Move all of the rule matching code to zeek::detail

src/Conn.cc

@@ -449,7 +449,8 @@ static inline bool is_version_sep(const char* s, const char* end)
 			isspace(s[0]);
 	}
 
-void Connection::Match(Rule::PatternType type, const u_char* data, int len, bool is_orig, bool bol, bool eol, bool clear_state)
+void Connection::Match(zeek::detail::Rule::PatternType type, const u_char* data, int len,
+                       bool is_orig, bool bol, bool eol, bool clear_state)
 	{
 	if ( primary_PIA )
 		primary_PIA->Match(type, data, len, is_orig, bol, eol, clear_state);

src/Conn.h

@@ -25,11 +25,11 @@ class Connection;
 class ConnectionTimer;
 class NetSessions;
 class LoginConn;
-class RuleHdrTest;
 class Specific_RE_Matcher;
-class RuleEndpointState;
 class EncapsulationStack;
 
+ZEEK_FORWARD_DECLARE_NAMESPACED(RuleEndpointState, zeek::detail);
+ZEEK_FORWARD_DECLARE_NAMESPACED(RuleHdrTest, zeek::detail);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Val, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(RecordVal, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(TransportLayerAnalyzer, zeek, analyzer);
@@ -179,7 +179,7 @@ public:
 
 	LoginConn* AsLoginConn()		{ return login_conn; }
 
-	void Match(Rule::PatternType type, const u_char* data, int len,
+	void Match(zeek::detail::Rule::PatternType type, const u_char* data, int len,
 	           bool is_orig, bool bol, bool eol, bool clear_state);
 
 	/**

src/Rule.cc

@@ -5,6 +5,8 @@
 #include "RuleCondition.h"
 #include "RuleMatcher.h"
 
+namespace zeek::detail {
+
 // Start at one as we want search for this within a list,
 // and List's is_member returns zero for non-membership ...
 unsigned int Rule::rule_counter = 1;
@@ -99,3 +101,5 @@ void Rule::SortHdrTests()
 	// FIXME: Do nothing for now - we may want to come up with
 	// something clever here.
 	}
+
+} // namespace zeek::detail

src/Rule.h

@@ -9,10 +9,13 @@
 #include <limits.h>
 #include <stdint.h>
 
-class RuleCondition;
+ZEEK_FORWARD_DECLARE_NAMESPACED(RuleCondition, zeek::detail);
-class RuleAction;
+ZEEK_FORWARD_DECLARE_NAMESPACED(RuleAction, zeek::detail);
-class RuleHdrTest;
+ZEEK_FORWARD_DECLARE_NAMESPACED(RuleHdrTest, zeek::detail);
-class Rule;
+ZEEK_FORWARD_DECLARE_NAMESPACED(RuleMatcher, zeek::detail);
+ZEEK_FORWARD_DECLARE_NAMESPACED(Rule, zeek::detail);
+
+namespace zeek::detail {
 
 using rule_list = zeek::PList<Rule>;
 using rule_dict = std::map<std::string, Rule*>;
@@ -107,3 +110,9 @@ private:
 	// Array of rules indexed by payloadid.
 	static rule_list rule_table;
 	};
+
+} // namespace zeek::detail
+
+using Rule [[deprecated("Remove in v4.1. Use zeek::detail::Rule.")]] = zeek::detail::Rule;
+using rule_list [[deprecated("Remove in v4.1. Use zeek::detail::rule_list.")]] = zeek::detail::rule_list;
+using rule_dict [[deprecated("Remove in v4.1. Use zeek::detail::rule_dict.")]] = zeek::detail::rule_dict;

src/RuleAction.cc

@@ -12,6 +12,8 @@ using std::string;
 
 #include "analyzer/Manager.h"
 
+namespace zeek::detail {
+
 RuleActionEvent::RuleActionEvent(const char* arg_msg)
 	{
 	msg = copy_string(arg_msg);
@@ -124,3 +126,5 @@ void RuleActionDisable::PrintDebug()
 	fprintf(stderr, "  RuleActionDisable: ");
 	RuleActionAnalyzer::PrintDebug();
 	}
+
+} // namespace zeek::detail

src/RuleAction.h

@@ -6,8 +6,10 @@
 
 #include <sys/types.h> // for u_char
 
-class Rule;
+ZEEK_FORWARD_DECLARE_NAMESPACED(Rule, zeek::detail);
-class RuleEndpointState;
+ZEEK_FORWARD_DECLARE_NAMESPACED(RuleEndpointState, zeek::detail);
+
+namespace zeek::detail {
 
