evl.c

Go to the documentation of this file.

/** \file evl.c

  \brief Rule evaluation code
*/

#include "evl.h"

/**AutomaticStart*************************************************************/

/*---------------------------------------------------------------------------*/
/* Static function prototypes                                                */
/*---------------------------------------------------------------------------*/

static int computeClassId (Evl_L4LookupTable_t * aRuleTable,
               Evl_L4Flow_t * aFlow);
static inline bool EthEvalSameIp (Pkt_EthernetHdr_t * anEth);
static int printRules (Evl_L4Manager_t * tcpMgr, array_t * rules);
static inline bool EthEvalAck (Pkt_EthernetHdr_t * anEth,
                   Rlp_AckAttribute_t * ackAttrib);
static inline bool EthEvalSample (Pkt_ProcessPkt_t * pp ,
                  Rlp_SampleAttribute_t * sampleAttribute);
static inline bool EthEvalIf (Pkt_ProcessPkt_t * pp,
                  Rlp_IfAttribute_t * ifAttribute);
static inline bool EthEvalSeq (Pkt_EthernetHdr_t * anEth,
                   Rlp_SeqAttribute_t * seqAttrib);
static inline bool EthEvalFlags (Pkt_EthernetHdr_t * anEthPkt,
                 Rlp_FlagsAttribute_t * flagsAttribute);
static inline bool EthEvalItype (Pkt_EthernetHdr_t * anEthPkt,
                 Rlp_ItypeAttribute_t * itypeAttrib);
static inline bool EthEvalIcode (Pkt_EthernetHdr_t * anEth,
                 Rlp_IcodeAttribute_t * icodeAttribute);
static inline bool EthEvalId (Pkt_EthernetHdr_t * anEthPkt,
                  Rlp_IdAttribute_t * idAttribute);
static inline bool EthEvalIcmpId (Pkt_EthernetHdr_t * anEth,
                  Rlp_IcmpIdAttribute_t * icmpIdAttribute);
static inline bool EthEvalIcmpSeqId (Pkt_EthernetHdr_t * anEth,
                     Rlp_IcmpSeqAttribute_t *
                     icmpSeqAttribute);
static inline bool EthEvalIpOpts (Pkt_EthernetHdr_t * anEth,
                  Rlp_IpOptsAttribute_t * ipOptsAttrib);
static inline bool EthEvalDsize (Pkt_EthernetHdr_t * anEthPkt,
                 Rlp_DsizeAttribute_t * dsizeAttrib);
static inline bool EthEvalTtl (Pkt_EthernetHdr_t * anEthPkt,
                   Rlp_TtlAttribute_t * ttlAttrib);
static inline bool EthEvalIpProto (Pkt_EthernetHdr_t * anEthPkt,
                   Rlp_IpProtoAttribute_t * ipProtoAttribute);
static inline bool EthEvalRpc (Pkt_EthernetHdr_t * anEthPkt ,
                   Rlp_RpcAttribute_t * rpcAttribute );
static inline bool EthEvalFrag (Pkt_EthernetHdr_t * anEthPkt,
                Rlp_FragbitsAttribute_t * fragAttribute);
static bool evalContentChecks (array_t * l7CheckArray, char *beginText,
                   char *endText);
static bool evalByteTest (char *beginText, char *current, char *endText,
              Rlp_ByteTestCheck_t * byteTestCheck);
static int computeByteJump (char *begin, char *current,
                Rlp_ByteJumpCheck_t * byteJumpCheck);
static bool evalContentCheck (char *beginText, char *endText,
                  char **lastMatchPtr, char **currentPtr,
                  Rlp_ContentCheck_t * contentCheck);
static bool myxor (bool A, bool B);
static int evalPcreCheck (char *beginText, char *endText,
              Rlp_PcreCheck_t * pcreCheck);
static void updateL4RuleArrays (Evl_L4Manager_t * l4mgr);
static void updateL3RuleArrays (Evl_Manager_t * mgr);

/**AutomaticEnd***************************************************************/


/** \brief  Core evaluation function - takes a flow, returns
  set of applicable L7 rules
*/

int
Evl_ComputeL7RuleSet (Evl_L4LookupTable_t * aRuleTable, Evl_L4Flow_t * aFlow)
{

  if (aRuleTable == NIL (Evl_L4LookupTable_t))
    {
      return -1;
    }

  int classId = computeClassId (aRuleTable, aFlow);
  return classId;

}


/**
  * \brief  Core evaluation function - takes a flow, returns
  * array of applicable L7 rules
  * 
  */
util_int_array_t *
Evl_ComputeL7RuleArray (Evl_L4LookupTable_t * aRuleTable,
            Evl_L4Flow_t * aFlow)
{
  if (aRuleTable == NIL (Evl_L4LookupTable_t))
    {
      return NIL (util_int_array_t);
    }
  int classId = computeClassId (aRuleTable, aFlow);
  util_int_array_t *result = aRuleTable->ruleArrays[classId];
  return result;
}

/**
  * \brief  Core evaluation function - takes a lookup table and a flow,
  * returns the class id applicable to the flow.
  * 
  */

static int
computeClassId (Evl_L4LookupTable_t * aRuleTable, Evl_L4Flow_t * aFlow)
{
  unsigned char lookupBytes[12];

  lookupBytes[0] = (aFlow->destPort >> 8);
  lookupBytes[1] = (aFlow->destPort);

  lookupBytes[2] = (aFlow->srcPort >> 8);
  lookupBytes[3] = (aFlow->srcPort);

  lookupBytes[4] = (aFlow->destIp >> 24);
  lookupBytes[5] = (aFlow->destIp >> 16);
  lookupBytes[6] = (aFlow->destIp >> 8);
  lookupBytes[7] = (aFlow->destIp);

  lookupBytes[8] = (aFlow->srcIp >> 24);
  lookupBytes[9] = (aFlow->srcIp >> 16);
  lookupBytes[10] = (aFlow->srcIp >> 8);
  lookupBytes[11] = (aFlow->srcIp);

  int currentNode = 0;
  int i;
  for (i = 0; i < 12; i++)
    {
      currentNode = aRuleTable->tree[256 * currentNode + lookupBytes[i]];
    }
  return currentNode;
}


/**
  * \brief  Check if src and dest ips in an eth packet are same.
  * 
  */

static inline bool
EthEvalSameIp (Pkt_EthernetHdr_t * anEth)
{
  Pkt_IpHdr_t *ipPkt = Pkt_EthernetExtractIp (anEth);
  return (ipPkt->destIp == ipPkt->sourceIp);
}


