Using a BiF across C++ and Zeek Policy

I am working on improving the btests for the kafka writer plugin with the goal of validating some logic in KafkaWriter::DoInit. The best approach that I have so far is to write a BiF and use it in both DoInit and the btest via Zeek policy, but I have only been able to find limited documentation[1][2] on the topic.

I’ve looked around for examples of this approach without success, including in the past few years of the Zeek-dev mailing list archives. I explicitly want to stay away from the assumption that the Manager/Logger has a kafka broker available to it at the time of testing.

My BiF is fairly simple:

function SelectTopicName%(override: string, default: string, fallback: string%) : string

// Things


bifcl appears to be generating the following:

namespace BifFunc { namespace Kafka { extern Val* bro_SelectTopicName(Frame* frame, val_list*); } }

At this point I’m just randomly poking around in Zeek/src trying to find my way - any pointers regarding how to use this function in C++ (or another approach altogether) would be appreciated. Thanks,



If I understand what you want, I think you may treat this just like
calling any other script-layer function from the C++ layer. So for an
example, this would look up the function you want to call (substitute
the name of the function you want):

You can also find the definition of "get_option" in the same file in
case that helps to look at.

Then here's an example of calling that function:

Note that the return value becomes your responsibility -- here it gets
used and then Unref()'d right away to take care of the required memory
management duties.

- Jon

If you just need to wrap some internal logic you could extract it into a normal C++ function and use a BiF to call that function out of a Bro-Script.


Re-reading the problem statement, I agree that does seem like all that
may be needed -- factor out a common C++ function that gets called
from inside both the BIF and the DoInit() function.

- Jon

Ah, that sounds like a better approach! Thanks Jan