 // Base class of all rule actions.
 class RuleAction {
@@ -96,3 +98,12 @@ public:
 
 	void PrintDebug() override;
 };
+
+} // namespace zeek::detail
+
+using RuleAction [[deprecated("Remove in v4.1. Use zeek::detail::RuleAction.")]] = zeek::detail::RuleAction;
+using RuleActionEvent [[deprecated("Remove in v4.1. Use zeek::detail::RuleActionEvent.")]] = zeek::detail::RuleActionEvent;
+using RuleActionMIME [[deprecated("Remove in v4.1. Use zeek::detail::RuleActionMIME.")]] = zeek::detail::RuleActionMIME;
+using RuleActionAnalyzer [[deprecated("Remove in v4.1. Use zeek::detail::RuleActionAnalyzer.")]] = zeek::detail::RuleActionAnalyzer;
+using RuleActionEnable [[deprecated("Remove in v4.1. Use zeek::detail::RuleActionEnable.")]] = zeek::detail::RuleActionEnable;
+using RuleActionDisable [[deprecated("Remove in v4.1. Use zeek::detail::RuleActionDisable.")]] = zeek::detail::RuleActionDisable;

src/RuleCondition.cc

@@ -20,6 +20,8 @@ static inline bool is_established(const analyzer::tcp::TCP_Endpoint* e)
 	       e->state != analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT;
 	}
 
+namespace zeek::detail {
+
 bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state,
 					const u_char* data, int len)
 	{
@@ -28,7 +30,7 @@ bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state,
 	if ( ! root || ! root->IsAnalyzer("TCP") )
 		return false;
 
-	analyzer::tcp::TCP_Analyzer* ta = static_cast<analyzer::tcp::TCP_Analyzer*>(root);
+	::analyzer::tcp::TCP_Analyzer* ta = static_cast<::analyzer::tcp::TCP_Analyzer*>(root);
 
 	if ( tcpstates & STATE_STATELESS )
 		return true;
@@ -196,3 +198,5 @@ void RuleConditionEval::PrintDebug()
 	{
 	fprintf(stderr, "	RuleConditionEval: %s\n", id->Name());
 	}
+
+} // namespace zeek::detail

src/RuleCondition.h

@@ -4,11 +4,12 @@
 #include <sys/types.h> // for u_char
 #include "util.h"
 
-class Rule;
+ZEEK_FORWARD_DECLARE_NAMESPACED(RuleEndpointState, zeek::detail);
-class RuleEndpointState;
+ZEEK_FORWARD_DECLARE_NAMESPACED(Rule, zeek::detail);
-
 ZEEK_FORWARD_DECLARE_NAMESPACED(ID, zeek::detail);
 
+namespace zeek::detail {
+
 // Base class for all rule conditions except patterns and "header".
 class RuleCondition {
 public:
@@ -115,3 +116,12 @@ public:
 private:
 	zeek::detail::ID* id;
 };
+
+} // namespace zeek::detail
+
+using RuleCondition [[deprecated("Remove in v4.1. Use zeek::detail::RuleCondition.")]] = zeek::detail::RuleCondition;
+using RuleConditionTCPState [[deprecated("Remove in v4.1. Use zeek::detail::RuleConditionTCPState.")]] = zeek::detail::RuleConditionTCPState;
+using RuleConditionIPOptions [[deprecated("Remove in v4.1. Use zeek::detail::RuleConditionIPOptions.")]] = zeek::detail::RuleConditionIPOptions;
+using RuleConditionSameIP [[deprecated("Remove in v4.1. Use zeek::detail::RuleConditionSameIP.")]] = zeek::detail::RuleConditionSameIP;
+using RuleConditionPayloadSize [[deprecated("Remove in v4.1. Use zeek::detail::RuleConditionPayloadSize.")]] = zeek::detail::RuleConditionPayloadSize;
+using RuleConditionEval [[deprecated("Remove in v4.1. Use zeek::detail::RuleConditionEval.")]] = zeek::detail::RuleConditionEval;

src/RuleMatcher.cc

@@ -25,6 +25,8 @@
 
 using namespace std;
 
