add hook to pacf that allows users to modify all rules or implement

whitelists or similar.

scripts/base/frameworks/pacf/main.bro

@@ -159,6 +159,13 @@ export {
 	## msg: An optional informational message by the plugin.
 	global rule_error: event(r: Rule, p: PluginState, msg: string &default="");
 
+	## Hook that allows the modification of rules passed to add_rule before they
+	## are passed on to the plugins. If one of the hooks uses break, the rule is
+	## ignored and not passed on to any plugin.
+	##
+	## r: The rule to be added
+	global Pacf::rule_policy: hook(r: Rule);
+
 	## Type of an entry in the PACF log.
 	type InfoCategory: enum {
 		## A log entry reflecting a framework message.
@@ -402,6 +409,9 @@ function add_rule_impl(rule: Rule) : string
 	if ( ! rule?$id || rule$id == "" )
 		rule$id = cat(rule$cid);
 
+	if ( ! hook Pacf::rule_policy(rule) )
+		return "";
+
 	local accepted = F;
 	local priority: int = +0;
 	local r = rule;

testing/btest/Baseline/scripts.base.frameworks.pacf.hook/pacf.log

@@ -0,0 +1,18 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	pacf
+#open	2015-06-02-21-23-05
+#fields	ts	category	cmd	state	action	target	entity_type	entity	msg	location	plugin
+#types	time	enum	string	enum	string	enum	string	string	string	string	string
+0.000000	Pacf::MESSAGE	-	-	-	-	-	-	activated plugin with priority 0	-	Debug-All
+1254722767.875996	Pacf::RULE	ADD	Pacf::REQUESTED	Pacf::DROP	Pacf::MONITOR	Pacf::FLOW	0.0.0.0/0/1470->74.53.140.153/32/25	-	(empty)	Debug-All
+1254722767.875996	Pacf::RULE	ADD	Pacf::REQUESTED	Pacf::REDIRECT	Pacf::FORWARD	Pacf::FLOW	0.0.0.0/0/1470->74.53.140.153/32/25	-	(empty)	Debug-All
+1254722767.875996	Pacf::RULE	ADD	Pacf::SUCCEEDED	Pacf::DROP	Pacf::MONITOR	Pacf::FLOW	0.0.0.0/0/1470->74.53.140.153/32/25	-	(empty)	Debug-All
+1254722767.875996	Pacf::RULE	ADD	Pacf::SUCCEEDED	Pacf::REDIRECT	Pacf::FORWARD	Pacf::FLOW	0.0.0.0/0/1470->74.53.140.153/32/25	-	(empty)	Debug-All
+1254722776.690444	Pacf::RULE	REMOVE	Pacf::REQUESTED	Pacf::REDIRECT	Pacf::FORWARD	Pacf::FLOW	0.0.0.0/0/1470->74.53.140.153/32/25	-	(empty)	Debug-All
+1254722776.690444	Pacf::RULE	REMOVE	Pacf::REQUESTED	Pacf::DROP	Pacf::MONITOR	Pacf::FLOW	0.0.0.0/0/1470->74.53.140.153/32/25	-	(empty)	Debug-All
+1254722776.690444	Pacf::RULE	REMOVE	Pacf::SUCCEEDED	Pacf::REDIRECT	Pacf::FORWARD	Pacf::FLOW	0.0.0.0/0/1470->74.53.140.153/32/25	-	(empty)	Debug-All
+1254722776.690444	Pacf::RULE	REMOVE	Pacf::SUCCEEDED	Pacf::DROP	Pacf::MONITOR	Pacf::FLOW	0.0.0.0/0/1470->74.53.140.153/32/25	-	(empty)	Debug-All
+#close	2015-06-02-21-23-05

testing/btest/scripts/base/frameworks/pacf/hook.bro

@@ -0,0 +1,27 @@
+# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT
+# @TEST-EXEC: btest-diff pacf.log
+
+@load base/frameworks/pacf
+
+event bro_init()
+	{
+	local pacf_debug = Pacf::create_debug(T);
+	Pacf::activate(pacf_debug, 0);
+	}
+
+event connection_established(c: connection)
+	{
+	local id = c$id;
+	Pacf::shunt_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 30sec);
+	Pacf::drop_address(id$orig_h, 15sec);
+	Pacf::whitelist_address(id$orig_h, 15sec);
+	Pacf::redirect_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 5, 30sec);
+	}
+
+hook Pacf::rule_policy(r: Pacf::Rule)
+	{
+	if ( r$expire == 15sec )
+		break;
+
+	r$entity$flow$src_h = 0.0.0.0/0;
+	}