Merge remote-tracking branch 'origin/topic/johanna/netcontrol-updates'

* origin/topic/johanna/netcontrol-updates: Netcontrol: add rule_added_policy Netcontrol: more logging in catch-and-release Netcontrol: allow supplying explicit name to Debug plugin
2025-10-06 16:48:19 +00:00 · 2024-02-06 11:51:26 +00:00 · 2024-02-06 11:51:26 +00:00 · 160ccda45f
commit 160ccda45f
parent f8a7f3699c 737f828bcb
17 changed files with 494 additions and 33 deletions
--- a/scripts/base/frameworks/netcontrol/main.zeek
+++ b/scripts/base/frameworks/netcontrol/main.zeek
@ -262,6 +262,20 @@ export {
 	## r: The rule to be added.
 	global NetControl::rule_policy: hook(r: Rule);

+	## Hook that allows the modification of rule states after they are returned from
+	## the plugins and have been added to the rules database. This allows low-level
+	## modification of the handling of rules like, e.g., changing rule expiration depending
+	## on context.
+	##
+	## r: The rule now in place.
+	##
+	## p: The state for the plugin that put it into place.
+	##
+	## exists: If the adding plugin flagged the rule as already existing.
+	##
+	## msg: An optional informational message by the plugin.
+	global NetControl::rule_added_policy: hook(r: Rule, p: PluginState, exists: bool, msg: string);
+
 	##### Plugin functions

 	## Function called by plugins once they finished their activation. After all
@ -945,6 +959,8 @@ function rule_added_impl(r: Rule, p: PluginState, exists: bool, msg: string &def
 		# rule was completely added.
 		rule$_added = T;
 		}
+
+	hook NetControl::rule_added_policy(rule, p, exists, msg);
 	}

 function rule_removed_impl(r: Rule, p: PluginState, msg: string &default="") &is_used
--- a/scripts/base/frameworks/netcontrol/plugins/debug.zeek
+++ b/scripts/base/frameworks/netcontrol/plugins/debug.zeek
@ -12,7 +12,21 @@ export {
 	##
 	## do_something: If true, the plugin will claim it supports all operations; if
 	##               false, it will indicate it doesn't support any.
-	global create_debug: function(do_something: bool) : PluginState;
+	##
+	## name: Optional name that for the plugin.
+	global create_debug: function(do_something: bool, name: string &default="") : PluginState;
+
+	## Instantiates a debug plugin for the NetControl framework. This variation
+	## of the plugin will return "exists" to any rule operations.
+	##
+	## name: Name of this plugin.
+	global create_debug_exists: function(name: string) : PluginState;
+
+	## Instantiates a debug plugin for the NetControl framework. This variation
+	## of the plugin will return "error" to any rule operations.
+	##
+	## name: Name of this plugin.
+	global create_debug_error: function(name: string) : PluginState;
 }

 function do_something(p: PluginState) : bool
@ -22,7 +36,7 @@ function do_something(p: PluginState) : bool

 function debug_name(p: PluginState) : string
 	{
-	return fmt("Debug-%s", (do_something(p) ? "All" : "None"));
+	return p$config["name"];
 	}

 function debug_log(p: PluginState, msg: string)
@ -55,6 +69,34 @@ function debug_add_rule(p: PluginState, r: Rule) : bool
 	return F;
 	}

+function debug_add_rule_exists(p: PluginState, r: Rule) : bool
+	{
+	local s = fmt("add_rule_exists: %s", r);
+	debug_log(p, s);
+
+	if ( do_something(p) )
+		{
+		event NetControl::rule_exists(r, p);
+		return T;
+		}
+
+	return F;
+	}
+
+function debug_add_rule_error(p: PluginState, r: Rule) : bool
+	{
+	local s = fmt("add_rule_error: %s", r);
+	debug_log(p, s);
+
+	if ( do_something(p) )
+		{
+		event NetControl::rule_error(r, p, "debug error");
+		return T;
+		}
+
+	return F;
+	}
+
 function debug_remove_rule(p: PluginState, r: Rule, reason: string) : bool
 	{
 	local s = fmt("remove_rule (%s): %s", reason, r);
@ -73,13 +115,35 @@ global debug_plugin = Plugin(
 	$remove_rule = debug_remove_rule
 	);

-function create_debug(do_something: bool) : PluginState
+function create_debug(do_something: bool, name: string) : PluginState
 	{
 	local p: PluginState = [$plugin=debug_plugin];

 	# FIXME: Why's the default not working?
 	p$config = table();
 	p$config["all"] = (do_something ? "1" : "0");
+	if ( name == "" )
+		p$config["name"] = fmt("Debug-%s", (do_something ? "All" : "None"));
+	else
+		p$config["name"] = name;

 	return p;
 	}
+
+function create_debug_error(name: string) : PluginState
+	{
+	local p: PluginState = copy([$plugin=debug_plugin]);
+	p$config["name"] = name;
+	p$config["all"] = "1";
+	p$plugin$add_rule = debug_add_rule_error;
+	return p;
+	}
+
+function create_debug_exists(name: string) : PluginState
+	{
+	local p: PluginState = copy([$plugin=debug_plugin]);
+	p$config["name"] = name;
+	p$config["all"] = "1";
+	p$plugin$add_rule = debug_add_rule_exists;
+	return p;
+	}