Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Direction
type Direction uint8
Direction represents an HTTP traffic direction as a compact integer.
type EventFields
type EventFields struct {
	Path         string     // file/exec path (empty if not applicable)
	DstPort      uint16     // destination port from network/SSH event
	Dir          Direction  // pre-computed from HTTP direction string
	MethodBit    MethodMask // pre-computed from HTTP method string
	PortEligible bool       // true for SSH/network events (port filter applies)
	Extracted    bool       // true after extractEventFields has run
}
EventFields holds event data extracted once per event for pre-filtering. Passed by value (stack-allocated, ~28 bytes) — extracted once before the rule loop, reused across all rules.
func (*EventFields) SetDirection
func (f *EventFields) SetDirection(s string)
SetDirection converts a direction string to its compact representation.
func (*EventFields) SetMethod
func (f *EventFields) SetMethod(method string)
SetMethod converts an HTTP method string to its bitmask representation.
type MethodMask
type MethodMask uint16
MethodMask is a bitmask of HTTP methods for O(1) membership testing.
const (
	MethodGET     MethodMask = 1 << iota
	MethodHEAD    // 2
	MethodPOST    // 4
	MethodPUT     // 8
	MethodPATCH   // 16
	MethodDELETE  // 32
	MethodCONNECT // 64
	MethodOPTIONS // 128
	MethodTRACE   // 256
)
type Params
type Params struct {
	IgnorePrefixes  []string   // open, exec — skip if path starts with prefix
	IncludePrefixes []string   // open, exec — skip if path does NOT match any prefix
	Ports           []uint16   // SSH, network — skip if port is NOT in list
	Dir             Direction  // HTTP — DirInbound or DirOutbound
	MethodMask      MethodMask // HTTP — bitmask of allowed methods
}
Params holds parsed, typed parameters for cheap pre-CEL filtering. Parsed once at rule binding time. A non-nil *Params always has at least one active filter.
func ParseWithDefaults
ParseWithDefaults merges pre-filter parameters from two sources:
- ruleState: defaults from the rule library YAML (Rule.State)
- bindingParams: per-deployment overrides from the rule binding CRD
Binding parameters override rule state for the same key. Returns nil if no pre-filterable parameters are present.
func (*Params) ShouldSkip
func (p *Params) ShouldSkip(e EventFields) bool
ShouldSkip returns true if the event should be skipped. Hot path — integer/bitmask comparisons only, no allocations. Safe to call on nil receiver (returns false).
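The pre-filter semantics described above, as an added sketch that is not the package's own code: the types are cut-down local stand-ins, the lowercase `shouldSkip` and `anyPrefix` are hypothetical, and treating an empty Path or a zero MethodBit as "filter does not apply" is an assumption. It also shows that an ignore prefix written without a trailing slash matches sibling directories, so those events are dropped before any rule is evaluated.

```go
package main

import (
	"fmt"
	"strings"
)

// Local stand-ins for the documented types; every function body is an assumption.
type MethodMask uint16
const (
	MethodGET MethodMask = 1 << iota
	MethodHEAD
	MethodPOST
)
type EventFields struct {
	Path      string
	MethodBit MethodMask
}
type Params struct {
	IgnorePrefixes, IncludePrefixes []string
	MethodMask                      MethodMask
}
func anyPrefix(path string, prefixes []string) bool {
	for _, p := range prefixes {
		if strings.HasPrefix(path, p) {
			return true
		}
	}
	return false
}
// shouldSkip (hypothetical) follows the Params field comments; nil skips nothing.
func (p *Params) shouldSkip(e EventFields) bool {
	if p == nil {
		return false
	}
	if e.Path != "" && (anyPrefix(e.Path, p.IgnorePrefixes) ||
		(len(p.IncludePrefixes) > 0 && !anyPrefix(e.Path, p.IncludePrefixes))) {
		return true
	}
	// One AND replaces a string comparison per allowed method.
	return e.MethodBit != 0 && p.MethodMask != 0 && p.MethodMask&e.MethodBit == 0
}

func main() {
	p := &Params{IgnorePrefixes: []string{"/var/lib"}} // constructed parameters
	fmt.Println(p.shouldSkip(EventFields{Path: "/var/lib/dpkg/status"})) // true
	fmt.Println(p.shouldSkip(EventFields{Path: "/var/library/run.sh"}))  // true: no trailing slash
}
```

Writing the prefix as `/var/lib/` keeps the second path visible to the rules.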