/**
  * \brief  Given an ethernet packet and Evl_Manager_t encoding
  * a set of rules, determine all rules applicable to the packet.
  *
  * Packet is assumed to be in host order. Caller must
  * pass in the array_t into which results are written.
  * 
  * Not handling icmp, just tcp, udp, ip
  */

void
Evl_ComputeRuleSetForEth (Pkt_ProcessPkt_t * pp, Evl_Manager_t * globalMgr)
{
  Pkt_EthernetHdr_t *anEthPkt = pp->pkt;
  array_t *result = pp->applicableRules;

  updateL3RuleArrays (globalMgr);

  array_t *genericResult = globalMgr->genericResult;
  array_t *layer3Result = globalMgr->layer3Result;
  array_t *layer4Result = globalMgr->layer4Result;


  if (globalMgr->genericMgr != NIL (Evl_GenericManager_t))
    {
      Evl_GenericManager_t *genericMgr = globalMgr->genericMgr;
      int i;
      for (i = 0; i < array_n (genericMgr->tcpIdToGlobalId); i++)
    {
      int id = array_fetch (int, genericMgr->tcpIdToGlobalId, i);
      Rlp_Formula_t *rlpFormula =
        array_fetch (Rlp_Formula_t *, genericMgr->L7RuleArray, i);
      if (Evl_EthEvalL7Rule (pp, rlpFormula, NIL (array_t)))
        {
          array_insert_last (int, genericResult, id);
        }
    }
    }
  // Evl_EvalRuleArray( l4mgr, pp, potentialRulesFromFsm, NIL(util_int_array_t), rulesFromFsm );

  if ((Pkt_EthernetReadL3Type (anEthPkt) == Pkt_L3ProtIp_c))
    {
      Evl_L4ComputeRuleSetForEth (pp, globalMgr->ipMgr, layer3Result);
    }
  else
    {
      // do nothing - we have no non ip rules
    }

  if ((Pkt_EthernetReadL3Type (anEthPkt) == Pkt_L3ProtIp_c))
    {
      Pkt_IpHdr_t *anIpPkt = Pkt_EthernetExtractIp (anEthPkt);

      u_int8_t layer4Prot = anIpPkt->protocol;

      if (layer4Prot == Pkt_L4ProtIcmp_c)
    {
      Evl_L4ComputeRuleSetForEth (pp, globalMgr->icmpMgr, layer4Result);
    }
      else if (layer4Prot == Pkt_L4ProtTcp_c)
    {
      Evl_L4ComputeRuleSetForEth (pp, globalMgr->tcpMgr, layer4Result);
    }
      else if (layer4Prot == Pkt_L4ProtUdp_c)
    {
      Evl_L4ComputeRuleSetForEth (pp, globalMgr->udpMgr, layer4Result);
    }
      else
    {
      // only handling tcp/icmp/udp layer 4 protocols right now
      // so do nothing
    }
    }

  array_merge (result, genericResult, layer3Result, layer4Result);

  return;
}


/**
  * \brief Compute rules for an ip packet based on the L4 structure.
  *
  * This only works  for certain l4 protocols, such as tcp, udp, icmp
  * (Currently, we use it for ip too)
  */

void
Evl_L4ComputeRuleSetForEth (Pkt_ProcessPkt_t * pp,
                Evl_L4Manager_t * l4mgr, array_t * result)
{
  Pkt_EthernetHdr_t *anEthPkt = pp->pkt;

  updateL4RuleArrays (l4mgr);

  array_t *potentialRulesFromFsm = l4mgr->potentialRulesFromFsm;
  array_t *rulesFromFsm = l4mgr->rulesFromFsm;
  array_t *rulesFromShortStringTable = l4mgr->rulesFromShortStringTable;
  array_t *rulesFromNoContentTable = l4mgr->rulesFromNoContentTable;


  Pkt_IpHdr_t *anIpPkt = Pkt_EthernetExtractIp (anEthPkt);

  Evl_L4Flow_t ipFlow;
  char *payload;
  int length = anIpPkt->length;
  int payloadLength;

  ipFlow.srcIp = anIpPkt->sourceIp;
  ipFlow.destIp = anIpPkt->destIp;

  if (anIpPkt->protocol == Pkt_L4ProtTcp_c)
    {               // tcp == 6
      Pkt_TcpHdr_t *aTcpPkt = Pkt_IpExtractTcp (anIpPkt);
      ipFlow.srcPort = aTcpPkt->srcPort;
      ipFlow.destPort = aTcpPkt->destPort;
      payload = Pkt_TcpHdrReadPayload (aTcpPkt);
      payloadLength = length - (payload - ((char *) anIpPkt));
    }
  else if (anIpPkt->protocol == Pkt_L4ProtUdp_c)
    {               // udp == 17
      Pkt_UdpHdr_t *aUdpPkt = Pkt_IpExtractUdp (anIpPkt);
      ipFlow.srcPort = aUdpPkt->srcPort;
      ipFlow.destPort = aUdpPkt->destPort;
      payload = Pkt_UdpHdrReadPayload (aUdpPkt);
      payloadLength = length - (payload - ((char *) anIpPkt));
    }
  else
    {
      // it's a generic ip pkt, doesn't really matter if it's icmp,
      // since the detailed checks Eth_EvalRuleArray will get them
      // there (should) be no dependence on port numbers so we just
      // set ports to 0
      ipFlow.srcPort = 0;
      ipFlow.destPort = 0;
      // there should be no content checks,  but the following will
      // look from the end of the ip layer to the end of the packet
      // ie it treats the l4 component as payload
      payload = ((char *) anIpPkt) + length;
      payloadLength = length;
    }

  int rulesFromDestPortTableIndex =
    Evl_ComputeL7RuleSet (l4mgr->destPortRuleTable, &ipFlow);
  var_set_t *rulesFromDestPortTable =
    (rulesFromDestPortTableIndex ==
     -1) ? NIL (var_set_t) : l4mgr->destPortRuleTable->
    ruleSets[rulesFromDestPortTableIndex];

  int rulesFromSrcPortTableIndex =
    Evl_ComputeL7RuleSet (l4mgr->srcPortRuleTable, &ipFlow);
  var_set_t *rulesFromSrcPortTable =
    (rulesFromSrcPortTableIndex ==
     -1) ? NIL (var_set_t) : l4mgr->srcPortRuleTable->
    ruleSets[rulesFromSrcPortTableIndex];

  int rulesFromNoPortTableIndex =
    Evl_ComputeL7RuleSet (l4mgr->noPortRuleTable, &ipFlow);
  var_set_t *rulesFromNoPortTable =
    (rulesFromNoPortTableIndex ==
     -1) ? NIL (var_set_t) : l4mgr->noPortRuleTable->
    ruleSets[rulesFromNoPortTableIndex];

