
suricata-ffi: nicer rust bindings to suricata c interfaces #14753

Draft
jasonish wants to merge 10 commits into OISF:main from jasonish:suricata-ffi/v1
@jasonish jasonish commented Feb 4, 2026

A first take on a zero dependency crate for plugins, etc.

This has allowed me to remove my own ffi glue from my Redis output plugin, as well as remove the main "suricata" crate as a dependency.

Pushing for early comment to ease some near-future plugin exploration.

Related ticket: https://redmine.openinfosecfoundation.org/issues/7666

As output-eve-bindgen.h exists to support bindgen, it's odd to see
other Suricata C files using it. Instead Suricata C code should import
"output-eve.h", which itself includes "output-eve-bindgen.h", only
broken out to support the external tool bindgen.

There is an unfortunate side effect that one has to read
output-eve-bindgen.h for the documentation on this type, however, I
think we can resolve that in time.

This crate is for Rust wrappers around the -sys crate which includes
only raw bindings. This is the place to add nice wrappers around those
bindings, however it should remain clear of dependencies on the main
Suricata core crates.

Ticket: OISF#7666
@jasonish jasonish requested review from a team, jufajardini and victorjulien as code owners February 4, 2026 22:38
@jasonish jasonish marked this pull request as draft February 4, 2026 22:38
Comment on lines 38 to 42
assert!(init.is_none(), "init must not be None");
assert!(deinit.is_none(), "deinit must not be None");
assert!(write.is_none(), "write must not be None");
assert!(thread_init.is_none(), "thread_init must not be None");
assert!(thread_deinit.is_none(), "thread_deinit must not be None");
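Review bot: the five assertions on lines 38 to 42 call `.is_none()` while their messages say the callback "must not be None", so each one panics when the callback is supplied and passes when it is missing. Each should test `.is_some()`, for example `assert!(init.is_some(), "init must not be None");`. A short doc comment stating that all five callbacks are required would also help, since the Option<...> parameter types alone suggest they are optional.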
Member Author


Bindgen creates callback types as Option<...>, but these are not optional. The idea with the assert is they get caught in development.

Member Author


These have been flipped to .is_some(). Oops.


codecov bot commented Feb 4, 2026

Codecov Report

❌ Patch coverage is 0% with 30 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.16%. Comparing base (69eb567) to head (da5bb76).

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #14753      +/-   ##
==========================================
+ Coverage   82.15%   82.16%   +0.01%     
==========================================
  Files        1003     1003              
  Lines      263643   263641       -2     
==========================================
+ Hits       216586   216618      +32     
+ Misses      47057    47023      -34     
Flag Coverage Δ
fuzzcorpus 60.19% <0.00%> (+<0.01%) ⬆️
livemode 18.83% <0.00%> (+0.12%) ⬆️
netns 18.52% <0.00%> (-0.01%) ⬇️
pcap 44.60% <0.00%> (+<0.01%) ⬆️
suricata-verify 65.46% <0.00%> (+<0.01%) ⬆️
unittests 59.23% <0.00%> (-0.01%) ⬇️


@suricata-qa

Information: QA ran without warnings.

Pipeline = 29445

@suricata-qa

Information: QA ran without warnings.

Pipeline = 29446

Mostly a copy of Suricata core's logging wrappers into the ffi crate.

These are not yet used by Suricata-core as they do require the
Suricata library to be available, which is not the case with tests. And
the `cfg(test)` parameter is not passed through to sub-crates.

However, this does allow a plugin (or library) to call the logging
macros without depending on the "suricata" crate.

Ticket: OISF#7666

A plugin can now create a "Plugin" struct with Rust strings.  The
`into_raw` method converts it to a raw pointer suitable for returning
during plugin registration.
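
The conversion that commit message describes, sketched as an added example (not code from this pull request or from the suricata-ffi crate): `RawPlugin`, its two fields, `free_raw` and `raw_name` are hypothetical stand-ins, since the real C plugin struct is not shown on this page. It shows the ownership hand-off and the interior-NUL check a safe wrapper needs before giving strings to C.

```rust
use std::ffi::{c_char, CStr, CString, NulError};

// Hypothetical C-side layout (assumption): two NUL-terminated strings.
#[repr(C)]
pub struct RawPlugin {
    pub name: *const c_char,
    pub version: *const c_char,
}

// Rust-string view that a plugin author fills in.
pub struct Plugin {
    pub name: String,
    pub version: String,
}

impl Plugin {
    /// Move the strings to the heap as C strings and return an owning raw
    /// pointer. An interior NUL is an error rather than a silent truncation.
    pub fn into_raw(self) -> Result<*mut RawPlugin, NulError> {
        // Build both CStrings before leaking either, so an error leaks nothing.
        let name = CString::new(self.name)?;
        let version = CString::new(self.version)?;
        let raw = RawPlugin { name: name.into_raw(), version: version.into_raw() };
        Ok(Box::into_raw(Box::new(raw)))
    }
}

/// Reclaim a pointer from `into_raw` (hypothetical helper for tests or a
/// failed registration). Safety: `raw` came from `into_raw`, not yet freed.
pub unsafe fn free_raw(raw: *mut RawPlugin) {
    if raw.is_null() { return; }
    unsafe {
        let boxed = Box::from_raw(raw);
        drop(CString::from_raw(boxed.name as *mut c_char));
        drop(CString::from_raw(boxed.version as *mut c_char));
    }
}

/// Read the name back the way a C consumer would see it.
pub unsafe fn raw_name(raw: *const RawPlugin) -> String {
    unsafe { CStr::from_ptr((*raw).name).to_string_lossy().into_owned() }
}

fn main() {
    let plugin = Plugin { name: "example-output".into(), version: "0.1.0".into() };
    let raw = plugin.into_raw().expect("no interior NUL");
    println!("registered name: {}", unsafe { raw_name(raw) });
    unsafe { free_raw(raw) };
}
```
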
@suricata-qa

Information: QA ran without warnings.

Pipeline = 29447
