-
Notifications
You must be signed in to change notification settings - Fork 466
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
F/dbparser code refinements #723
Conversation
The methods were already renamed, the struct was not, so do that in this patch. Signed-off-by: Balazs Scheidler <balazs.scheidler@balabit.com>
Signed-off-by: Balazs Scheidler <balazs.scheidler@balabit.com>
Signed-off-by: Balazs Scheidler <balazs.scheidler@balabit.com>
Signed-off-by: Balazs Scheidler <balazs.scheidler@balabit.com>
Signed-off-by: Balazs Scheidler <balazs.scheidler@balabit.com>
Both in db-parser and in the upcoming correllate() parser we need two data pointers in the timerwheel expiration callback: 1) one that relates to the entry being freed 2) one that is global to a TimerWheel, a PatternDB reference in the case of db-parser() and a Correllate reference in correllate() In db-parser() this was solved by adding an extra pointer to _all_ PDBContext entries. This is a lot of extra storage if there are 10s of thousands of entries and is a circular dependency. To resolve this an "associated data" pointer is added to TimerWheel, which can be set and queried and is automatically destroyed when the timerwheel is freed using a GDestroyNotify callback. Signed-off-by: Balazs Scheidler <balazs.scheidler@balabit.com>
Instead of adding the PatternDB reference to all PDBContext entries, use the associated_data mechanism in TimerWheel to store that. Signed-off-by: Balazs Scheidler <balazs.scheidler@balabit.com>
As we were invoking these from two call-sites (once in new/free and once in forget_state()), extract these into a separate function. Signed-off-by: Balazs Scheidler <balazs.scheidler@balabit.com>
If you are interested in correllate(), see my work-in-progress patches in f/correllate |
void | ||
stateful_parser_set_inject_mode(StatefulParser *self, const gchar *inject_mode) | ||
{ | ||
self->inject_mode = stateful_parser_lookup_inject_mode(inject_mode); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the -1
value handled correctly in other places? The default is pass-through
so I'd expect to fallback to that. stateful_parser_emit_synthetic()
will create an internal message in this case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed in 33af212 by pushing the validation up to the parser.
Signed-off-by: Balazs Scheidler <balazs.scheidler@balabit.com>
This is a couple of patches against dbparser that help the implementation of the upcoming correllate()
parser, a component that can do correllation with a similar model that we have in db-parser() but without the message parsing/matching logic.