  // short circuit eval seems to fail, hence the
  // nested grouping
  if (((rulesFromDestPortTable) == NIL (var_set_t)
       || (var_set_is_empty (rulesFromDestPortTable))))
    {
      if (((rulesFromSrcPortTable) == NIL (var_set_t)
       || (var_set_is_empty (rulesFromSrcPortTable))))
    {
      if ((rulesFromNoPortTable) == NIL (var_set_t)
          || (var_set_is_empty (rulesFromNoPortTable)))
        {
          /// \todo check that nil is acceptable return
          return;       
        }
    }
    }

  // if there are no states, just skip this check
  if (l4mgr->fsm->N != 0)
    {
      Evl_FsmComputeRules (l4mgr->fsm,
               l4mgr->cm->stringToId,
               l4mgr->cm->idToRules,
               rulesFromDestPortTable,
               rulesFromSrcPortTable,
               rulesFromNoPortTable,
               payload, payloadLength, potentialRulesFromFsm);
    }

  Evl_EvalRuleArray (l4mgr, pp, potentialRulesFromFsm, NIL (util_int_array_t),
             rulesFromFsm);

  util_int_array_t *potentialRulesFromShortStringTable =
    Evl_ComputeL7RuleArray (l4mgr->shortStringRuleTable, &ipFlow);

  Evl_EvalRuleArray (l4mgr, pp, NIL (array_t),
             potentialRulesFromShortStringTable,
             rulesFromShortStringTable);

  util_int_array_t *potentialRulesFromNoContentTable =
    Evl_ComputeL7RuleArray (l4mgr->noContentCheckTable, &ipFlow);

  Evl_EvalRuleArray (l4mgr, pp, NIL (array_t),
             potentialRulesFromNoContentTable,
             rulesFromNoContentTable);

  array_merge (result,
           rulesFromFsm,
           rulesFromShortStringTable, rulesFromNoContentTable);

  return;
}


/**
  * \brief  Print the set of rules given by an array
  */

static int
printRules (Evl_L4Manager_t * tcpMgr, array_t * rules)
{
  if (rules == NIL (array_t))
    {
      printf ("No applicable rules\n");
      return 0;
    }
  printf ("Applicable rules:\n");
  int i;
  for (i = 0; i < array_n (rules); i++)
    {
      int id = array_fetch (int, rules, i);
      int globalId = array_fetch (int, tcpMgr->tcpIdToGlobalId, id);
      char *text = array_fetch (char *, tcpMgr->mgr->rawRules, globalId);
      printf ("Rule %s\n", text);
    }
  return 0;
}


/** \brief  Check content of an Eth packet.
  aL7CheckArray is an array of Rlp_L7Check_t *
*/

int
Evl_EthEvalL7RuleContentCheck (Pkt_EthernetHdr_t * anEth,
                   array_t * aL7CheckArray)
{
  Pkt_IpHdr_t *anIp = Pkt_EthernetExtractIp (anEth);

  char *textEnd = ((char *) anIp) + anIp->length;
  char *textStart;

  /// \todo change magic numbers
  if (anIp->protocol == 1)
    {
      // icmp packet
      Pkt_IcmpHdr_t *anIcmp = Pkt_IpExtractIcmp (anIp);
      textStart = ((char *) anIcmp) + sizeof (Pkt_IcmpHdr_t);
    }
  else if (anIp->protocol == 6)
    {
      // tcp packet
      Pkt_TcpHdr_t *aTcp = Pkt_IpExtractTcp (anIp);
      textStart = ((char *) aTcp) + 4 * aTcp->doff;
    }
  else if (anIp->protocol == 17)
    {
      // udp packet
      Pkt_UdpHdr_t *aUdp = Pkt_IpExtractUdp (anIp);
      textStart = ((char *) aUdp) + sizeof (Pkt_UdpHdr_t);
    }
  else
    {
      printf ("Unknown layer 4 protocol, bailing\n");
      // rather than crash, we circumvent content checks
      textStart = textEnd;
    }

  bool result = evalContentChecks (aL7CheckArray, textStart, textEnd);

  return result;
}


/** \brief  Check the tcp ack field on an ethernet packet */

static inline bool
EthEvalAck (Pkt_EthernetHdr_t * anEth, Rlp_AckAttribute_t * ackAttrib)
{
  Pkt_IpHdr_t *ipPkt = Pkt_EthernetExtractIp (anEth);
  if (ipPkt->protocol != 6)
    {
      return true;      // defaults to true, since it's not an TCP pkt
    }
  Pkt_TcpHdr_t *tcpPkt = Pkt_IpExtractTcp (ipPkt);

  return (tcpPkt->ackNum == ackAttrib->ackValue);
}


/** \brief  Check  if we are to sample this entry.  */

static inline bool
EthEvalSample (Pkt_ProcessPkt_t * pp ,
           Rlp_SampleAttribute_t * sampleAttribute)
{
  double threshold = sampleAttribute->threshold;

  double trial = util_unit_rand ();

  if (trial < threshold)
    {
      return 1;
    }
  else
    {
      return 0;
    }
}


/** \brief  Check the originating interface */

static inline bool
EthEvalIf (Pkt_ProcessPkt_t * pp, Rlp_IfAttribute_t * ifAttribute)
{
  if (pp->inIf == NIL (Pkt_LibPcap_t))
    {
      // assuming that this is from synthetic traffic, so
      // return true
      return 1;
    }

  if (ifAttribute->interface != NIL (Pkt_LibPcap_t))
    {
      return (ifAttribute->interface == pp->inIf);
    }
  // ifAttribute->if has not been set, let's see if
  // we can set it now
  if (util_strequal (pp->inIf->interfaceName, ifAttribute->ifName))
    {
      // we have a match, so let's set the if field
      ifAttribute->interface = pp->inIf;
      return 1;
    }
  else
    {
      // we can't set ifAttribute->if, since we didn't have a match
      return 0;
    }
}