+namespace zeek::detail {
+
 // FIXME: Things that are not fully implemented/working yet:
 //
 //		  - "ip-options" always evaluates to false
@@ -183,7 +185,7 @@ void RuleHdrTest::PrintDebug()
 
 RuleEndpointState::RuleEndpointState(zeek::analyzer::Analyzer* arg_analyzer, bool arg_is_orig,
 					  RuleEndpointState* arg_opposite,
-					  analyzer::pia::PIA* arg_PIA)
+					  ::analyzer::pia::PIA* arg_PIA)
 	{
 	payload_size = -1;
 	analyzer = arg_analyzer;
@@ -739,7 +741,7 @@ RuleMatcher::MIME_Matches* RuleMatcher::Match(RuleFileMagicState* state,
 RuleEndpointState* RuleMatcher::InitEndpoint(zeek::analyzer::Analyzer* analyzer,
                                              const zeek::IP_Hdr* ip, int caplen,
                                              RuleEndpointState* opposite,
-                                             bool from_orig, analyzer::pia::PIA* pia)
+                                             bool from_orig, ::analyzer::pia::PIA* pia)
 	{
 	RuleEndpointState* state =
 		new RuleEndpointState(analyzer, from_orig, opposite, pia);
@@ -1418,7 +1420,7 @@ uint32_t id_to_uint(const char* id)
 	}
 
 void RuleMatcherState::InitEndpointMatcher(zeek::analyzer::Analyzer* analyzer, const zeek::IP_Hdr* ip,
-                                           int caplen, bool from_orig, analyzer::pia::PIA* pia)
+                                           int caplen, bool from_orig, ::analyzer::pia::PIA* pia)
 	{
 	if ( ! rule_matcher )
 		return;
@@ -1492,3 +1494,5 @@ void RuleMatcherState::ClearMatchState(bool orig)
 	else if ( resp_match_state )
 		rule_matcher->ClearEndpointState(resp_match_state);
 	}
+
+} // namespace zeek::detail

src/RuleMatcher.h

@@ -19,7 +19,7 @@
 
 extern void rules_error(const char* msg);
 extern void rules_error(const char* msg, const char* addl);
-extern void rules_error(Rule* id, const char* msg);
+extern void rules_error(zeek::detail::Rule* id, const char* msg);
 extern int rules_lex(void);
 extern int rules_parse(void);
 extern "C" int rules_wrap(void);
@@ -31,9 +31,8 @@ class BroFile;
 class IntSet;
 class RE_Match_State;
 class Specific_RE_Matcher;
-class RuleMatcher;
-extern RuleMatcher* rule_matcher;
 
+ZEEK_FORWARD_DECLARE_NAMESPACED(RuleMatcher, zeek::detail);
 ZEEK_FORWARD_DECLARE_NAMESPACED(IP_Hdr, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(IPPrefix, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Val, zeek);
@@ -43,6 +42,10 @@ namespace analyzer {
 	namespace pia { class PIA; }
 }
 
+namespace zeek::detail {
+
+extern RuleMatcher* rule_matcher;
+
 // RuleHdrTest and associated things:
 
 // Given a header expression like "ip[offset:len] & mask = val", we parse
@@ -151,7 +154,7 @@ public:
 	// Returns -1 if no chunk has been fed yet at all.
 	int PayloadSize()	{ return payload_size; }
 
-	analyzer::pia::PIA* PIA() const	{ return pia; }
+	::analyzer::pia::PIA* PIA() const	{ return pia; }
 
 private:
 	friend class RuleMatcher;
@@ -159,7 +162,7 @@ private:
 	// Constructor is private; use RuleMatcher::InitEndpoint()
 	// for creating an instance.
 	RuleEndpointState(zeek::analyzer::Analyzer* arg_analyzer, bool arg_is_orig,
-			  RuleEndpointState* arg_opposite, analyzer::pia::PIA* arg_PIA);
+	                  RuleEndpointState* arg_opposite, ::analyzer::pia::PIA* arg_PIA);
 
 	struct Matcher {
 		RE_Match_State* state;
@@ -170,7 +173,7 @@ private:
 
 	zeek::analyzer::Analyzer* analyzer;
 	RuleEndpointState* opposite;
-	analyzer::pia::PIA* pia;
+	::analyzer::pia::PIA* pia;
 
 	matcher_list matchers;
 	rule_hdr_test_list hdr_tests;
@@ -252,7 +255,6 @@ public:
 	MIME_Matches* Match(RuleFileMagicState* state, const u_char* data,
 	                    uint64_t len, MIME_Matches* matches = nullptr) const;
 
