From 81357853ed74ea9a0022c085bc154b6aa55dc3d4 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Thu, 13 Oct 2022 13:41:59 -0500
Subject: [PATCH] Restore reporting messages for pcap filter issues
---
 .../base/frameworks/packet-filter/main.zeek | 31 ++++++++++------
 scripts/base/init-bare.zeek | 7 ++++
 src/iosource/pcap/pcap.bif | 35 ++++++++++++++++++-
 3 files changed, 62 insertions(+), 11 deletions(-)
diff --git a/scripts/base/frameworks/packet-filter/main.zeek b/scripts/base/frameworks/packet-filter/main.zeek
index 0d3964d28d..51015c307a 100644
--- a/scripts/base/frameworks/packet-filter/main.zeek
+++ b/scripts/base/frameworks/packet-filter/main.zeek
@@ -279,22 +279,33 @@ function install(): bool
 return F;
 local ts = current_time();
+
 if ( ! Pcap::precompile_pcap_filter(DefaultPcapFilter, tmp_filter) )
 {
- NOTICE([$note=Compile_Failure,
- $msg=fmt("Compiling packet filter failed"),
- $sub=tmp_filter]);
+ local state = Pcap::get_filter_state(DefaultPcapFilter);
+ local error_string : string;
+ if ( state == Pcap::fatal )
+ {
+ NOTICE([$note=Compile_Failure,
+ $msg=fmt("Compiling packet filter failed"),
+ $sub=tmp_filter]);
- local error_string = fmt("Bad pcap filter '%s': %s", tmp_filter, Pcap::get_filter_state_string(DefaultPcapFilter));
+ error_string = fmt("Bad pcap filter '%s': %s", tmp_filter,
+ Pcap::get_filter_state_string(DefaultPcapFilter));
- local pkt_src_error : string = Pcap::error();
- if ( pkt_src_error != "no error" )
- error_string = pkt_src_error;
+ if ( network_time() == 0.0 )
+ Reporter::fatal(error_string);
+ else
+ Reporter::warning(error_string);
+ }
+ else if ( state == Pcap::warning )
+ {
+ error_string = fmt("Warning while compiling pcap filter '%s': %s",
+ tmp_filter,
+ Pcap::get_filter_state_string(DefaultPcapFilter));
- if ( network_time() == 0.0 )
- Reporter::fatal(error_string);
- else
 Reporter::warning(error_string);
+ }
 }
 local diff = current_time()-ts;
 if ( diff > max_filter_compile_time )
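Review bot: A failed `Pcap::precompile_pcap_filter` call whose state is neither `Pcap::fatal` nor `Pcap::warning` now produces no NOTICE and no Reporter message, because the new `if`/`else if` chain has no final `else`. The doc comment added for `get_filter_state` in src/iosource/pcap/pcap.bif says it returns the OK state when there is no active packet source or the filter ID does not exist, so that case looks reachable, and the `Pcap::error()` text the removed lines used as a fallback is no longer consulted. A sensor could then keep running without the intended capture filter and leave nothing in the logs to show it; a closing branch such as `else Reporter::warning(fmt("Compiling pcap filter '%s' failed without a reported state", tmp_filter));` would keep the failure visible. `install()` starts and ends outside this hunk, so what happens after the block is not visible here.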
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 43cd9edf74..fa8a674092 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -5146,6 +5146,13 @@ export {
 };
 type Interfaces: set[Pcap::Interface];
+
+ ## The state of the compilation for a pcap filter.
+ type filter_state: enum {
+ ok, # no issues encountered
+ fatal, # fatal issue, something that would prevent zeek from continuing
+ warning # non-fatal issue that should just be logged
+ };
 } # end export
 module DCE_RPC;
diff --git a/src/iosource/pcap/pcap.bif b/src/iosource/pcap/pcap.bif
index 02e84af00c..4e8e863a5c 100644
--- a/src/iosource/pcap/pcap.bif
+++ b/src/iosource/pcap/pcap.bif
@@ -1,7 +1,6 @@
 module Pcap;
-
 const snaplen: count;
 const bufsize: count;
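Review bot: The `filter_state` enum added in the scripts/base/init-bare.zeek hunk is missing a comment that ties its member order to the C++ side. `get_filter_state` in src/iosource/pcap/pcap.bif converts `filter->GetState()` to a script value with a `static_cast` and `GetEnumVal`, so `ok`, `fatal`, `warning` presumably have to stay in the same order as `iosource::FilterState`, whose definition is not part of this patch. A line such as `## The order of values must match iosource::FilterState in the C++ code.` above the type would stop a later reorder from silently turning a fatal state into a warning. The per-value comments use `#`; writing them as `##<` would carry them into the generated script reference.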
@@ -112,6 +111,40 @@ function error%(%): string
 return zeek::make_intrusive("no error");
 %}
+## Returns the initialization state of a PCAP filter, or OK if the either
+## there's no active packet source or the pcap filter ID does not exist.
+##
+## id: The PCAP filter id of a precompiled filter.
+##
+## Returns: A state value denoting whether any warnings or errors were
+## encountered while initializing the filter.
+##
+## .. zeek:see:: Pcap::precompile_pcap_filter
+## Pcap::install_pcap_filter
+function get_filter_state%(id: PcapFilterID%): filter_state
+ %{
+ EnumTypePtr filter_state = zeek::id::find_type("Pcap::filter_state");
+ zeek::iosource::PktSrc* ps = zeek::iosource_mgr->GetPktSrc();
+ if ( ps )
+ {
+ if ( auto filter = ps->GetBPFFilter(id->AsInt()) )
+ return filter_state->GetEnumVal(static_cast(filter->GetState()));
+ }
+
+ return filter_state->GetEnumVal(static_cast(iosource::FilterState::OK));
+ %}
+
+## Returns a string containing any error messages that were reported by
+## filter initialization.
+##
+## id: The PCAP filter id of a precompiled filter.
+##
+## Returns: Warning/error strings from the initialization process, a blank
+## string if none were encountered, or '' if either there
+## is no active packet source or the filter ID doesn't exist.
+##
+## .. zeek:see:: Pcap::precompile_pcap_filter
+## Pcap::install_pcap_filter
 function get_filter_state_string%(id: PcapFilterID%): string
 %{
 zeek::iosource::PktSrc* ps = zeek::iosource_mgr->GetPktSrc();
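Review bot: The doc comment on `get_filter_state` has a stray word and names a value that scripts never see: "or OK if the either there's no active packet source" would read better as `## Returns the initialization state of a PCAP filter, or Pcap::ok if either` followed by `## there's no active packet source or the pcap filter ID does not exist.`, since the script-level member is `ok`. The `Pcap::filter_state` type is also looked up by name on every call, before the packet source is checked; holding the result in a function-local `static` would do the lookup once. The trailing context shows only the first lines of `get_filter_state_string`, whose body continues outside the hunk.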