Merge remote-tracking branch 'pbcullen/topic/pbcullen/remove_exclude'

* pbcullen/topic/pbcullen/remove_exclude: Update core.pcap.filter-warning baseline Add PacketFilter::remove_exclude function
2025-10-02 06:38:20 +00:00 · 2024-04-18 09:02:14 -07:00 · 2024-04-18 09:02:14 -07:00 · d566961da5
commit d566961da5
parent eb0e20f0ac f1941186eb
5 changed files with 31 additions and 3 deletions
--- a/11
+++ b/11
@ -1,3 +1,14 @@
+7.0.0-dev.136 | 2024-04-18 09:02:14 -0700
+
+  * Update core.pcap.filter-warning baseline (Peter Cullen, Corelight)
+
+    Only the line numbers changed.
+
+  * Add PacketFilter::remove_exclude function (Peter Cullen, Corelight)
+
+    This adds a public function to the PacketFilter framework that
+    allows the caller to remove an exclude filter by filter id.
+
 7.0.0-dev.132 | 2024-04-17 14:59:43 -0700

  * Parse and store localversion string (Peter Cullen, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-7.0.0-dev.132
+7.0.0-dev.136
--- a/scripts/base/frameworks/packet-filter/main.zeek
+++ b/scripts/base/frameworks/packet-filter/main.zeek
@ -101,6 +101,16 @@ export {
 	##          installed or not.
 	global exclude_for: function(filter_id: string, filter: string, span: interval): bool;

+	## Remove a previously added exclude filter fragment by name. The
+	## traffic that was being filtered will be allowed through the filter
+	## after calling this function.
+	##
+	## filter_id: The name given to the filter fragment which you'd like to remove.
+	##
+	## Returns: A boolean value to indicate if a filter fragment with the given name
+	##          actually installed.
+	global remove_exclude: function(filter_id: string): bool;
+
 	## Call this function to build and install a new dynamically built
 	## packet filter.
 	global install: function(): bool;
@ -194,12 +204,19 @@ function register_filter_plugin(fp: FilterPlugin)
 	}

 event remove_dynamic_filter(filter_id: string)
+	{
+	remove_exclude(filter_id);
+	}
+
+function remove_exclude(filter_id: string): bool
 	{
 	if ( filter_id in dynamic_restrict_filters )
 		{
 		delete dynamic_restrict_filters[filter_id];
 		install();
+		return T;
 		}
+	return F;
 	}

 function exclude(filter_id: string, filter: string): bool
--- a/testing/btest/Baseline/core.pcap.filter-warning/output
+++ b/testing/btest/Baseline/core.pcap.filter-warning/output
@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-warning in <...>/main.zeek, line 307: Warning while compiling pcap filter 'ip or not ip': IEEE 802.15.4 link-layer type filtering not implemented
+warning in <...>/main.zeek, line 324: Warning while compiling pcap filter 'ip or not ip': IEEE 802.15.4 link-layer type filtering not implemented
--- a/testing/btest/Baseline/core.pcap.filter-warning/reporter.log
+++ b/testing/btest/Baseline/core.pcap.filter-warning/reporter.log
@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	level	message	location
 #types	time	enum	string	string
-XXXXXXXXXX.XXXXXX	Reporter::WARNING	Warning while compiling pcap filter 'ip or not ip': IEEE 802.15.4 link-layer type filtering not implemented	<...>/main.zeek, line 307
+XXXXXXXXXX.XXXXXX	Reporter::WARNING	Warning while compiling pcap filter 'ip or not ip': IEEE 802.15.4 link-layer type filtering not implemented	<...>/main.zeek, line 324
 #close XXXX-XX-XX-XX-XX-XX