-
 	/**
 	 * Resets a state object used with matching file magic signatures.
 	 * @param state The state object to reset to an initial condition.
@@ -265,7 +267,7 @@ public:
 	// it needs to be given.
 	RuleEndpointState* InitEndpoint(zeek::analyzer::Analyzer* analyzer, const zeek::IP_Hdr* ip,
 	                                int caplen, RuleEndpointState* opposite, bool is_orig,
-	                                analyzer::pia::PIA* pia);
+	                                ::analyzer::pia::PIA* pia);
 
 	// Finish matching for this stream.
 	void FinishEndpoint(RuleEndpointState* state);
@@ -374,7 +376,7 @@ public:
 
 	// ip may be nil.
 	void InitEndpointMatcher(zeek::analyzer::Analyzer* analyzer, const zeek::IP_Hdr* ip,
-	                         int caplen, bool from_orig, analyzer::pia::PIA* pia = nullptr);
+	                         int caplen, bool from_orig, ::analyzer::pia::PIA* pia = nullptr);
 
 	// bol/eol should be set to false for type Rule::PAYLOAD; they're
 	// deduced automatically.
@@ -391,3 +393,20 @@ private:
 	RuleEndpointState* orig_match_state;
 	RuleEndpointState* resp_match_state;
 };
+
+} // namespace zeek::detail
+
+using Range [[deprecated("Remove in v4.1. Use zeek::detail::Range.")]] = zeek::detail::Range;
+using MaskedValue [[deprecated("Remove in v4.1. Use zeek::detail::MaskedValue.")]] = zeek::detail::MaskedValue;
+using RuleHdrTest [[deprecated("Remove in v4.1. Use zeek::detail::RuleHdrTest.")]] = zeek::detail::RuleHdrTest;
+using RuleEndpointState [[deprecated("Remove in v4.1. Use zeek::detail::RuleEndpointState.")]] = zeek::detail::RuleEndpointState;
+using RuleFileMagicState [[deprecated("Remove in v4.1. Use zeek::detail::RuleFileMagicState.")]] = zeek::detail::RuleFileMagicState;
+using RuleMatcher [[deprecated("Remove in v4.1. Use zeek::detail::RuleMatcher.")]] = zeek::detail::RuleMatcher;
+using RuleMatcherState [[deprecated("Remove in v4.1. Use zeek::detail::RuleMatcherState.")]] = zeek::detail::RuleMatcherState;
+
+using maskedvalue_list [[deprecated("Remove in v4.1. Use zeek::detail::maskedvalue_list.")]] = zeek::detail::maskedvalue_list;
+using string_list [[deprecated("Remove in v4.1. Use zeek::detail::string_list.")]] = zeek::detail::string_list;
+using bstr_list [[deprecated("Remove in v4.1. Use zeek::detail::bstr_list.")]] = zeek::detail::bstr_list;
+using rule_hdr_test_list [[deprecated("Remove in v4.1. Use zeek::detail::rule_hdr_test_list.")]] = zeek::detail::rule_hdr_test_list;
+
+extern zeek::detail::RuleMatcher*& rule_matcher [[deprecated("Remove in v4.1. Use zeek::detail::rule_matcher.")]];

src/Stats.cc

@@ -168,10 +168,10 @@ void ProfileLogger::Log()
 		Reassembler::TotalMemoryAllocation() / 1024));
 
 	// Signature engine.
-	if ( expensive && rule_matcher )
+	if ( expensive && zeek::detail::rule_matcher )
 		{
-		RuleMatcher::Stats stats;
+		zeek::detail::RuleMatcher::Stats stats;
-		rule_matcher->GetStats(&stats);
+		zeek::detail::rule_matcher->GetStats(&stats);
 
 		file->Write(fmt("%06f RuleMatcher: matchers=%d nfa_states=%d dfa_states=%d "
 			"ncomputed=%d mem=%dK\n", network_time, stats.matchers,

src/analyzer/Analyzer.h

@@ -19,8 +19,8 @@
 class BroFile;
 using BroFilePtr = zeek::IntrusivePtr<BroFile>;
 
