refactor: improve clarity of filter matching logic

pkg/ebpf/c/tracee.bpf.c

@@ -640,7 +640,7 @@ int tracepoint__sched__sched_process_fork(struct bpf_raw_tracepoint_args *ctx)
 
     policies_config_t *policies_cfg = &p.event->policies_config;
 
-    if (policies_cfg->proc_tree_filter_enabled_scopes) {
+    if (policies_cfg->proc_tree_filter_enabled) {
         u16 version = p.event->context.policies_version;
         // Give the compiler a hint about the map type, otherwise libbpf will complain
         // about missing type information. i.e.: "can't determine value size for type".

pkg/ebpf/c/types.h

@@ -294,43 +294,42 @@ typedef struct ksym_name {
 } ksym_name_t;
 
 typedef struct equality {
-    // bitmask with scopes on which a equal '=' filter is set
-    // its bit value will depend on the filter's equality precedence order
-    u64 equal_in_scopes;
-    // bitmask with scopes on which a filter equality is set
-    u64 equality_set_in_scopes;
+    // bitmap indicating which policies have a filter that uses the '=' operator (0 means '!=')
+    u64 equals_in_policies;
+    // bitmap indicating which policies have a filter that utilize the provided key
+    u64 key_used_in_policies;
 } eq_t;
 
 typedef struct policies_config {
-    // enabled scopes bitmask per filter
-    u64 uid_filter_enabled_scopes;
-    u64 pid_filter_enabled_scopes;
-    u64 mnt_ns_filter_enabled_scopes;
-    u64 pid_ns_filter_enabled_scopes;
-    u64 uts_ns_filter_enabled_scopes;
-    u64 comm_filter_enabled_scopes;
-    u64 cgroup_id_filter_enabled_scopes;
-    u64 cont_filter_enabled_scopes;
-    u64 new_cont_filter_enabled_scopes;
-    u64 new_pid_filter_enabled_scopes;
-    u64 proc_tree_filter_enabled_scopes;
-    u64 bin_path_filter_enabled_scopes;
-    u64 follow_filter_enabled_scopes;
-    // filter_out bitmask per filter
-    u64 uid_filter_out_scopes;
-    u64 pid_filter_out_scopes;
-    u64 mnt_ns_filter_out_scopes;
-    u64 pid_ns_filter_out_scopes;
-    u64 uts_ns_filter_out_scopes;
-    u64 comm_filter_out_scopes;
-    u64 cgroup_id_filter_out_scopes;
-    u64 cont_filter_out_scopes;
-    u64 new_cont_filter_out_scopes;
-    u64 new_pid_filter_out_scopes;
-    u64 proc_tree_filter_out_scopes;
-    u64 bin_path_filter_out_scopes;
-    // bitmask with scopes that have at least one filter enabled
-    u64 enabled_scopes;
+    // bitmap indicating which policies have the filter enabled
+    u64 uid_filter_enabled;
+    u64 pid_filter_enabled;
+    u64 mnt_ns_filter_enabled;
+    u64 pid_ns_filter_enabled;
+    u64 uts_ns_filter_enabled;
+    u64 comm_filter_enabled;
+    u64 cgroup_id_filter_enabled;
+    u64 cont_filter_enabled;
+    u64 new_cont_filter_enabled;
+    u64 new_pid_filter_enabled;
+    u64 proc_tree_filter_enabled;
+    u64 bin_path_filter_enabled;
+    u64 follow_filter_enabled;
+    // bitmap indicating whether to match a rule if the key is missing from its filter map
+    u64 uid_filter_match_if_key_missing;
+    u64 pid_filter_match_if_key_missing;
+    u64 mnt_ns_filter_match_if_key_missing;
+    u64 pid_ns_filter_match_if_key_missing;
+    u64 uts_ns_filter_match_if_key_missing;
+    u64 comm_filter_match_if_key_missing;
+    u64 cgroup_id_filter_match_if_key_missing;
+    u64 cont_filter_match_if_key_missing;
+    u64 new_cont_filter_match_if_key_missing;
+    u64 new_pid_filter_match_if_key_missing;
+    u64 proc_tree_filter_match_if_key_missing;
+    u64 bin_path_filter_match_if_key_missing;
+    // bitmap with policies that have at least one filter enabled
+    u64 enabled_policies;
     // global min max
     u64 uid_max;
     u64 uid_min;

pkg/filters/binary.go

@@ -130,7 +130,7 @@ func (f *BinaryFilter) Enabled() bool {
 	return f.enabled
 }
 
-func (f *BinaryFilter) FilterOut() bool {
+func (f *BinaryFilter) MatchIfKeyMissing() bool {
 	if len(f.equal) > 0 && len(f.notEqual) == 0 {
 		return false
 	}

pkg/filters/bool.go

@@ -144,7 +144,7 @@ func (f *BoolFilter) Value() bool {
 	return f.trueEnabled
 }
 
