Commit Graph

3 Commits

Author SHA1 Message Date
Mark Stemm
e99b11e793 Make enable()/disable() virtual so they can be overridden
Subclasses might want to also see when rules are enabled/disabled.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2024-10-16 12:01:37 +02:00
Poiana
50b98b30e5 chore(falco): apply code formatting
Signed-off-by: Poiana <poiana.bot@gmail.com>
2024-09-30 13:25:31 +02:00
Mark Stemm
bbcfa61d82 Add an indexable ruleset that can split filters by ruleset/evttype
Now that custom rules loading implementations (and related, custom
rulesets) can be swapped into falco in a customizable way, there is
some functionality in evttype_index_ruleset that could be used by
other rulesets, specifically the part that segregates filters by
ruleset and enables/disables filters based on name substring + tags.

To allow for this, create a new template indexable_ruleset<class
filter_wrapper> which derives from filter_ruleset and segregates the
filter_wrappers by ruleset. It also optionally segregates
filter_wrappers by event type.

The filter_wrapper class is an object that can return a name, tags,
and sc/event codes.

The main interfaces for classes that derive from indexable_ruleset are:

- add_wrapper(), which provides a filter_wrapper to the
  indexable_ruleset. This is generally called from
  add()/add_compile_output(), which must be implemented by the derived class.
- run_wrappers(), which must be implemented by the derived class and
  is called for event processing.

Most of the methods required by filter_ruleset are implemented by
indexable_ruleset and do not need to be implemented by the derived
class.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2024-06-20 11:23:12 +02:00