-class Rule;
 class Connection;
+ZEEK_FORWARD_DECLARE_NAMESPACED(Rule, zeek::detail);
 ZEEK_FORWARD_DECLARE_NAMESPACED(IP_Hdr, zeek);
 
 namespace zeek {
@@ -304,14 +304,14 @@ public:
 	 * If this analyzer was activated by a signature match, this returns
 	 * the signature that did so. Returns null otherwise.
 	 */
-	const Rule* Signature() const		{ return signature; }
+	const zeek::detail::Rule* Signature() const		{ return signature; }
 
 	/**
 	 * Sets the signature that activated this analyzer, if any.
 	 *
 	 * @param sig The signature.
 	 */
-	void SetSignature(const Rule* sig)	{ signature = sig; }
+	void SetSignature(const zeek::detail::Rule* sig)	{ signature = sig; }
 
 	/**
 	 * Signals the analyzer to skip all further input processsing. The \a
@@ -732,7 +732,7 @@ private:
 
 	Connection* conn;
 	Analyzer* parent;
-	const Rule* signature;
+	const zeek::detail::Rule* signature;
 	OutputHandler* output_handler;
 
 	analyzer_list children;

src/analyzer/protocol/file/File.cc

@@ -72,7 +72,7 @@ void File_Analyzer::Done()
 
 void File_Analyzer::Identify()
 	{
-	RuleMatcher::MIME_Matches matches;
+	zeek::detail::RuleMatcher::MIME_Matches matches;
 	file_mgr->DetectMIME(reinterpret_cast<const u_char*>(buffer), buffer_len,
 	                     &matches);
 	std::string match = matches.empty() ? "<unknown>"

src/analyzer/protocol/finger/Finger.cc

@@ -74,7 +74,7 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
 				zeek::make_intrusive<zeek::StringVal>(end_of_line - host, host)
 			);
 
-		Conn()->Match(Rule::FINGER, (const u_char *) line,
+		Conn()->Match(zeek::detail::Rule::FINGER, (const u_char *) line,
 		              end_of_line - line, true, true, true, true);
 
 		did_deliver = 1;

src/analyzer/protocol/ftp/FTP.cc

@@ -109,8 +109,8 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 			     "AUTH", cmd_len) == 0 )
 			auth_requested = std::string(line, end_of_line - line);
 
-		if ( rule_matcher )
+		if ( zeek::detail::rule_matcher )
-			Conn()->Match(Rule::FTP, (const u_char *) cmd,
+			Conn()->Match(zeek::detail::Rule::FTP, (const u_char *) cmd,
 			              end_of_line - cmd, true, true, true, true);
 		}
 	else

src/analyzer/protocol/http/HTTP.cc

@@ -218,9 +218,9 @@ void HTTP_Entity::DeliverBodyClear(int len, const char* data, bool trailing_CRLF
 	if ( deliver_body )
 		MIME_Entity::Deliver(len, data, trailing_CRLF);
 
-	Rule::PatternType rule =
+	zeek::detail::Rule::PatternType rule =
 		http_message->IsOrig() ?
-			Rule::HTTP_REQUEST_BODY : Rule::HTTP_REPLY_BODY;
+			zeek::detail::Rule::HTTP_REQUEST_BODY : zeek::detail::Rule::HTTP_REPLY_BODY;
 
 	http_message->MyHTTP_Analyzer()->Conn()->
 		Match(rule, (const u_char*) data, len,
@@ -1244,7 +1244,7 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
 
 	request_method = zeek::make_intrusive<zeek::StringVal>(end_of_method - line, line);
 
-	Conn()->Match(Rule::HTTP_REQUEST,
+	Conn()->Match(zeek::detail::Rule::HTTP_REQUEST,
 			(const u_char*) unescaped_URI->AsString()->Bytes(),
 			unescaped_URI->AsString()->Len(), true, true, true, true);
 