/**
  * \brief  Check the tcp seq field on an ethernet packet 
  * 
  * No check to see if the eth packet is infact a tcp packet.
  * 
  */

static inline bool
EthEvalSeq (Pkt_EthernetHdr_t * anEth, Rlp_SeqAttribute_t * seqAttrib)
{
  Pkt_IpHdr_t *ipPkt = Pkt_EthernetExtractIp (anEth);
  Pkt_TcpHdr_t *tcpPkt = Pkt_IpExtractTcp (ipPkt);

  return (tcpPkt->seqNum == seqAttrib->seqValue);
}


/**
  * \brief  Check tcp flags
  * 
  * Do not see if packet is actually a tcp packet
  * 
  */

static inline bool
EthEvalFlags (Pkt_EthernetHdr_t * anEthPkt,
          Rlp_FlagsAttribute_t * flagsAttribute)
{
  Pkt_IpHdr_t *ipPkt = Pkt_EthernetExtractIp (anEthPkt);
  Pkt_TcpHdr_t *tcpPkt = Pkt_IpExtractTcp (ipPkt);

  if (flagsAttribute->F != X_c)
    if (tcpPkt->fin != flagsAttribute->F)
      return false;

  if (flagsAttribute->S != X_c)
    if (tcpPkt->syn != flagsAttribute->S)
      return false;

  if (flagsAttribute->R != X_c)
    if (tcpPkt->rst != flagsAttribute->R)
      return false;

  if (flagsAttribute->P != X_c)
    if (tcpPkt->psh != flagsAttribute->P)
      return false;

  if (flagsAttribute->A != X_c)
    if (tcpPkt->ack != flagsAttribute->A)
      return false;

  if (flagsAttribute->U != X_c)
    if (tcpPkt->urg != flagsAttribute->U)
      return false;

  // not sure about the order or the meaning of the next two
  // related to cong window resizing and explicit congestion notification
  if (flagsAttribute->r_2 != X_c)
    if (tcpPkt->ece != flagsAttribute->r_2)
      return false;

  if (flagsAttribute->r_1 != X_c)
    if (tcpPkt->cwr != flagsAttribute->r_1)
      return false;

  return true;
}


/**
  * \brief  Check the type field in an ICMP packet encapsulated
  * in an ethernet frame.
  */

static inline bool
EthEvalItype (Pkt_EthernetHdr_t * anEthPkt,
          Rlp_ItypeAttribute_t * itypeAttrib)
{
  Pkt_IcmpHdr_t *icmpPkt = Pkt_EthernetExtractIcmp (anEthPkt);

  return (icmpPkt != NIL (Pkt_IcmpHdr_t)
      && icmpPkt->type == itypeAttrib->itype);
}


/**
  * \brief  Check the icmp code value on an ethernet packet, assumed
  * to encapsulate an icmp packet
  */

static inline bool
EthEvalIcode (Pkt_EthernetHdr_t * anEth,
          Rlp_IcodeAttribute_t * icodeAttribute)
{
  Pkt_IcmpHdr_t *icmpPkt = Pkt_EthernetExtractIcmp (anEth);

  return (icmpPkt->code == icodeAttribute->icode);
}


/**
  * \brief  Check the ip id value on an ethernet packet, assumed
  * to encapsulate an ip packet
  * 
  */

static inline bool
EthEvalId (Pkt_EthernetHdr_t * anEthPkt, Rlp_IdAttribute_t * idAttribute)
{
  Pkt_IpHdr_t *ipPkt = Pkt_EthernetExtractIp (anEthPkt);
  int protId = idAttribute->value;
  int pktId = ipPkt->id;
  if (idAttribute->lessThan)
    {
      return (pktId < protId);
    }
  else if (idAttribute->greaterThan)
    {
      return (pktId > protId);
    }
  else if (idAttribute->negated)
    {
      return (pktId != protId);
    }
  else
    {
      return (pktId == pktId);
    }
}


/**
  * \brief  Check the icmp id on an ethernet packet, assumed
  * to encapsulate an icmp packet
  * 
  */

static inline bool
EthEvalIcmpId (Pkt_EthernetHdr_t * anEth,
           Rlp_IcmpIdAttribute_t * icmpIdAttribute)
{
  Pkt_IcmpHdr_t *icmpPkt = Pkt_EthernetExtractIcmp (anEth);

  return (icmpPkt->un.echo.id == icmpIdAttribute->icmpId);
}


/**
  * \brief  Check the icmp seq value on an ethernet packet, assumed
  * to encapsulate an icmp packet
  */

static inline bool
EthEvalIcmpSeqId (Pkt_EthernetHdr_t * anEth,
          Rlp_IcmpSeqAttribute_t * icmpSeqAttribute)
{
  Pkt_IcmpHdr_t *icmpPkt = Pkt_EthernetExtractIcmp (anEth);

  return (icmpPkt->un.echo.sequence == icmpSeqAttribute->seqValue);
}


/**
  * \brief  Check the ipopts field on the ip packet encapsulated by
  * an ethernet packet
  * 
  * Options are rare, but we have to support them.
  * 
  */

static inline bool
EthEvalIpOpts (Pkt_EthernetHdr_t * anEth,
           Rlp_IpOptsAttribute_t * ipOptsAttrib)
{

  Pkt_IpHdr_t *ipPkt = Pkt_EthernetExtractIp (anEth);

  int headerLength = ipPkt->ihl * 4;    // the header length is in multiples of
  // 4 bytes

  /* test for IP options */
  int ipOptionsLen = headerLength - sizeof (Pkt_IpHdr_t);
  if (ipOptionsLen == 0)
    {
      // no options so we can just return false, there's no match on
      // the options field
      return false;
    }

  char *options = ((char *) ipPkt) + sizeof (Pkt_IpHdr_t);

  // we walk down the array of options, taking care to advance
  // the pointer appropriately because of the following:

  //    "Options 0 and 1 are exactly one
  //    octet which is their type field.  All other options have their one
  //    octet type field, followed by a one octet length field, followed by
  //    length-2 octets of option data."  

  int i;
  for (i = 0; i < ipOptionsLen; /* increment appropriately in loop */ )
    {
      u_int8_t type = options[i];
      if (type == 0)
    {
      // it's eol
      if (ipOptsAttrib->ipOpt == Rlp_eol_c)
        {
          return true;
        }
      else
        {
          i = i + 1;    // the eol field is just one byte, the type
        }
    }
      if (type == 1)
    {
      // it's nop
      if (ipOptsAttrib->ipOpt == Rlp_nop_c)
        {
          return true;
        }
      else
        {
          i = i + 1;    // the eol field is just one byte, the type
        }
    }
      if (type == 7)
    {
      // it's rr
      if (ipOptsAttrib->ipOpt == Rlp_rr_c)
        {
          return true;
        }
      else
        {
          i = i + 4;
        }
    }
      if (type == 68)
    {
      // it's ts
      if (ipOptsAttrib->ipOpt == Rlp_ts_c)
        {
          return true;
        }
      else
        {
          i = i + 4;
        }
    }
      if (type == 130)
    {
      // it's sec
      if (ipOptsAttrib->ipOpt == Rlp_sec_c)
        {
          return true;
        }
      else
        {
          i = i + 4;
        }
    }
      if (type == 131)
    {
      // it's lsrr
      if (ipOptsAttrib->ipOpt == Rlp_lsrr_c)
        {
          return true;
        }
      else
        {
          i = i + 4;
        }
    }
      if (type == 137)
    {
      // it's ssrr
      if (ipOptsAttrib->ipOpt == Rlp_ssrr_c)
        {
          return true;
        }
      else
        {
          i = i + 4;
        }
    }
      if (type == 136)
    {
      // it's stream id
      if (ipOptsAttrib->ipOpt == Rlp_satid_c)
        {
          return true;
        }
      else
        {
          i = i + 4;
        }
    }
      // if we hit an unrecognized option, we'll stay in the loop forever,
      // unles we do something - so we jsut return true

