[Bro-Dev] eval?

Vern Paxson vern at icir.org
Wed Jun 15 19:24:50 PDT 2011


Yuck.

This strikes me as definitely going down the wrong path - making code less
clear rather than more clear.

> redef Notice::action_filters += {
>         [[DPD::ProtocolViolation]] = Notice::ignore_action,
> };
> 
> I would like to do something like this...
> 
> redef Notice::policy += { 
> 	Notice::ignore_it(DPD::ProtocolViolation),
> };

I'm not understanding how the second is better than the first.  Indeed,
now I have to go look at how ignore_it works to know what's going on.

> The problem is that to implement the ignore_it function requires me to dynamically implement the predicate for the notice policy which Bro doesn't currently like.  I tried implementing it similarly to this:
> 
> function ignore_it(nt: Notice::Type): Notice::PolicyItem
> 	{
> 	return [$result=ACTION_IGNORE,
> 	        $pred(n: Notice::Info) = { return n$note == nt; },
> 	        $priority=5];
> 	}

Here it seems if you must go this route, the right fix is either a notion
of currying (or partial application) of functions, or to have a single
PolicyItem for ignoring that looks up n$note in a table, and just add
DPD::ProtocolViolation to that table.

		Vern
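
The table-lookup alternative suggested above, written out as an added example (not code from this thread or from the Bro distribution). It reuses the record fields and identifiers shown in the quoted code (`$result`, `$pred`, `$priority`, `ACTION_IGNORE`, `Notice::policy`); the module name `NoticeIgnore` and the set `ignored_types` are hypothetical, and the notice framework and DPD scripts are assumed to be loaded.

```bro
# Added example: one PolicyItem that ignores every notice type listed in a
# redef-able set. Module and set names are hypothetical.
module NoticeIgnore;

export {
	# Notice types to ignore. Sites extend this with redef rather than
	# adding a new PolicyItem per type.
	const ignored_types: set[Notice::Type] = {} &redef;
}

# The predicate reads only module-level state, so it does not need to
# capture a function argument the way ignore_it(nt) did.
redef Notice::policy += {
	[$result=ACTION_IGNORE,
	 $pred(n: Notice::Info) = { return n$note in ignored_types; },
	 $priority=5]
};

# Site configuration: ignoring another notice type is a one-line change.
redef NoticeIgnore::ignored_types += {
	DPD::ProtocolViolation,
};
```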

