[syslog-ng] turn off case sensitivity for match regex filter

Balazs Scheidler bazsi at balabit.hu
Sun Apr 29 19:21:11 CEST 2007


On Sat, 2007-04-28 at 12:44 -0700, stucky wrote:
> Baszi
> 
> Cool. I'm in the middle of building a new infrastructure and would
> like to use this feature. I'm not a programmer but I assume adding
> this feature shouldn't be very hard at all right ?
> If you had a rough ETA that'd help me. 

attached patch implements it using perl-like syntax, e.g.:

filter f_case { match('(?i)regexp'); };

It works in all filters that use regexps (e.g. match, host, program,
etc) The regexp must begin with '(?' or otherwise the flag will not be
recognized. 

Tomorrow's snapshot should contain it.

>From 47f53555268efb72ab8db2d620d7669b8e5dc7a4 Mon Sep 17 00:00:00 2001
From: Balazs Scheidler <bazsi at balabit.hu>
Date: Sun, 29 Apr 2007 18:53:46 +0200
Subject: [PATCH] added support for Perl-like regexp flags to support case-ignoring matches

2007-04-28  Balazs Scheidler <bazsi at balabit.hu>

	* src/filter.c (filter_re_compile): parse '(?i)' at the beginning of
	regexps as an ignore-case flag, just like Perl does
---
 src/filter.c              |   34 +++++++++++++++++++++++++++++++---
 tests/unit/test_filters.c |    5 +++++
 2 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/src/filter.c b/src/filter.c
index 8e19440..cf7e3aa 100644
--- a/src/filter.c
+++ b/src/filter.c
@@ -230,11 +230,39 @@ typedef struct _FilterRE
 } FilterRE;
 
 static gboolean
-filter_re_compile(const char *re, regex_t *regex)
+filter_re_compile(const gchar *re, regex_t *regex)
 {
-  int rc;
+  gint rc;
+  const gchar *re_comp = re;
+  gint flags = REG_EXTENDED;
   
-  rc = regcomp(regex, re, REG_EXTENDED);
+  if (re[0] == '(' && re[1] == '?')
+    {
+      gint i;
+      
+      for (i = 2; re[i] && re[i] != ')'; i++)
+        {
+          switch (re[i])
+            {
+            case 'i':
+              flags |= REG_ICASE;
+              break;
+            }
+        }
+      if (re[i])
+        {
+          re_comp = &re[i + 1];
+        }
+      else
+        {
+          msg_error("Invalid regexp flags",
+                    evt_tag_str("re", re),
+                    NULL);
+          return FALSE;
+        }
+    }
+  
+  rc = regcomp(regex, re_comp, flags);
   if (rc)
     {
       gchar buf[256];
diff --git a/tests/unit/test_filters.c b/tests/unit/test_filters.c
index 58236d7..187b572 100644
--- a/tests/unit/test_filters.c
+++ b/tests/unit/test_filters.c
@@ -137,11 +137,16 @@ main(int argc G_GNUC_UNUSED, char *argv[] G_GNUC_UNUSED)
 
   testcase("<15>Oct 15 16:17:01 host openvpn[2499]: PTHREAD support initialized", 0, filter_host_new("^host$"), 1);
   testcase("<15>Oct 15 16:17:01 host openvpn[2499]: PTHREAD support initialized", 0, filter_host_new("^hos$"), 0);
+  testcase("<15>Oct 15 16:17:01 host openvpn[2499]: PTHREAD support initialized", 0, filter_host_new("pthread"), 0);
   fprintf(stderr, "One \"invalid regular expressions\" message is to be expected\n");
   TEST_ASSERT(filter_host_new("((") == NULL);
 
+  fprintf(stderr, "One \"invalid regular expressions\" message is to be expected\n");
+  TEST_ASSERT(filter_host_new("(?iana") == NULL);
+
   testcase("<15>Oct 15 16:17:01 host openvpn[2499]: PTHREAD support initialized", 0, filter_match_new(" PTHREAD "), 1);
   testcase("<15>Oct 15 16:17:01 host openvpn[2499]: PTHREAD support initialized", 0, filter_match_new("^PTHREAD$"), 0);
+  testcase("<15>Oct 15 16:17:01 host openvpn[2499]: PTHREAD support initialized", 0, filter_match_new("(?i)pthread"), 1);
   fprintf(stderr, "One \"invalid regular expression\" message is to be expected\n");
   TEST_ASSERT(filter_match_new("((") == NULL);
 


-- 
Bazsi



More information about the syslog-ng mailing list