@@ -1618,9 +1618,9 @@ void HTTP_Analyzer::HTTP_Header(bool is_orig, mime::MIME_Header* h)
 
 	if ( http_header )
 		{
-		Rule::PatternType rule =
+		zeek::detail::Rule::PatternType rule =
-			is_orig ?  Rule::HTTP_REQUEST_HEADER :
+			is_orig ?  zeek::detail::Rule::HTTP_REQUEST_HEADER :
-					Rule::HTTP_REPLY_HEADER;
+					zeek::detail::Rule::HTTP_REPLY_HEADER;
 
 		zeek::data_chunk_t hd_name = h->get_name();
 		zeek::data_chunk_t hd_value = h->get_value();

src/analyzer/protocol/icmp/ICMP.cc

@@ -78,7 +78,7 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
 
 	Conn()->SetLastTime(current_timestamp);
 
-	if ( rule_matcher )
+	if ( zeek::detail::rule_matcher )
 		{
 		if ( ! matcher_state.MatcherInitialized(is_orig) )
 			matcher_state.InitEndpointMatcher(this, ip, len, is_orig, nullptr);
@@ -113,8 +113,8 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
 	if ( caplen >= len )
 		ForwardPacket(len, data, is_orig, seq, ip, caplen);
 
-	if ( rule_matcher )
+	if ( zeek::detail::rule_matcher )
-		matcher_state.Match(Rule::PAYLOAD, data, len, is_orig,
+		matcher_state.Match(zeek::detail::Rule::PAYLOAD, data, len, is_orig,
 		                    false, false, true);
 	}
 

src/analyzer/protocol/icmp/ICMP.h

@@ -87,7 +87,7 @@ protected:
 	int code;
 	int request_len, reply_len;
 
-	RuleMatcherState matcher_state;
+	zeek::detail::RuleMatcherState matcher_state;
 
 private:
 	void UpdateEndpointVal(const zeek::ValPtr& endp, bool is_orig);

src/analyzer/protocol/pia/PIA.cc

@@ -113,39 +113,39 @@ void PIA::PIA_DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t
 	DoMatch(data, len, is_orig, true, false, false, ip);
 
 	if ( clear_state )
-		RuleMatcherState::ClearMatchState(is_orig);
+		zeek::detail::RuleMatcherState::ClearMatchState(is_orig);
 
 	pkt_buffer.state = new_state;
 
 	current_packet.data = nullptr;
 	}
 
-void PIA::Match(Rule::PatternType type, const u_char* data, int len,
+void PIA::Match(zeek::detail::Rule::PatternType type, const u_char* data, int len,
                 bool is_orig, bool bol, bool eol, bool clear_state)
 	{
 	if ( ! MatcherInitialized(is_orig) )
 		InitEndpointMatcher(AsAnalyzer(), nullptr, 0, is_orig, this);
 
-	RuleMatcherState::Match(type, data, len, is_orig, bol, eol, clear_state);
+	zeek::detail::RuleMatcherState::Match(type, data, len, is_orig, bol, eol, clear_state);
 	}
 
 void PIA::DoMatch(const u_char* data, int len, bool is_orig, bool bol, bool eol,
                   bool clear_state, const zeek::IP_Hdr* ip)
 	{
-	if ( ! rule_matcher )
+	if ( ! zeek::detail::rule_matcher )
 		return;
 
-	if ( ! rule_matcher->HasNonFileMagicRule() )
+	if ( ! zeek::detail::rule_matcher->HasNonFileMagicRule() )
 		return;
 
 	if ( ! MatcherInitialized(is_orig) )
 		InitEndpointMatcher(AsAnalyzer(), ip, len, is_orig, this);
 
-	RuleMatcherState::Match(Rule::PAYLOAD, data, len, is_orig,
+	zeek::detail::RuleMatcherState::Match(zeek::detail::Rule::PAYLOAD, data, len, is_orig,
 	                                      bol, eol, clear_state);
 	}
 
-void PIA_UDP::ActivateAnalyzer(zeek::analyzer::Tag tag, const Rule* rule)
+void PIA_UDP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule* rule)
 	{
 	if ( pkt_buffer.state == MATCHING_ONLY )
 		{
@@ -292,7 +292,7 @@ void PIA_TCP::Undelivered(uint64_t seq, int len, bool is_orig)
 	// No check for buffer overrun here. I think that's ok.
 	}
 