      /// \todo Understand exactly what the desired behavior should be
      if (!
      ((type == 0) || (type == 1) || (type == 7) || (type == 68)
       || (type == 130) || (type == 131) || (type == 137)
       || (type == 136)))
    {
      return true;
    }
    }
  return false;
}


/**
  * \brief  Check the dsize field on a packet
  */

static inline bool
EthEvalDsize (Pkt_EthernetHdr_t * anEthPkt,
          Rlp_DsizeAttribute_t * dsizeAttrib)
{
  Pkt_IpHdr_t *ipPkt = Pkt_EthernetExtractIp (anEthPkt);

  if (dsizeAttrib->greaterThan)
    {
      return (ipPkt->length > dsizeAttrib->dsize);
    }
  if (dsizeAttrib->lessThan)
    {
      return (ipPkt->length < dsizeAttrib->dsize);
    }
  return (ipPkt->length == dsizeAttrib->dsize);
}


/**
  * \brief  Check the Ttl field on a packet
  */

static inline bool
EthEvalTtl (Pkt_EthernetHdr_t * anEthPkt, Rlp_TtlAttribute_t * ttlAttrib)
{
  Pkt_IpHdr_t *ipPkt = Pkt_EthernetExtractIp (anEthPkt);

  if (ttlAttrib->greaterThan)
    {
      return (ipPkt->TTL > ttlAttrib->ttl);
    }
  if (ttlAttrib->lessThan)
    {
      return (ipPkt->TTL < ttlAttrib->ttl);
    }
  return (ipPkt->TTL == ttlAttrib->ttl);
}


/**
  * \brief  Check proto field
  * 
  */

static inline bool
EthEvalIpProto (Pkt_EthernetHdr_t * anEthPkt,
        Rlp_IpProtoAttribute_t * ipProtoAttribute)
{
  Pkt_IpHdr_t *ipPkt = Pkt_EthernetExtractIp (anEthPkt);
  int ruleProt = ipProtoAttribute->value;
  int pktProt = ipPkt->protocol;
  if (ipProtoAttribute->lessThan)
    {
      return (pktProt < ruleProt);
    }
  else if (ipProtoAttribute->greaterThan)
    {
      return (pktProt > ruleProt);
    }
  else if (ipProtoAttribute->negated)
    {
      return (pktProt != ruleProt);
    }
  else
    {
      return (ruleProt == pktProt);
    }
}


/**
  * \brief  Implement RPC checks
  * 
  * Peterson and Davie 
  * talk about these in Computer Networks, 2nd edition,
  * but the packet format is unclear.
  * 
  * There are very few rules with RPC checks.
  */

static inline bool
EthEvalRpc (Pkt_EthernetHdr_t * anEthPkt ,
        Rlp_RpcAttribute_t * rpcAttribute )
{
  printf ("Have not implemented RPC checks, returning fails\n");
  return 0;
}


/**
  * \brief  Check frag bits
  * 
  * Do not see if packet is actually an ip packet
  * 
  */

static inline bool
EthEvalFrag (Pkt_EthernetHdr_t * anEthPkt,
         Rlp_FragbitsAttribute_t * fragAttribute)
{
  Pkt_IpHdr_t *ipPkt = Pkt_EthernetExtractIp (anEthPkt);

  if (fragAttribute->MF != X_c)
    {
      if (ipPkt->MF != fragAttribute->MF)
    {
      return false;
    }
    }
  if (fragAttribute->DF != X_c)
    {
      if (ipPkt->DF != fragAttribute->DF)
    {
      return false;
    }
    }
  if (fragAttribute->RB != X_c)
    {
      if (ipPkt->RB != fragAttribute->RB)
    {
      return false;
    }
    }
  return true;

};


/**
  * \brief  Given an array_t or util_int_array_t of rules, return the subset that is applicable of
  * the given packet.
  * 
  * Result must be passed in, and be as long as there
  * are rules in the mgr.
  * 
  */

void
Evl_EvalRuleArray (Evl_L4Manager_t * mgr,
           Pkt_ProcessPkt_t * pp,
           array_t * ruleArray,
           util_int_array_t * ruleIntArray, array_t * result)
{
  int arrayLength;
  int index;
  int i;

  if (ruleArray != NIL (array_t))
    {
      arrayLength = array_n (ruleArray);
    }
  else if (ruleIntArray != NIL (util_int_array_t))
    {
      arrayLength = ruleIntArray->length;
    }
  else
    {
      return;
    }

  for (i = 0; i < arrayLength; i++)
    {
      if (ruleArray)
    {
      index = array_fetch (int, ruleArray, i);
    }
      else
    {
      index = ruleIntArray->entries[i];
    }
      Rlp_Formula_t *rlpFormula =
    array_fetch (Rlp_Formula_t *, mgr->L7RuleArray, index);
      array_t *l7CheckArray =
    array_fetch (array_t *, mgr->contentChecks, index);
      if (Evl_EthEvalL7Rule (pp, rlpFormula, l7CheckArray))
    {
      /** \todo confirm fix
      was inserting index, but should have converted it to the index
      from the global manager
      */
      // before: array_insert_last( int, result, index ); 
      int globalIndex = array_fetch (int, mgr->tcpIdToGlobalId, index);

      array_insert_last (int, result, globalIndex);
    }
    }
  return;
}


/**
  * \brief  Given text, defined by beginning and end pointers, and
  * an array of content checks, determine if the content
  * checks hold of the text.
  * 
  */

static bool
evalContentChecks (array_t * l7CheckArray, char *beginText, char *endText)
{
  char *lastMatch = beginText;
  char *current = beginText;
  int i;
  for (i = 0; i < array_n (l7CheckArray); i++)
    {
      Rlp_L7Check_t *aCheck = array_fetch (Rlp_L7Check_t *, l7CheckArray, i);
      if (aCheck->type == Rlp_L7ByteTestCheck_c)
    {
      if (!evalByteTest
          (beginText, current, endText, aCheck->entryData.byteTestCheck))
        {
          return false;
        }
      else
        {
          continue;
        }
    }
      else if (aCheck->type == Rlp_L7ByteJumpCheck_c)
    {
      current +=
        computeByteJump (beginText, current,
                 aCheck->entryData.byteJumpCheck);
      assert (current <= endText);  // not sure what's supposed to happen 
      // if the byte jump takes us past endText
      continue;
    }
      else if ((aCheck->type == Rlp_L7ContentCheck_c) ||
           (aCheck->type == Rlp_L7UriContentCheck_c))
    {
      // the evalContentCheck routine is responsible for updating the 
      // last match pointer and the current pointer
      if (!evalContentCheck
          (beginText, endText, &lastMatch, &current,
           aCheck->entryData.contentCheck))
        {
          return false;
        }
    }
      else
    {
      assert (aCheck->type == Rlp_L7PcreCheck_c);
      if (!evalPcreCheck
          (beginText, endText, aCheck->entryData.pcreCheck))
        {
          return false;
        }
    }
    }
  // all checks were met for us to get here, ergo
  // the check is true
  return true;
}


