Hello,
This message describes a new filtering architecture. Please review it and
give me feedback.

Filtering language.
The format of the new filtering expression is:

        action(expr [, argument1=value1[, argument2=value2]...])
where action is equivalent to a 'qualifier', expr is a boolean expression
in pcap-filter[1] syntax with strace primitives, and the optional
arguments are action-specific.

Expression primitives.
*syscall set_of_syscalls
*class syscall_class
*regex /regex
*path path
*fd set_of_fds
*signal set_of_signals
 caller pid
 callnum [<=, >=] number
 command cmd
...
Primitives marked with * are already supported by strace for some
qualifiers.

Filtering architecture.
The new entry point of filtering is filter_main() in
trace_syscall_entering, after getting the arguments of the syscall. It
runs every filter action and sets the tcp->qual_flg value.
Each filter action has a boolean expression and filters attached to it.
Each filter type processes one expression primitive. A filter action runs
every attached filter with the current tcp, passes the results to the
boolean expression, and is applied if the expression is true.
This architecture allows independent implementation of filters and
expressions and encapsulates the parts of the filtering mechanism.

[1] http://www.tcpdump.org/manpages/pcap-filter.7.html

_______________________________________________
Strace-devel mailing list
Strace-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/strace-devel
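
An added example, not part of the original message and not strace code: a minimal C model of the architecture described above, in which filter_main() runs every filter action, each action runs its attached filters and passes the results to a boolean expression (stored in postfix form here), and tcp->qual_flg is set for the actions that apply. The struct layouts, run_action(), the f_* filters, the integer filter arguments and the flag value are assumptions made for illustration.

```c
#include <stdbool.h>
/* Hypothetical stand-ins, not strace's definitions. A filter checks one primitive. */
struct tcb { int scno; int fd; unsigned qual_flg; };
struct filter { bool (*run)(const struct tcb *, int); int arg; };
enum op { OP_FILTER, OP_NOT, OP_AND, OP_OR };
struct expr_node { enum op op; unsigned idx; };  /* postfix; OP_FILTER pushes result idx */
struct filter_action {   /* flag: bit set in qual_flg when expr is true */
    unsigned flag, nfilters, nexpr;
    const struct filter *filters; const struct expr_node *expr;
};
#define MAX_NODES 16
/* Run every attached filter, then pass the results to the boolean expression. */
static bool run_action(const struct filter_action *a, const struct tcb *tcp) {
    bool res[MAX_NODES], st[MAX_NODES]; unsigned sp = 0;
    if (a->nfilters > MAX_NODES || a->nexpr > MAX_NODES) return false;
    for (unsigned i = 0; i < a->nfilters; i++)
        res[i] = a->filters[i].run(tcp, a->filters[i].arg);
    for (unsigned i = 0; i < a->nexpr; i++) {
        const struct expr_node *n = &a->expr[i];
        if (n->op == OP_FILTER) {
            if (n->idx >= a->nfilters) return false;  /* dangling filter index */
            st[sp++] = res[n->idx];
        } else if (n->op == OP_NOT) {
            if (sp < 1) return false;                 /* stack underflow */
            st[sp - 1] = !st[sp - 1];
        } else {
            if (sp < 2) return false;
            bool rhs = st[--sp];
            st[sp - 1] = n->op == OP_AND ? (st[sp - 1] && rhs) : (st[sp - 1] || rhs);
        }
    }
    return sp == 1 && st[0];   /* malformed expressions never match */
}
/* Entry point: run every action, set tcp->qual_flg from the ones that apply. */
static void filter_main(struct tcb *tcp, const struct filter_action *acts, unsigned n) {
    tcp->qual_flg = 0;
    for (unsigned i = 0; i < n; i++)
        if (run_action(&acts[i], tcp)) tcp->qual_flg |= acts[i].flag;
}
static bool f_syscall(const struct tcb *t, int scno) { return t->scno == scno; }
static bool f_fd(const struct tcb *t, int fd) { return t->fd == fd; }
/* Constructed demo: one action whose expression is "syscall 1 and not fd 2". */
unsigned demo(int scno, int fd) {
    const struct filter fl[] = { { f_syscall, 1 }, { f_fd, 2 } };
    const struct expr_node ex[] = { {OP_FILTER, 0}, {OP_FILTER, 1}, {OP_NOT, 0}, {OP_AND, 0} };
    const struct filter_action act = { 0x1u, 2, 4, fl, ex };
    struct tcb tcp = { scno, fd, 0 };
    filter_main(&tcp, &act, 1);
    return tcp.qual_flg;
}
```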