-void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const Rule* rule)
+void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule* rule)
 	{
 	if ( stream_buffer.state == MATCHING_ONLY )
 		{

src/analyzer/protocol/pia/PIA.h

@@ -6,7 +6,7 @@
 #include "analyzer/protocol/tcp/TCP.h"
 #include "RuleMatcher.h"
 
-class RuleEndpointState;
+ZEEK_FORWARD_DECLARE_NAMESPACED(RuleEndpointState, zeek::detail);
 
 namespace analyzer { namespace pia {
 
@@ -17,7 +17,7 @@ namespace analyzer { namespace pia {
 // also keeps the matching state.  This is because (i) it needs to match
 // itself, and (ii) in case of tunnel-decapsulation we may have multiple
 // PIAs and then each needs its own matching-state.
-class PIA : public RuleMatcherState {
+class PIA : public zeek::detail::RuleMatcherState {
 public:
 	explicit PIA(zeek::analyzer::Analyzer* as_analyzer);
 	virtual ~PIA();
@@ -25,12 +25,12 @@ public:
 	// Called when PIA wants to put an Analyzer in charge.  rule is the
 	// signature that triggered the activitation, if any.
 	virtual void ActivateAnalyzer(zeek::analyzer::Tag tag,
-					const Rule* rule = nullptr) = 0;
+	                              const zeek::detail::Rule* rule = nullptr) = 0;
 
 	// Called when PIA wants to remove an Analyzer.
 	virtual void DeactivateAnalyzer(zeek::analyzer::Tag tag) = 0;
 
-	void Match(Rule::PatternType type, const u_char* data, int len,
+	void Match(zeek::detail::Rule::PatternType type, const u_char* data, int len,
 	           bool is_orig, bool bol, bool eol, bool clear_state);
 
 	void ReplayPacketBuffer(zeek::analyzer::Analyzer* analyzer);
@@ -112,7 +112,7 @@ protected:
 		PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, true);
 		}
 
-	void ActivateAnalyzer(zeek::analyzer::Tag tag, const Rule* rule) override;
+	void ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule* rule) override;
 	void DeactivateAnalyzer(zeek::analyzer::Tag tag) override;
 };
 
@@ -161,7 +161,7 @@ protected:
 	void Undelivered(uint64_t seq, int len, bool is_orig) override;
 
 	void ActivateAnalyzer(zeek::analyzer::Tag tag,
-					const Rule* rule = nullptr) override;
+	                      const zeek::detail::Rule* rule = nullptr) override;
 	void DeactivateAnalyzer(zeek::analyzer::Tag tag) override;
 
 private:

src/analyzer/protocol/tcp/TCP_Reassembler.cc

@@ -282,7 +282,7 @@ void TCP_Reassembler::Undelivered(uint64_t up_to_seq)
 
 void TCP_Reassembler::MatchUndelivered(uint64_t up_to_seq, bool use_last_upper)
 	{
-	if ( block_list.Empty() || ! rule_matcher )
+	if ( block_list.Empty() || ! zeek::detail::rule_matcher )
 		return;
 
 	const auto& last_block = block_list.LastBlock();
@@ -312,7 +312,7 @@ void TCP_Reassembler::MatchUndelivered(uint64_t up_to_seq, bool use_last_upper)
 		if ( b.upper > last_reassem_seq )
 			break;
 
-		tcp_analyzer->Conn()->Match(Rule::PAYLOAD, b.block, b.Size(),
+		tcp_analyzer->Conn()->Match(zeek::detail::Rule::PAYLOAD, b.block, b.Size(),
 		                            false, false, IsOrig(), false);
 		}
 	}

src/file_analysis/File.cc

@@ -333,7 +333,7 @@ void File::InferMetadata()
 	if ( ! FileEventAvailable(file_sniff) )
 		return;
 
-	RuleMatcher::MIME_Matches matches;
+	zeek::detail::RuleMatcher::MIME_Matches matches;
 	const u_char* data = bof_buffer_val->AsString()->Bytes();
 	uint64_t len = bof_buffer_val->AsString()->Len();
 	len = std::min(len, LookupFieldDefaultCount(bof_buffer_size_idx));

src/file_analysis/Manager.cc

@@ -47,7 +47,7 @@ void Manager::InitPostScript()
 void Manager::InitMagic()
 	{
 	delete magic_state;
-	magic_state = rule_matcher->InitFileMagic();
+	magic_state = zeek::detail::rule_matcher->InitFileMagic();
 	}
 
 void Manager::Terminate()
@@ -495,20 +495,21 @@ Analyzer* Manager::InstantiateAnalyzer(const Tag& tag,
 	return a;
 	}
 
