From f46aef16114b1f4c86662370d81e3393b8199917 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 8 Nov 2023 11:23:19 -0500
Subject: [PATCH] remove comments from BPFs

---
 salt/bpf/macros.jinja | 10 ++++++++++
 salt/bpf/pcap.map.jinja | 3 +++
 salt/bpf/suricata.map.jinja | 3 +++
 salt/bpf/zeek.map.jinja | 3 +++
 4 files changed, 19 insertions(+)
 create mode 100644 salt/bpf/macros.jinja

diff --git a/salt/bpf/macros.jinja b/salt/bpf/macros.jinja
new file mode 100644
index 000000000..38cb8ed0d
--- /dev/null
+++ b/salt/bpf/macros.jinja
@@ -0,0 +1,10 @@
+{% macro remove_comments(bpfmerged, app) %}
+
+{# remove comments from the bpf #}
+{% for bpf in bpfmerged[app] %}
+{% if bpf.strip().startswith('#') %}
+{% do bpfmerged[app].pop(loop.index0) %}
+{% endif %}
+{% endfor %}
+
+{% endmacro %}
diff --git a/salt/bpf/pcap.map.jinja b/salt/bpf/pcap.map.jinja
index a160f2f7a..c1d7562cc 100644
--- a/salt/bpf/pcap.map.jinja
+++ b/salt/bpf/pcap.map.jinja
@@ -1,4 +1,7 @@
 {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
 {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+{% import 'bpf/macros.jinja' as MACROS %}
+
+{{ MACROS.remove_comments(BPFMERGED, 'pcap') }}
 {% set PCAPBPF = BPFMERGED.pcap %}
diff --git a/salt/bpf/suricata.map.jinja b/salt/bpf/suricata.map.jinja
index bec763783..fe4adb663 100644
--- a/salt/bpf/suricata.map.jinja
+++ b/salt/bpf/suricata.map.jinja
@@ -1,4 +1,7 @@
 {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
 {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+{% import 'bpf/macros.jinja' as MACROS %}
+
+{{ MACROS.remove_comments(BPFMERGED, 'suricata') }}
 {% set SURICATABPF = BPFMERGED.suricata %}
diff --git a/salt/bpf/zeek.map.jinja b/salt/bpf/zeek.map.jinja
index 1bfb6799e..fdcc5e99f 100644
--- a/salt/bpf/zeek.map.jinja
+++ b/salt/bpf/zeek.map.jinja
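Review bot: The loop in `remove_comments` pops from `bpfmerged[app]` while it is iterating over that same list, so each removal shifts the remaining entries under the iterator. With two comment entries in a row the second one can be left in the list, and depending on how the installed Jinja version advances the loop, `loop.index0` may no longer point at `bpf`, in which case a real filter term would be removed instead. A comment that survives would presumably reach the BPF handed to the sensor, so the filter may fail to compile or capture may not be restricted as intended (inferred; the consumers of these maps are not part of this patch). Collect the entries to keep in a new list and assign it back after the loop, as below; this assumes `bpfmerged` is the plain dict returned by `pillar.get`.

```jinja
{% macro remove_comments(bpfmerged, app) %}
{# build the filtered list first; the list being iterated is never mutated #}
{% set kept = [] %}
{% for bpf in bpfmerged[app] %}
{% if not bpf.strip().startswith('#') %}
{% do kept.append(bpf) %}
{% endif %}
{% endfor %}
{% do bpfmerged.update({app: kept}) %}
{% endmacro %}
```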
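Review bot: The call `{{ MACROS.remove_comments(BPFMERGED, 'pcap') }}` is written as an output expression although the macro is used only for its side effect on `BPFMERGED`; `{% do MACROS.remove_comments(BPFMERGED, 'pcap') %}` states that intent and emits nothing, and the `do` tag is already used in macros.jinja. A one-line comment such as `{# strips '#' entries from BPFMERGED.pcap in place #}` would tell the reader why the `set` that follows sees a changed list. The same applies to the suricata.map.jinja and zeek.map.jinja hunks.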
@@ -1,4 +1,7 @@
 {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
 {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+{% import 'bpf/macros.jinja' as MACROS %}
+
+{{ MACROS.remove_comments(BPFMERGED, 'zeek') }}
 {% set ZEEKBPF = BPFMERGED.zeek %}