Conditional rules #364

Add the ability to skip a rule if its condition refers to a filtercheck that doesn't exist. This allows defining a rules file that contains new conditions that can still has limited backward compatibility with older falco versions. When compiling a filter, return a list of filtercheck names that are present in the ast (which also includes filterchecks from any macros). This set of filtercheck names is matched against the set of filterchecks known to sinsp, expressed as lua patterns, and in the global table defined_filters. If no match is found, the rule loader throws an error. The pattern changes slightly depending on whether the filter has arguments or not. Two filters (proc.apid/proc.aname) can work with or without arguments, so both styles of patterns are used. If the rule has an attribute "skip-if-unknown-filter", the rule will be skipped instead.

New unit test for skipping unknown filter. Test cases: - A rule that refers to an unknown filter results in an error. - A rule that refers to an unknown filter, but has "skip-if-unknown-filter: true", can be read, but doesn't match any events. - A rule that refers to an unknown filter, but has "skip-if-unknown-filter: false", returns an error. Also test the case of a filtercheck like evt.arg.xxx working properly with the embedded patterns as well as proc.aname/apid which work both ways.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Conditional rules #364

Conditional rules #364

Commits on May 2, 2018