/**
    \brief  Given some text, check to see if the byte-test holds
    
    Given some text, check to see if the byte-test holds.
    
    The byte test structure is as follows:
  
<pre>
    struct Rlp_ByteTestStruct {
    int bytesToConvert;
    char check; // can be one of '<' , '<' , '=' , '!'
    int value; // value to test the converted value against
    int offset; // number of bytes into the payload to being processing
    bool relative; // use an offset relative to the last pattern match
    bool useLittleEndian; // default is big endian
    bool isString; // data is stored in string packet format
    bool isHex; // converted string data is represented in hex
    bool isDec; // converted string data is represented in decimal
    bool isOct; // converted string data is represented in oct
    };
    
    complete set of checks:
    
    byte_test:1,>,6,2
    byte_test:1,>,7,1
    byte_test:2,>,1024,0,relative,little
    byte_test:4,>,100,20,relative
    byte_test:4,>,1000,28,relative
    byte_test:4,>,1024,20,relative
    byte_test:4,>,128,20,relative
    byte_test:4,>,128,8,relative
    byte_test:4,>,512,16,relative
    byte_test:4,>,512,240,relative
    byte_test:5,>,256,0,string,dec,relative
</pre>
    
*/

static bool
evalByteTest (char *beginText,
          char *current,
          char *endText, Rlp_ByteTestCheck_t * byteTestCheck)
{
  char *convertTextFromHere;
  if (byteTestCheck->relative)
    {
      convertTextFromHere = current + byteTestCheck->offset;
    }
  else
    {
      convertTextFromHere = beginText + byteTestCheck->offset;
    }
  char tmpBuf[100];
  assert (byteTestCheck->bytesToConvert < 100);
  /** \todo need to figure out how to handle the useLittleEndian flag
  since default is big endian, and our machine is little endian
  for now we're ignoring this issue, will have to fix it
  */
  memcpy (tmpBuf, convertTextFromHere, byteTestCheck->bytesToConvert);
  tmpBuf[byteTestCheck->bytesToConvert] = '\0';

  int value;
  sscanf (tmpBuf, "%d", &value);
  if (byteTestCheck->check == '=')
    {
      return (value == byteTestCheck->value);
    }
  else if (byteTestCheck->check == '>')
    {
      return (value > byteTestCheck->value);
    }
  else if (byteTestCheck->check == '<')
    {
      return (value < byteTestCheck->value);
    }
  else
    {
      // unclear what ! means in the manual, and it's never used
      printf ("Unknown type of byteTestCheck operator: %c\n",
          byteTestCheck->check );
      assert (0);
    }

  // unreachable code
  assert (0);
  return false;
}


/**
  \brief  Compute the number of bytes to advance the current pointer by.
  
  *All uses: 
  
  <pre>
  byte_jump:4,12,relative,align
  byte_jump:4,20,relative,align
  byte_jump:4,4,relative,align
  </pre>
   
  Format
  
  byte_jump: <bytes_to_convert>, <offset> \
  [, [relative],[big],[little],[string],[hex],[dec],[oct],[align]]
  
*/

static int
computeByteJump (char *begin,
         char *current, Rlp_ByteJumpCheck_t * byteJumpCheck)
{
  char *start;
  int jumpAmount;

  if (byteJumpCheck->relative)
    {
      start = current;
    }
  else
    {
      start = begin;
    }

  start += byteJumpCheck->offset;
  if (byteJumpCheck->doAlign)
    {
      if ((((u_int32_t) start) & 0x3) == 0x0)
    {
      // already aligned, do nothing
    }
      else
    {
      // set the 2 lsb bits to 0, and add 4
      start = (char *) (((((u_int32_t) start) & (~(u_int32_t) 0x3))) + 4);
    }
    }

  char tmpBuf[100];

  assert (byteJumpCheck->bytesToConvert < 100);
  memcpy (tmpBuf, start, byteJumpCheck->bytesToConvert);
  tmpBuf[byteJumpCheck->bytesToConvert] = '\0';
  sscanf (tmpBuf, "%d", &jumpAmount);

  assert (jumpAmount >= 0);
  assert (jumpAmount <= 65536); // sanity check, largest ip packet

  return jumpAmount;
}


/** \brief Trivial function implementing logic xor, cleans up logic below */

static bool
myxor (bool A, bool B)
{
  if ((A && B) || ((!A) && (!B)))
    {
      return false;
    }
  return true;
}


/**
  * \brief  Perform core content check
  * 
  */

static bool
evalContentCheck (char *beginText,
          char *endText,
          char **lastMatchPtr,
          char **currentPtr, Rlp_ContentCheck_t * contentCheck)
{
  /// \todo Ignoring case for now.

  char *current = *currentPtr;
  char *tightEndText;

  if (contentCheck->offset != -1)
    {
      // it's a local variable, so we can change it safely
      beginText = beginText + contentCheck->offset;
    }
  if (contentCheck->depth != -1)
    {
      // it's a local variable, so we can change it safely
      // depth is from beginning, so we add it to begin text
      // tightEndText = util_strmin( endText, beginText + contentCheck->depth);
      endText = util_strmin (endText, beginText + contentCheck->depth);
    }

  char *relativeLower = 0;  // encodes the closest we should check rel to last match
  if (contentCheck->distance != -1)
    {
      // taking this to be relative to the END of the last match
      // the rule listed below maps to a regular expression of qwert.{1}uiop
      // alert tcp any any -> any any ("qwert"; content: "uiop"; distance: 1;)
      relativeLower = current + contentCheck->distance;
    }

  char *relativeHigher = &current[10000000];    // encode the farthest we should check rel to last match
  if (contentCheck->within != -1)
    {
      // taking this to be relative to the END of the last match
      relativeHigher = current + contentCheck->within;
    }

