Now that custom rules loading implementations (and related, custom
rulesets) can be swapped into falco in a customizable way, there is
some functionality in evttype_index_ruleset that could be used by
other rulesets, specifically the part that segregates filters by
ruleset and enables/disables filters based on name substring + tags.

To allow for this, create a new template indexable_ruleset<class
filter_wrapper> which derives from filter_ruleset and segregates the
filter_wrappers by ruleset. It also optionally segregates
filter_wrappers by event type.

The filter_wrapper class is an object that can return a name, tags,
and sc/event codes.

The main interfaces for classes that derive from indexable_ruleset are:

- add_wrapper(), which provides a filter_wrapper to the
  indexable_ruleset. This is generally called from
  add()/add_compile_output(), which must be implemented by the derived class.
- run_wrappers(), which must be implemented by the derived class and
  is called for event processing.

Most of the methods required by filter_ruleset are implemented by
indexable_ruleset and do not need to be implemented by the derived
class.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
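
A simplified C++ sketch of the design described in the commit message above, added here as an illustration and not taken from Falco's source. The names ruleset_sketch, demo_wrapper, recording_ruleset, run() and enable_tag(), the integer event codes, and all signatures are assumptions; only add_wrapper() and run_wrappers() are names from the message.

```cpp
#include <cstdint>
#include <map>
#include <memory>
#include <set>
#include <string>

// Hypothetical filter_wrapper: a name, tags and event codes (no codes = any event).
struct demo_wrapper { std::string name; std::set<std::string> tags; std::set<int> codes; };

template <class filter_wrapper>
class ruleset_sketch {  // stand-in for indexable_ruleset, not Falco's class
public:
    using ptr = std::shared_ptr<filter_wrapper>;
    virtual ~ruleset_sketch() = default;
    void add_wrapper(ptr w) { m_all.insert(w); }
    void enable(const std::string& substr, bool on, uint16_t ruleset) {  // by name substring
        for (auto& w : m_all) if (w->name.find(substr) != std::string::npos) index(w, on, ruleset);
    }
    void enable_tag(const std::string& tag, bool on, uint16_t ruleset) {  // by tag
        for (auto& w : m_all) if (w->tags.count(tag)) index(w, on, ruleset);
    }
    bool run(int evt, uint16_t ruleset) {  // event processing for one ruleset
        std::set<ptr> hits = m_index[ruleset][ANY];
        for (auto& w : m_index[ruleset][evt]) hits.insert(w);
        return run_wrappers(evt, hits);
    }
protected:
    virtual bool run_wrappers(int evt, const std::set<ptr>& wrappers) = 0;
private:
    enum { ANY = -1 };  // bucket for wrappers that name no event codes
    void index(const ptr& w, bool on, uint16_t ruleset) {
        for (int k : w->codes.empty() ? std::set<int>{ANY} : w->codes) {
            auto& bucket = m_index[ruleset][k];
            if (on) bucket.insert(w); else bucket.erase(w);
        }
    }
    std::set<ptr> m_all;
    std::map<uint16_t, std::map<int, std::set<ptr>>> m_index;  // ruleset -> event -> wrappers
};

struct recording_ruleset : ruleset_sketch<demo_wrapper> {  // derived class supplies run_wrappers()
    std::set<std::string> seen;
    bool run_wrappers(int, const std::set<ptr>& ws) override {
        for (auto& w : ws) seen.insert(w->name);
        return !ws.empty();
    }
};
```

In this sketch, enabling or disabling a wrapper in one ruleset id leaves every other ruleset untouched, and a wrapper that lists no event codes is handed to run_wrappers() for every event type.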