[Bro-Dev] Configurable &write_expire interval

Jan Grashöfer jan.grashoefer at gmail.com
Wed Jun 8 11:30:14 PDT 2016 

My explanations might be hard to follow without examples. So I am adding
some pseudo code:

> I ran into an issue while trying to make the &write_expire interval
> configurable: Using a redefable constant does not work here, as the
> expression only gets evaluated when the table is initialized and thus
> later redefs do not influence the value.

# base script:
const exp_val = 5min &redef;
data: table[addr] of string &write_expire=exp_val;

# user script:
redef exp_val = 20min; # has no effect

> I thought about circumventing
> this by setting the value to 0 and maintain an extra variable to check
> against in my expire_func and return the right value. Unfortunately this
> won't work with write/read_expire as a write or read will reset the
> expiration to the initial value of 0.

# base script:
const exp_val = 5min &redef;

function do_exp(data: table[addr] of string, idx: addr): interval
	{
	if ( is_first_call() )
		return exp_val;
		# in case of a write, expire timer will be reset to 0
	else
		...
	}

data: table[addr] of string &write_expire=0 expire_func=do_exp;

> A solution could be to evaluate the interval expression every time it is
> used inside the table implementation. The drawback would be that there
> is no fixed value for serialization (I am not sure about the effects
> here). Another solution would be to provide a bif (or implement a
> language feature) to change the expire_time value from inside the
> expire_func.

# base script:
function do_exp(data: table[addr] of string, idx: addr): interval
	{
	if ( is_first_call() )
		expire exp_val; # sets expire timer instead of delay
	else
		...
	}

> There was a somehow similar discussion about per item expiration (see
> http://mailman.icsi.berkeley.edu/pipermail/bro-dev/2016-April/011731.html)
> in which Robin came up with the solution of multiple tables with
> different expiration values. Again this would be a solution but doesn't
> feel right (duplicate code, static and somehow counterintuitive for the
> user).

# base script:
type exp_interval enum { ei1m, ei10m, ... };
const exp_val = ei1m &redef;

data1m: table[addr] of string &write_expire=1min;
data10m: table[addr] of string &write_expire=10min;
...
data1d: table[addr] of string &write_expire=1day;

function insert(...)
	{
	switch ( exp_val )
		{
		case ei1m:
			data1m[...] = ...
			break;
		case ei10m:
			data10m[...] = ...
			break;
		...
		}
	}

# user script:
redef exp_val = ei30m;

> Maybe I am missing something regarding the loading sequence of scripts
> and this problem could be solved easier. So I am open for any
> suggestions or feedback!

More information about the bro-dev mailing list