  // tighten as much as possible
  // char *startSearch = ( relativeLower > beginText ) ? relativeLower : beginText;
  char *startSearch = util_strmax (relativeLower, beginText);
  // char *endSearch = ( relativeHigher < endText ) ? relativeHigher : endText; 
  char *endSearch = util_strmin (relativeHigher, endText);

  // want to search for the target pattern in this range
  char *text;
  util_byte_array_t *pattern = contentCheck->content;

  /** \todo a test like ... content:"HTTP/1.1 403"; depth:12; 
     fails even when the packet starts with 
     HTTP/1.1 403

     this is because the for loop
     for ( i = startSearch; i < endSearch - pattern->length ; i++ ) {
     never starts, since startSearch == endSearch - pattern->length
     (because endSearch = startSearch + depth

     for ( i = startSearch; i < endSearch - pattern->length ; i++ ) {

     one fix is to check the entire range, inclusive, as below
   */

  int nocase = contentCheck->nocase;
  for (text = startSearch; text <= endSearch - pattern->length; text++)
    {

      // rememember memcmp returns 0 on match!
      // int match = !memcmp( i, pattern->bytes, pattern->length );
      bool match = true;
      int i;
      if (nocase == false)
    {
      for (i = 0; i < pattern->length; i++)
        {
          if (text[i] != pattern->bytes[i])
        {
          match = false;
          break;
        }
        }
    }
      else
    {
      for (i = 0; i < pattern->length; i++)
        {
          unsigned char t = my_isupper (text[i]) ?
        my_uppertolower (text[i]) : text[i];
          unsigned char p = my_isupper (pattern->bytes[i]) ?
        my_uppertolower (pattern->bytes[i]) : pattern->bytes[i];
          if (t != p)
        {
          match = false;
          break;
        }
        }
    }

      if (match)
    {
      /// \todo look at old logic again, seems incorrect:
      /// && !( contentCheck->negated ) ) ||
      ///    ( ( contentCheck->negated ) && !match ) ) {
      /// not sure if we're supposed to update the match pointers 
      /// on a negative match
      *lastMatchPtr = text;
      *currentPtr = text + pattern->length;
      return myxor (true, (contentCheck->negated));
    }
    }
  return myxor (false, (contentCheck->negated));
}


/**
  * \brief  Given an ethernet packet and a layer 7 rule, determine 
  * if the rule holds of the packet.
  * 
  * Pass in an array of Rlp_L7Check_t for the content check;
  * if it's NIL there are no content checks.
  */

bool
Evl_EthEvalL7Rule (Pkt_ProcessPkt_t * pp,
           Rlp_Formula_t * aL7Formula, array_t * aL7CheckArray)
{
  Pkt_EthernetHdr_t *anEth = pp->pkt;
  Rlp_Formula_t *walkFormula = aL7Formula;
  Rlp_Formula_t *componentFormula;

  while (walkFormula != NIL (Rlp_Formula_t))
    {
      componentFormula = car (walkFormula);
      switch (componentFormula->type)
    {
    case Rlp_Ack_c:
      {
        Rlp_AckAttribute_t *ackAttribute =
          (Rlp_AckAttribute_t *) cdr (componentFormula);
        if (!EthEvalAck (anEth, ackAttribute))
          {         // implemented
        return false;
          }
        walkFormula = cdr (walkFormula);
        break;
      }
    case Rlp_Sameip_c:
      {
        if (!EthEvalSameIp (anEth))
          {         // implemented
        return false;
          }
        walkFormula = cdr (walkFormula);
        break;
      }
    case Rlp_Seq_c:
      {
        Rlp_SeqAttribute_t *seqAttribute =
          (Rlp_SeqAttribute_t *) cdr (componentFormula);
        if (!EthEvalSeq (anEth, seqAttribute))
          {         // implemented
        return false;
          }
        walkFormula = cdr (walkFormula);
        break;
      }
    case Rlp_Flags_c:
      {
        Rlp_FlagsAttribute_t *flagsAttribute =
          (Rlp_FlagsAttribute_t *) cdr (componentFormula);
        if (!EthEvalFlags (anEth, flagsAttribute))
          {
        return false;
          }
        walkFormula = cdr (walkFormula);
        break;
      }
    case Rlp_Fragbits_c:
      {
        Rlp_FragbitsAttribute_t *fragAttribute =
          (Rlp_FragbitsAttribute_t *) cdr (componentFormula);
        if (!EthEvalFrag (anEth, fragAttribute))
          {
        return false;
          }
        walkFormula = cdr (walkFormula);
        break;
      }
    case Rlp_Icmp_Id_c:
      {
        Rlp_IcmpIdAttribute_t *icmpIdAttribute =
          (Rlp_IcmpIdAttribute_t *) cdr (componentFormula);
        if (!EthEvalIcmpId (anEth, icmpIdAttribute))
          {
        return false;
          }
        walkFormula = cdr (walkFormula);
        break;
      }
    case Rlp_Icmp_Seq_c:
      {
        Rlp_IcmpSeqAttribute_t *icmpSeqAttribute =
          (Rlp_IcmpSeqAttribute_t *) cdr (componentFormula);
        if (!EthEvalIcmpSeqId (anEth, icmpSeqAttribute))
          {
        return false;
          }
        walkFormula = cdr (walkFormula);
        break;
      }
    case Rlp_Icode_c:
      {
        Rlp_IcodeAttribute_t *icodeAttribute =
          (Rlp_IcodeAttribute_t *) cdr (componentFormula);
        if (!EthEvalIcode (anEth, icodeAttribute))
          {
        return false;
          }
        walkFormula = cdr (walkFormula);
        break;
      }
    case Rlp_Id_c:
      {
        Rlp_IdAttribute_t *idAttribute =
          (Rlp_IdAttribute_t *) cdr (componentFormula);
        if (!EthEvalId (anEth, idAttribute))
          {
        return false;
          }
        walkFormula = cdr (walkFormula);
        break;
      }
    case Rlp_IpOpts_c:
      {
        Rlp_IpOptsAttribute_t *ipOptsAttribute =
          (Rlp_IpOptsAttribute_t *) cdr (componentFormula);
        if (!EthEvalIpOpts (anEth, ipOptsAttribute))
          {
        return false;
          }
        walkFormula = cdr (walkFormula);
        break;
      }
    case Rlp_Ip_Proto_c:
      {
        Rlp_IpProtoAttribute_t *ipProtoAttribute =
          (Rlp_IpProtoAttribute_t *) cdr (componentFormula);
        if (!EthEvalIpProto (anEth, ipProtoAttribute))
          {
        return false;
          }
        walkFormula = cdr (walkFormula);
        break;
      }
    case Rlp_Itype_c:
      {
        Rlp_ItypeAttribute_t *itypeAttribute =
          (Rlp_ItypeAttribute_t *) cdr (componentFormula);
        if (!EthEvalItype (anEth, itypeAttribute))
          {
        return false;
          }
        walkFormula = cdr (walkFormula);
        break;
      }

