[FEATURE]expr_matcher support dual engine(hyperscan & rulescan)

scanner/expr_matcher/expr_matcher.h

@@ -0,0 +1,134 @@
+/*
+**********************************************************************************************
+*	File: expr_matcher.h
+*   Description: 
+*	Authors: Liu wentan <liuwentan@geedgenetworks.com>
+*	Date:    2023-06-30
+*   Copyright: (c) Since 2023 Geedge Networks, Ltd. All rights reserved.
+***********************************************************************************************
+*/
+
+#ifndef _EXPR_MATCHER_H_
+#define _EXPR_MATCHER_H_
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#include <stddef.h>
+
+#include "log/log.h"
+
+#define MAX_EXPR_PATTERN_NUM  8   /* 每条与表达式最多由MAX_EXPR_ITEM_NUM个规则组成 */
+#define MAX_HIT_EXPR_NUM     1024
+
+enum expr_engine_type {
+    EXPR_ENGINE_TYPE_HS = 0, /* default engine */
+    EXPR_ENGINE_TYPE_RS,
+    EXPR_ENGINE_TYPE_MAX
+};
+
+enum expr_pattern_type {
+	EXPR_PATTERN_TYPE_STR = 0, /* pure literal string */
+	EXPR_PATTERN_TYPE_REG = 1, /* regex expression */
+};
+
+enum expr_case_sensitive {
+	EXPR_CASE_INSENSITIVE = 0,
+	EXPR_CASE_SENSITIVE
+};
+
+enum expr_match_mode {
+	EXPR_MATCH_MODE_INVALID = -1,
+	EXPR_MATCH_MODE_EXACTLY = 1, /* scan data must match pattern exactly */
+	EXPR_MATCH_MODE_PREFIX,      /* pattern must in the head of scan_data */
+	EXPR_MATCH_MODE_SUFFIX,	     /* pattern must in the tail of scan_data */
+	EXPR_MATCH_MODE_SUB          /* pattern must in the range[l_offset, r_offset] of scan_data */
+};
+
+struct expr_pattern {
+	enum expr_pattern_type type;
+	enum expr_match_mode match_mode;
+	enum expr_case_sensitive case_sensitive;
+
+	/* 
+     * just match in scan_data's range of [start_offset, end_offset], -1 means no limits
+     * for example:
+     *  [-1, end_offset] means the pattern must in scan_data's [0 ~ start_offset]
+     *  [start_offset, -1] means the pattern must in scan_data's [start_offset ~ data_end]
+    */
+	int start_offset;
+	int end_offset;
+
+	char *pat;
+	size_t pat_len;
+};
+
+struct expr_scan_result {
+	long long rule_id;
+	void *user_tag;
+};
+
+/* logic AND expression, such as (rule1 & rule2) */
+struct expr_rule {
+	long long expr_id;   /* AND expression ID */
+	size_t n_patterns;     
+	struct expr_pattern patterns[MAX_EXPR_PATTERN_NUM];
+	void *tag;           /* user defined data, return with hit result */
+};
+
+int expr_matcher_verify_regex_expression(const char *regex_expr,
+										 struct log_handle *logger);
+
+/**
+ * @brief new expr matcher instance
+ * 
+ * @param expr_array:       logic AND expression's array
+ * @param n_expr_array:     the number of logic AND expression's array
+ * @param n_worker_threads: the number of scan threads which will call adapter_rs_scan()
+ * 
+*/
+struct expr_matcher *
+expr_matcher_new(struct expr_rule *rules, size_t n_rule, enum expr_engine_type type,
+                 size_t n_worker_thread, struct log_handle *logger);
+
+void expr_matcher_free(struct expr_matcher *matcher);
+
+/**
+ * @brief scan input data to match logic AND expression, return all matched expr_id
+ * 
+ * @param matcher:  expr_matcher instance obtained by expr_matcher_new()
+ * @param thread_id:    the thread_id of caller
+ * @param scan_data:    data to be scanned
+ * @param data_len:     the length of data to be scanned
+ * @param result_array: the array to store hit expr_id which allocated by caller
+ * @param n_result_array: number of elements in array of expr_id
+*/
+int expr_matcher_match(struct expr_matcher *matcher, int thread_id, const char *scan_data,
+                       size_t data_len, struct expr_scan_result *result_array,
+                       size_t n_result_array, size_t *n_hit_results);
+
+/**
+ * @brief
+ */
+struct expr_matcher_stream *
+expr_matcher_stream_open(struct expr_matcher *matcher, int thread_id);
+
+/**
+ * @brief
+ */
+int expr_matcher_stream_match(struct expr_matcher_stream *stream, const char *scan_data,
+						      size_t data_len, struct expr_scan_result *result_array, 
+						      size_t n_result_array, size_t *n_hit_results);
+
+/**
+ * @brief
+ */
+void expr_matcher_stream_close(struct expr_matcher_stream *stream);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif