/**
* Special parser for iptables-like name/value pairs.
* The pull multiple fields. Note that once this parser has been selected,
* it is very unlikely to be left, as it is *very* generic. This parser is
* required because practice shows that already-structured data like iptables
* can otherwise not be processed by liblognorm in a meaningful way.
*
* @param[in] tree current tree to process
* @param[in] str string to be matched against (the to-be-normalized data)
* @param[in] strLen length of str
* @param[in/out] offs start position in input data, on exit first unparsed position
* @param[in/out] event handle to event that is being created during normalization
*
* @return 0 if parser was successfully, something else on error
*/
static int
ln_iptablesParser(struct ln_ptree *tree, const char *str, size_t strLen, size_t *offs,
struct json_object *json)
{
int r;
size_t o = *offs;
es_str_t *fname;
es_str_t *fval;
const char *pstr;
const char *end;
struct json_object *value;
ln_dbgprintf(tree->ctx, "%zu enter iptables parser, len %zu", *offs, strLen);
if(o == strLen) {
r = -1; /* can not be, we have no n/v pairs! */
goto done;
}
end = str + strLen;
pstr = str + o;
while(pstr < end) {
while(pstr < end && isspace(*pstr))
++pstr;
CHKN(fname = es_newStr(16));
while(pstr < end && !isspace(*pstr) && *pstr != '=') {
es_addChar(&fname, *pstr);
++pstr;
}
if(pstr < end && *pstr == '=') {
CHKN(fval = es_newStr(16));
++pstr;
/* error on space */
while(pstr < end && !isspace(*pstr)) {
es_addChar(&fval, *pstr);
++pstr;
}
} else {
CHKN(fval = es_newStrFromCStr("[*PRESENT*]",
sizeof("[*PRESENT*]")-1));
}
char *cn, *cv;
CHKN(cn = ln_es_str2cstr(&fname));
CHKN(cv = ln_es_str2cstr(&fval));
if (tree->ctx->debug) {
ln_dbgprintf(tree->ctx, "iptables parser extracts %s=%s", cn, cv);
}
CHKN(value = json_object_new_string(cv));
json_object_object_add(json, cn, value);
es_deleteStr(fval);
es_deleteStr(fname);
}
r = 0;
*offs = strLen;
done:
ln_dbgprintf(tree->ctx, "%zu iptables parser returns %d", *offs, r);
return r;
}
void
ln_deletePTreeNode(ln_fieldList_t *node)
{
ln_deletePTree(node->subtree);
es_deleteStr(node->name);
if(node->data != NULL)
es_deleteStr(node->data);
if(node->raw_data != NULL)
es_deleteStr(node->raw_data);
if(node->parser_data != NULL && node->parser_data_destructor != NULL)
node->parser_data_destructor(&(node->parser_data));
free(node);
}
void
ee_deleteValue(struct ee_value *value)
{
assert(value != NULL); assert(value->objID == ObjID_VALUE);
if(value->val.str != NULL)
es_deleteStr(value->val.str);
free(value);
}
void
ln_displayPTree(struct ln_ptree *tree, int level)
{
int i;
int nChildLit;
int nChildField;
es_str_t *str;
char *cstr;
ln_fieldList_t *node;
char indent[2048];
if(level > 1023)
level = 1023;
memset(indent, ' ', level * 2);
indent[level * 2] = '\0';
nChildField = 0;
for(node = tree->froot ; node != NULL ; node = node->next ) {
++nChildField;
}
nChildLit = 0;
for(i = 0 ; i < 256 ; ++i) {
if(tree->subtree[i] != NULL) {
nChildLit++;
}
}
str = es_newStr(sizeof(tree->prefix));
es_addBuf(&str, (char*) prefixBase(tree), tree->lenPrefix);
cstr = es_str2cstr(str, NULL);
es_deleteStr(str);
ln_dbgprintf(tree->ctx, "%ssubtree%s %p (prefix: '%s', children: %d literals, %d fields)",
indent, tree->flags.isTerminal ? " TERM" : "", tree, cstr, nChildLit, nChildField);
free(cstr);
/* display char subtrees */
for(i = 0 ; i < 256 ; ++i) {
if(tree->subtree[i] != NULL) {
ln_dbgprintf(tree->ctx, "%schar %2.2x(%c):", indent, i, i);
ln_displayPTree(tree->subtree[i], level + 1);
}
}
/* display field subtrees */
for(node = tree->froot ; node != NULL ; node = node->next ) {
cstr = es_str2cstr(node->name, NULL);
ln_dbgprintf(tree->ctx, "%sfield %s:", indent, cstr);
free(cstr);
ln_displayPTree(node->subtree, level + 1);
}
}
int
ln_exitCtx(ln_ctx ctx)
{
int r = 0;
CHECK_CTX;
ctx->objID = LN_ObjID_None; /* prevent double free */
if(ctx->ptree != NULL)
ln_deletePTree(ctx->ptree);
if(ctx->rulePrefix != NULL)
es_deleteStr(ctx->rulePrefix);
if(ctx->pas != NULL)
ln_deleteAnnotSet(ctx->pas);
free(ctx);
done:
return r;
}
