Documentation
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Direction
type Direction uint8
Direction represents an HTTP traffic direction as a compact integer.
type EventFields
type EventFields struct {
	Path string // file path (open) or exe path (exec); empty otherwise
	// Exec-only fields; empty for other event types.
	// Comm and Pcomm are kernel-truncated to 15 chars.
	ParentExePath string
	Comm          string
	Pcomm         string
	DstPort      uint16     // destination port from network/SSH event
	Dir          Direction  // pre-computed from HTTP direction string
	MethodBit    MethodMask // pre-computed from HTTP method string
	PortEligible bool       // true for SSH/network events (port filter applies)
	Extracted    bool       // true after extractEventFields has run
}
EventFields holds the event data extracted once per event for pre-filtering. It is passed by value and stack-allocated: the fields are extracted once before the rule loop and reused across all rules.
func (*EventFields) SetDirection
func (f *EventFields) SetDirection(s string)
SetDirection converts a direction string to its compact representation.
func (*EventFields) SetMethod
func (f *EventFields) SetMethod(method string)
SetMethod converts an HTTP method string to its bitmask representation.
type MethodMask
type MethodMask uint16
MethodMask is a bitmask of HTTP methods for O(1) membership testing.
const (
	MethodGET MethodMask = 1 << iota // 1
	MethodHEAD                       // 2
	MethodPOST                       // 4
	MethodPUT                        // 8
	MethodPATCH                      // 16
	MethodDELETE                     // 32
	MethodCONNECT                    // 64
	MethodOPTIONS                    // 128
	MethodTRACE                      // 256
)
type Params
type Params struct {
	IgnorePrefixes         []string                 // open, exec — skip if path starts with prefix
	IncludePrefixes        []string                 // open, exec — skip if path does NOT match any prefix
	ExcludeProcesses       map[processKey]struct{} // exec — skip if (comm, exepath) matches
	ExcludeParentProcesses map[processKey]struct{} // exec — skip if (pcomm, parent_exepath) matches
	Ports                  []uint16                 // SSH, network — skip if port is NOT in list
	Dir                    Direction                // HTTP — DirInbound or DirOutbound
	MethodMask             MethodMask               // HTTP — bitmask of allowed methods
}
Params holds parsed, typed parameters for cheap pre-CEL filtering. Parsed once at rule binding time. A non-nil *Params always has at least one active filter.
func ParseWithDefaults
ParseWithDefaults merges pre-filter parameters from two sources:
- ruleState: defaults from the rule library YAML (Rule.State)
- bindingParams: per-deployment overrides from the rule binding CRD
Binding parameters override rule state for the same key. Returns nil if no pre-filterable parameters are present.
func (*Params) ShouldSkip
func (p *Params) ShouldSkip(e *EventFields) bool
ShouldSkip returns true if the event should be skipped. Hot path — takes *EventFields to avoid copying the struct per call. Safe to call on nil receiver (returns false).