Introducing new filtering architecture.

Nikolay Marchuk marchuk.nikolay.a at gmail.com
Sun Jun 4 06:15:05 UTC 2017


Hello,
This message describes the new filtering architecture. Please review it and
give me feedback.

Filtering language.
The format of new filtering expression is:

	action(expr [, argument1=value1[,argument2=value2]...)
where action is equivalent to 'qualifier', expr is a boolean expression in
pcap-filter[1] syntax with strace primitives, and the optional arguments are
action-specific.

Expression primitives.
*syscall set_of_syscalls
*class syscall_class
*regex /regex
*path path
*fd set_of_fds
*signal set_of_signals
 caller pid
 callnum [<=, >=] number
 command cmd
...
Primitives marked with * are already supported by strace for some
qualifiers.

Filtering architecture.
The new entry point of filtering is filter_main() in
trace_syscall_entering, after the syscall arguments have been fetched. It runs every
filter action and sets the tcp->qual_flg value.
Filter actions have a boolean expression and filters attached to it. Each
filter type processes one expression primitive. A filter action runs every
attached filter with the current tcp, passes the results to the boolean
expression, and applies the action if the expression is true.
This architecture allows independent implementation of filters and
expressions and encapsulates the parts of the filtering mechanism.

[1]http://www.tcpdump.org/manpages/pcap-filter.7.html
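The following is an added example, not code from the message or from strace, modelling the architecture described above: one filter type per primitive, a boolean expression tree over filter results, and a filter_main() that runs every action and sets tcp->qual_flg. Only the names filter_main, tcb and qual_flg come from the message; the struct layouts, the QUAL_* bits, the syscall numbers and the sample filter set are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Placeholder qualifier bits and syscall numbers for this model only. */
enum { QUAL_TRACE = 0x1, QUAL_ABBREV = 0x2, QUAL_RAW = 0x4 };
enum { SC_READ = 0, SC_WRITE = 1, SC_OPEN = 2 };

/* Constructed stand-in for the per-tracee control block. */
struct tcb {
	int pid;
	int scno;          /* number of the syscall being entered */
	int fd;            /* first fd argument, -1 if the call takes none */
	unsigned callnum;  /* syscalls entered so far by this tracee */
	const char *comm;  /* command name of the tracee */
	unsigned qual_flg; /* set by filter_main() */
};

/* One filter type per expression primitive. */
enum prim { P_SYSCALL, P_FD, P_CALLNUM_GE, P_COMMAND, P_CALLER };
struct filter {
	enum prim type;
	int num;          /* syscall number, fd, pid or callnum bound */
	const char *str;  /* command name for P_COMMAND */
};

/* A filter inspects the current tcb and yields one boolean. */
static bool run_filter(const struct filter *f, const struct tcb *tcp)
{
	switch (f->type) {
	case P_SYSCALL:    return tcp->scno == f->num;
	case P_FD:         return tcp->fd == f->num;
	case P_CALLNUM_GE: return tcp->callnum >= (unsigned) f->num;
	case P_COMMAND:    return tcp->comm && strcmp(tcp->comm, f->str) == 0;
	case P_CALLER:     return tcp->pid == f->num;
	}
	return false;
}

/* Boolean expression tree combining filter results with and/or/not. */
enum op { E_PRIM, E_AND, E_OR, E_NOT };
struct expr {
	enum op op;
	const struct filter *filter;   /* E_PRIM only */
	const struct expr *lhs, *rhs;  /* rhs unused for E_NOT */
};

static bool eval_expr(const struct expr *e, const struct tcb *tcp)
{
	switch (e->op) {
	case E_PRIM: return run_filter(e->filter, tcp);
	case E_AND:  return eval_expr(e->lhs, tcp) && eval_expr(e->rhs, tcp);
	case E_OR:   return eval_expr(e->lhs, tcp) || eval_expr(e->rhs, tcp);
	case E_NOT:  return !eval_expr(e->lhs, tcp);
	}
	return false;
}

/* action(expr): the qualifier bits to apply when expr is true. */
struct filter_action { const struct expr *expr; unsigned qual_flg; };

/* Entry point: run every action and set tcp->qual_flg. */
unsigned filter_main(struct tcb *tcp, const struct filter_action *actions, size_t n)
{
	tcp->qual_flg = 0;
	for (size_t i = 0; i < n; i++)
		if (eval_expr(actions[i].expr, tcp))
			tcp->qual_flg |= actions[i].qual_flg;
	return tcp->qual_flg;
}

/* Constructed filter set:  trace(syscall write or syscall open)
 *                          raw(fd 3 and callnum >= 5)
 *                          abbrev(not command sshd)                   */
static const struct filter f_write = { P_SYSCALL, SC_WRITE, NULL };
static const struct filter f_open  = { P_SYSCALL, SC_OPEN,  NULL };
static const struct filter f_fd3   = { P_FD, 3, NULL };
static const struct filter f_cn5   = { P_CALLNUM_GE, 5, NULL };
static const struct filter f_sshd  = { P_COMMAND, 0, "sshd" };
static const struct expr e_write = { E_PRIM, &f_write, NULL, NULL };
static const struct expr e_open  = { E_PRIM, &f_open,  NULL, NULL };
static const struct expr e_fd3   = { E_PRIM, &f_fd3,   NULL, NULL };
static const struct expr e_cn5   = { E_PRIM, &f_cn5,   NULL, NULL };
static const struct expr e_sshd  = { E_PRIM, &f_sshd,  NULL, NULL };
static const struct expr e_trace  = { E_OR,  NULL, &e_write, &e_open };
static const struct expr e_raw    = { E_AND, NULL, &e_fd3,   &e_cn5 };
static const struct expr e_abbrev = { E_NOT, NULL, &e_sshd,  NULL };
static const struct filter_action actions[] = {
	{ &e_trace, QUAL_TRACE }, { &e_raw, QUAL_RAW }, { &e_abbrev, QUAL_ABBREV },
};

/* Evaluate the filter set for one syscall entry and return the qualifier bits. */
unsigned qual_for(int scno, int fd, unsigned callnum, const char *comm)
{
	struct tcb tcp = { 1234, scno, fd, callnum, comm, 0 };
	return filter_main(&tcp, actions, sizeof actions / sizeof actions[0]);
}

int main(void)
{
	printf("write, fd 3, call 6, cat  -> qual_flg 0x%x\n", qual_for(SC_WRITE, 3, 6, "cat"));
	printf("open, no fd, call 10, sshd -> qual_flg 0x%x\n", qual_for(SC_OPEN, -1, 10, "sshd"));
	return 0;
}
```

Because each action owns its own expression and each filter type only answers one primitive, adding a new primitive means adding one case to run_filter(), and adding a new action means one more entry in the actions table; neither touches the other side, which is the encapsulation the message argues for.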