-func (f *BoolFilter) FilterOut() bool {
+func (f *BoolFilter) MatchIfKeyMissing() bool {
 	return !f.Value()
 }
 

pkg/filters/bool_test.go

@@ -91,21 +91,21 @@ func TestBoolFilterParse(t *testing.T) {
 	}
 }
 
-func TestBoolFilterFilterOut(t *testing.T) {
+func TestBoolFilterMatchIfKeyMissing(t *testing.T) {
 	t.Parallel()
 
 	bf1 := NewBoolFilter()
 	bf1.Parse("=true")
-	assert.False(t, bf1.FilterOut())
+	assert.False(t, bf1.MatchIfKeyMissing())
 
 	bf3 := NewBoolFilter()
 	bf3.Parse("=true")
 	bf3.Parse("=false")
-	assert.False(t, bf3.FilterOut())
+	assert.False(t, bf3.MatchIfKeyMissing())
 
 	bf2 := NewBoolFilter()
 	bf2.Parse("=false")
-	assert.True(t, bf2.FilterOut())
+	assert.True(t, bf2.MatchIfKeyMissing())
 }
 
 func TestBoolFilterClone(t *testing.T) {

pkg/filters/processtree.go

@@ -80,7 +80,7 @@ func (f *ProcessTreeFilter) Parse(operatorAndValues string) error {
 	return nil
 }
 
-func (f *ProcessTreeFilter) FilterOut() bool {
+func (f *ProcessTreeFilter) MatchIfKeyMissing() bool {
 	if len(f.equal) > 0 && len(f.notEqual) == 0 {
 		return false
 	}

pkg/filters/processtree_test.go

@@ -113,32 +113,32 @@ func TestProcessTreeFilterParse(t *testing.T) {
 	}
 }
 
-func TestProcessTreeFilterFilterOut(t *testing.T) {
+func TestProcessTreeFilterMatchIfKeyMissing(t *testing.T) {
 	t.Parallel()
 
 	ptf1 := NewProcessTreeFilter()
 	ptf1.Parse("=0")
 	ptf1.Parse("=1")
 	ptf1.Parse("=2")
-	assert.False(t, ptf1.FilterOut())
+	assert.False(t, ptf1.MatchIfKeyMissing())
 
 	ptf2 := NewProcessTreeFilter()
 	ptf2.Parse("=0")
 	ptf2.Parse("!=1")
 	ptf2.Parse("=2")
-	assert.True(t, ptf2.FilterOut())
+	assert.True(t, ptf2.MatchIfKeyMissing())
 
 	ptf3 := NewProcessTreeFilter()
 	ptf3.Parse("!=0")
 	ptf3.Parse("=1")
 	ptf3.Parse("!=2")
-	assert.True(t, ptf3.FilterOut())
+	assert.True(t, ptf3.MatchIfKeyMissing())
 
 	ptf4 := NewProcessTreeFilter()
 	ptf4.Parse("!=0")
 	ptf4.Parse("!=1")
 	ptf4.Parse("!=2")
-	assert.True(t, ptf4.FilterOut())
+	assert.True(t, ptf4.MatchIfKeyMissing())
 }
 
 func TestProcessTreeFilterClone(t *testing.T) {

pkg/filters/string.go

@@ -230,7 +230,7 @@ func (f *StringFilter) NotEqual() []string {
 	return res
 }
 
-func (f *StringFilter) FilterOut() bool {
+func (f *StringFilter) MatchIfKeyMissing() bool {
 	if len(f.Equal()) > 0 && len(f.NotEqual()) == 0 {
 		return false
 	}

pkg/filters/string_test.go

@@ -151,7 +151,7 @@ func TestStringFilterParse(t *testing.T) {
 	}
 }
 
-func TestStringFilterFilterOut(t *testing.T) {
+func TestStringFilterMatchIfKeyMissing(t *testing.T) {
 	t.Parallel()
 
 	sf1 := NewStringFilter(nil)
@@ -163,7 +163,7 @@ func TestStringFilterFilterOut(t *testing.T) {
 	err = sf1.Parse("=here")
 	require.NoError(t, err)
 
-	assert.False(t, sf1.FilterOut())
+	assert.False(t, sf1.MatchIfKeyMissing())
 
 	sf2 := NewStringFilter(nil)
 
@@ -174,7 +174,7 @@ func TestStringFilterFilterOut(t *testing.T) {
 	err = sf2.Parse("=here")
 	require.NoError(t, err)
 
-	assert.True(t, sf2.FilterOut())
+	assert.True(t, sf2.MatchIfKeyMissing())
 
 	sf3 := NewStringFilter(nil)
 
@@ -185,7 +185,7 @@ func TestStringFilterFilterOut(t *testing.T) {
 	err = sf3.Parse("!=here")
 	require.NoError(t, err)
 
-	assert.True(t, sf3.FilterOut())
+	assert.True(t, sf3.MatchIfKeyMissing())
 
 	sf4 := NewStringFilter(nil)
 
@@ -196,7 +196,7 @@ func TestStringFilterFilterOut(t *testing.T) {
 	err = sf4.Parse("!=here")
 	require.NoError(t, err)
 
-	assert.True(t, sf4.FilterOut())
+	assert.True(t, sf4.MatchIfKeyMissing())
 }
 
 func TestStringFilterClone(t *testing.T) {

pkg/filters/uint.go

@@ -212,7 +212,7 @@ func (f *UIntFilter[T]) Parse(operatorAndValues string) error {
 	return nil
 }
 
-func (f *UIntFilter[T]) FilterOut() bool {
+func (f *UIntFilter[T]) MatchIfKeyMissing() bool {
 	if len(f.equal) > 0 && len(f.notEqual) == 0 && f.min == MinNotSetUInt && f.max == MaxNotSetUInt {
 		return false
 	}