    case Rlp_Dsize_c:
      {
        Rlp_DsizeAttribute_t *dsizeAttribute =
          (Rlp_DsizeAttribute_t *) cdr (componentFormula);
        if (!EthEvalDsize (anEth, dsizeAttribute))
          {
        return false;
          }
        walkFormula = cdr (walkFormula);
        break;
      }
    case Rlp_Ttl_c:
      {
        Rlp_TtlAttribute_t *ttlAttribute =
          (Rlp_TtlAttribute_t *) cdr (componentFormula);
        if (!EthEvalTtl (anEth, ttlAttribute))
          {
        return false;
          }
        walkFormula = cdr (walkFormula);
        break;
      }
    case Rlp_Sample_c:
      {
        Rlp_SampleAttribute_t *sampleAttribute =
          (Rlp_SampleAttribute_t *) cdr (componentFormula);
        if (!EthEvalSample (pp, sampleAttribute))
          {
        return false;
          }
        walkFormula = cdr (walkFormula);
        break;
      }
    case Rlp_Interface_c:
      {
        Rlp_IfAttribute_t *ifAttribute =
          (Rlp_IfAttribute_t *) cdr (componentFormula);
        if (!EthEvalIf (pp, ifAttribute))
          {
        return false;
          }
        walkFormula = cdr (walkFormula);
        break;
      }
    case Rlp_Rpc_c:
      {
        Rlp_RpcAttribute_t *rpcAttribute =
          (Rlp_RpcAttribute_t *) cdr (componentFormula);
        if (!EthEvalRpc (anEth, rpcAttribute))
          {
        return false;
          }
        walkFormula = cdr (walkFormula);
        break;
      }
    case Rlp_Nocase_c:
    case Rlp_Within_c:
    case Rlp_Distance_c:
    case Rlp_Content_c:
    case Rlp_Uricontent_c:
    case Rlp_Depth_c:
    case Rlp_Offset_c:
    case Rlp_Byte_Jump_c:
    case Rlp_Byte_Test_c:
    case Rlp_Pcre_c:
      // the content checker is repsonsible for looking at these
      // and advancing through the list appropriately
      walkFormula = cdr (walkFormula);
      break;
    default:
      printf ("Illegal formula type, bailing\n");
      assert (0);
    }
    }

  if ((aL7CheckArray != NIL (array_t)) && (array_n (aL7CheckArray) != 0))
    {
      return Evl_EthEvalL7RuleContentCheck (anEth, aL7CheckArray);
    }
  else
    {
      return true;      // there are no content checks, and all other checks 
      // must have been true for us to get here
    }
}


/** \brief Pcre check */

static int
evalPcreCheck (char *beginText, char *endText, Rlp_PcreCheck_t * pcreCheck)
{
  int length = endText - beginText;
  int ovector[30];
  int rc = pcre_exec (pcreCheck->re,    // result of pcre_compile() 
              NULL, // we didn’t study the pattern 
              beginText,    // the subject string 
              length,   // the length of the subject string 
              0,    // start at offset 0 in the subject
              0,    // default options 
              ovector,  // vector for substring information 
              30);  // number of elements in the vector

  if (PCRE_ERROR_NOMATCH == rc)
    {
      return false;
    }
  else
    {
      return true;
    }
}


/** \brief Allocate or reset the arrays used for storing rules */

static void
updateL4RuleArrays (Evl_L4Manager_t * l4mgr)
{
  if (l4mgr->potentialRulesFromFsm == NIL (array_t))
    {
      // cannot just use the number of rules from 
      // the manager passed in, since that's
      // for the tcp/udp/other subset of rules
      Evl_Manager_t *globalMgr = l4mgr->mgr;
      int maxNumOfPossibleRules = globalMgr->numAllRules;
      // allocate all in one shot
      l4mgr->potentialRulesFromFsm = array_alloc (int, maxNumOfPossibleRules);
      l4mgr->rulesFromFsm = array_alloc (int, maxNumOfPossibleRules);
      l4mgr->rulesFromShortStringTable =
    array_alloc (int, maxNumOfPossibleRules);
      l4mgr->rulesFromNoContentTable =
    array_alloc (int, maxNumOfPossibleRules);
    }
  else
    {               // have already entered this function
      array_reset (l4mgr->potentialRulesFromFsm);
      array_reset (l4mgr->rulesFromFsm);
      array_reset (l4mgr->rulesFromShortStringTable);
      array_reset (l4mgr->rulesFromNoContentTable);
    }
}


/** \brief Update the L3 rules arrays */

static void
updateL3RuleArrays (Evl_Manager_t * mgr)
{
  if (mgr->layer3Result == NIL (array_t))
    {
      // cannot just use the number of rules from 
      // the manager passed in, since that's
      // for the tcp/udp/other subset of rules
      int maxNumOfPossibleRules = mgr->numAllRules;
      // allocate all in one shot
      mgr->preprocessorResult = array_alloc (int, maxNumOfPossibleRules);
      mgr->genericResult = array_alloc (int, maxNumOfPossibleRules);
      mgr->layer3Result = array_alloc (int, maxNumOfPossibleRules);
      mgr->layer4Result = array_alloc (int, maxNumOfPossibleRules);
    }
  else
    {               // have already entered this function
      array_reset (mgr->preprocessorResult);
      array_reset (mgr->genericResult);
      array_reset (mgr->layer3Result);
      array_reset (mgr->layer4Result);
    }
}


/** \brief Perform preprocessing actions. */

int
Evl_Preprocess (Evl_L4Manager_t * preprocessorMgr, Pkt_ProcessPkt_t * pp)
{
  int i;
  Evl_L4ComputeRuleSetForEth (pp, preprocessorMgr,
                  preprocessorMgr->mgr->preprocessorResult);
  for (i = 0; i < array_n (preprocessorMgr->mgr->preprocessorResult); i++)
    {
      int ruleId =
    array_fetch (int, preprocessorMgr->mgr->preprocessorResult, i);
      int globalIndex =
    array_fetch (int, preprocessorMgr->tcpIdToGlobalId, ruleId);
      Evl_Action_t *action =
    array_fetch (Evl_Action_t *, preprocessorMgr->mgr->actionArray,
             globalIndex);
      Evl_DoAction (action, preprocessorMgr->mgr, NIL (Evl_Bridge_t), pp);
    }
  return 0;
}