Introducing new filtering architecture.

Eugene Syromiatnikov esyr at
Mon Jun 5 17:14:08 UTC 2017

On Sun, Jun 04, 2017 at 01:15:05PM +0700, Nikolay Marchuk wrote:
> Hello,
> This message describes new filtering architecture. Please, review it and
> give me feedback.
> Filtering language.
> The format of new filtering expression is:
> 	action(expr [, argument1=value1[,argument2=value2]...)
I suggest using semicolon as an expression and argument delimiter, as a
comma is useful inside both expression and argument value definitions.

BTW, what is the behaviour in case two options with the same action are

> where action is equal with 'qualifier',
As Masatake pointed out already, it is probably a good idea to include
backtrace printing in the list of possible actions. I suggest "backtrace",
"stacktrace" or "callstack" as a possible name for it. The same goes for
path tracing: since there is no specific qualifier for it at the moment,
one has to be chosen (like "path").

> expr is boolean expression with
> pcap-filter[1] syntax with strace primitives and optional arguments are
> action-specific.
> Expression primitives.
> *syscall set_of_syscalls
> *class syscall_class
> *regex /regex
These three could be probably merged into one, "syscall", as current
syntax allows determining the type of the entity by its prefix. Also, since
you have a set as an argument, you should probably define the syntax for a
set (it is something like "item[,item]", but still)

So, the final definition looks more like this:
    set_of_syscalls = set_entity [ "," set_of_syscalls ]
    set_entity = syscall | %syscall_class | /syscall_regex

> *path path
Some provisions regarding spaces, commas, parentheses, etc. in path should
probably be made here.

> *fd set_of_fds
> *signal set_of_signals

>  caller pid
What do you mean by "caller" here?

>  callnum [<=, >=] number
pcap supports relops (>, <, >=, <=, =, !=) only for arithmetic expressions, which
include "length operator, and special packet data accessors"; in case of
strace this probably should be replaced with something strace-specific.
One thing, as I understood, is the call serial number, is it correct? Not
sure about the semantics here, which calls should be counted towards it — all
or only successfully filtered (by which action? Are you going to have
some per-action/per-filter state?) ones?

>  command cmd
What did you mean here? argv[0] of the tracee or something else?

> ...
For completeness' sake, I'd like to cover the complete list of primitives which
are already supported by strace:
 * abbrev
 * verbose
 * raw
 * read/write

There are also some options for which it could make sense to be configured with
a filter expression:
 * hexadecimal output of strings (-x, -xx)
 * FD decoding (-y, -yy)
 * (aforementioned) Execution stack trace printing (-k)

Note that pcap-filter(7) allows omitting repeated qualifiers (as in
"tcp dst port ftp or ftp-data"), are you going to support the similar

> Primitives marked with * are already supported by strace for some
> qualifiers.
> Filtering architecture.
> The new entry point of filtering is filter_main() in
> trace_syscall_entering after getting arguments of syscall. It runs every
> filter action and set tcp->qual_flg value.
> Filter actions have boolean expression and filters attached to it. Each
> filter type processes one expression primitive. Filter action runs every
> attached filter with current tcp and passes results to boolean
> expression and applies if it is true.
> This architecture allows independent implementation of filters or
> expressions and encapsulates filtering mechanism parts.

Note that trace_syscall_entering is going to be split by Victor as per
posted patches.

Do you mean by "boolean expression" filter expression which was
designated as "expr" earlier?

I'm not sure how to interpret the phrase "Filter action runs every
attached filter with current tcp and passes results to boolean expression".
Are you referring to process of expression evaluation? If so, can you
please describe, how should the expression
    "syscall %net and ( syscall %file or not fd 3 and path /my/file)"
be evaluated?

> [1]
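To make the evaluation question above concrete, here is an added example, not code from the thread or from strace itself: a small Python parser and evaluator for the proposed expression language, following pcap-filter(7) precedence (negation binds tightest; "and" and "or" have equal precedence and associate left to right). Everything in it is an assumption made for illustration: the syscall class table, the set syntax ("item[,item]" with "syscall | %class | /regex" entities, as suggested in the reply), the primitives it knows (syscall, fd, path), and the dict used as a stand-in for strace's tcb. to_string() shows how the parser groups the expression from the thread, and evaluate() runs it against constructed sample records.

```python
import re

# Constructed, hypothetical syscall class table: a tiny subset for illustration only.
SYSCALL_CLASSES = {
    "net": {"socket", "connect", "sendto", "recvfrom"},
    "file": {"open", "openat", "stat", "unlink"},
}

# A token is a parenthesis or a run of other non-space characters; paths with spaces
# or parentheses are out of scope here (the thread raises that point too).
TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")

def match_syscall_entity(entity, tcb):
    # set_entity = syscall | %syscall_class | /syscall_regex (the grammar from the thread)
    if entity.startswith("%"):
        return tcb["syscall"] in SYSCALL_CLASSES.get(entity[1:], set())
    if entity.startswith("/"):
        return re.fullmatch(entity[1:], tcb["syscall"]) is not None
    return tcb["syscall"] == entity

# Primitive matchers, qualifier -> (argument text, syscall record) -> bool.
# Set-valued arguments use the "item[,item]" syntax from the thread.
PRIMITIVES = {
    "syscall": lambda arg, tcb: any(match_syscall_entity(e, tcb) for e in arg.split(",")),
    "fd": lambda arg, tcb: any(int(e) in tcb["fds"] for e in arg.split(",")),
    "path": lambda arg, tcb: arg in tcb["paths"],
}

class Parser:
    """Recursive-descent parser producing a tuple AST.  Precedence follows pcap-filter(7):
    "not" binds tightest; "and" and "or" have EQUAL precedence and associate left to right."""
    def __init__(self, tokens):
        self.toks, self.pos = tokens, 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise SyntaxError("unexpected end of filter expression")
        self.pos += 1
        return tok

    def parse_binary(self):
        node = self.parse_unary()
        while self.peek() in ("and", "or"):
            op = self.take()
            node = (op, node, self.parse_unary())  # left-associative; "and" is not above "or"
        return node

    def parse_unary(self):
        tok = self.peek()
        if tok == "not":
            self.take()
            return ("not", self.parse_unary())
        if tok == "(":
            self.take()
            node = self.parse_binary()
            if self.take() != ")":
                raise SyntaxError("expected ')'")
            return node
        qualifier = self.take()
        if qualifier not in PRIMITIVES:
            raise SyntaxError(f"unknown qualifier {qualifier!r}")
        return ("prim", qualifier, self.take())  # every primitive takes exactly one argument

def compile_filter(text):
    parser = Parser(TOKEN_RE.findall(text))
    node = parser.parse_binary()
    if parser.peek() is not None:
        raise SyntaxError(f"unexpected token {parser.peek()!r}")
    return node

def to_string(node):
    # Fully parenthesised rendering, so the precedence the parser applied is visible.
    if node[0] == "prim":
        return f"{node[1]} {node[2]}"
    if node[0] == "not":
        return f"not {to_string(node[1])}"
    return f"({to_string(node[1])} {node[0]} {to_string(node[2])})"

def evaluate(node, tcb):
    # Evaluate a compiled filter against one syscall record (a stand-in for strace's tcb).
    if node[0] == "prim":
        return PRIMITIVES[node[1]](node[2], tcb)
    if node[0] == "not":
        return not evaluate(node[1], tcb)
    if node[0] == "and":
        return evaluate(node[1], tcb) and evaluate(node[2], tcb)
    return evaluate(node[1], tcb) or evaluate(node[2], tcb)

EXPR = "syscall %net and ( syscall %file or not fd 3 and path /my/file)"

SAMPLE_CALLS = [  # constructed sample syscall records, not real trace output
    {"syscall": "openat", "fds": [3], "paths": ["/my/file"]},   # rejected: openat is not in %net
    {"syscall": "connect", "fds": [4], "paths": ["/my/file"]},  # accepted
    {"syscall": "connect", "fds": [3], "paths": ["/my/file"]},  # rejected: fd 3 is present
]
```

Under pcap rules the expression from the thread groups as (syscall %net and ((syscall %file or not fd 3) and path /my/file)), which is not what a reader used to C-style precedence (and above or) would expect. Whichever precedence the new filter language settles on, it should be spelled out in the documentation and exercised by a test with exactly this kind of mixed and/or/not expression; a compiled AST as above also lets a filter be evaluated per syscall without re-parsing the expression text in filter_main().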

More information about the Strace-devel mailing list