-RuleMatcher::MIME_Matches* Manager::DetectMIME(const u_char* data, uint64_t len,
+zeek::detail::RuleMatcher::MIME_Matches* Manager::DetectMIME(
-        RuleMatcher::MIME_Matches* rval) const
+	const u_char* data, uint64_t len,
+	zeek::detail::RuleMatcher::MIME_Matches* rval) const
 	{
 	if ( ! magic_state )
 		reporter->InternalError("file magic signature state not initialized");
 
-	rval = rule_matcher->Match(magic_state, data, len, rval);
+	rval = zeek::detail::rule_matcher->Match(magic_state, data, len, rval);
-	rule_matcher->ClearFileMagicState(magic_state);
+	zeek::detail::rule_matcher->ClearFileMagicState(magic_state);
 	return rval;
 	}
 
 string Manager::DetectMIME(const u_char* data, uint64_t len) const
 	{
-	RuleMatcher::MIME_Matches matches;
+	zeek::detail::RuleMatcher::MIME_Matches matches;
 	DetectMIME(data, len, &matches);
 
 	if ( matches.empty() )
@@ -517,13 +518,13 @@ string Manager::DetectMIME(const u_char* data, uint64_t len) const
 	return *(matches.begin()->second.begin());
 	}
 
-zeek::VectorValPtr file_analysis::GenMIMEMatchesVal(const RuleMatcher::MIME_Matches& m)
+zeek::VectorValPtr file_analysis::GenMIMEMatchesVal(const zeek::detail::RuleMatcher::MIME_Matches& m)
 	{
 	static auto mime_matches = zeek::id::find_type<zeek::VectorType>("mime_matches");
 	static auto mime_match = zeek::id::find_type<zeek::RecordType>("mime_match");
 	auto rval = zeek::make_intrusive<zeek::VectorVal>(mime_matches);
 
-	for ( RuleMatcher::MIME_Matches::const_iterator it = m.begin();
+	for ( zeek::detail::RuleMatcher::MIME_Matches::const_iterator it = m.begin();
 	      it != m.end(); ++it )
 		{
 		auto element = zeek::make_intrusive<zeek::RecordVal>(mime_match);

src/file_analysis/Manager.h

@@ -326,8 +326,9 @@ public:
 	 * @return Set of all matching file magic signatures, which may be
 	 *         an object allocated by the method if \a rval is a null pointer.
 	 */
-	RuleMatcher::MIME_Matches* DetectMIME(const u_char* data, uint64_t len,
+	zeek::detail::RuleMatcher::MIME_Matches* DetectMIME(
-					      RuleMatcher::MIME_Matches* rval) const;
+		const u_char* data, uint64_t len,
+		zeek::detail::RuleMatcher::MIME_Matches* rval) const;
 
 	/**
 	 * Returns the strongest MIME magic signature match for a given data chunk.
@@ -421,7 +422,7 @@ private:
 	std::map<std::string, File*> id_map;  /**< Map file ID to file_analysis::File records. */
 	std::set<std::string> ignored; /**< Ignored files.  Will be finally removed on EOF. */
 	std::string current_file_id;	/**< Hash of what get_file_handle event sets. */
-	RuleFileMagicState* magic_state;	/**< File magic signature match state. */
+	zeek::detail::RuleFileMagicState* magic_state;	/**< File magic signature match state. */
 	MIMEMap mime_types;/**< Mapping of MIME types to analyzers. */
 
 	inline static zeek::TableVal* disabled = nullptr;	/**< Table of disabled analyzers. */
@@ -435,7 +436,7 @@ private:
  * Returns a script-layer value corresponding to the \c mime_matches type.
  * @param m The MIME match information with which to populate the value.
  */
-zeek::VectorValPtr GenMIMEMatchesVal(const RuleMatcher::MIME_Matches& m);
+zeek::VectorValPtr GenMIMEMatchesVal(const zeek::detail::RuleMatcher::MIME_Matches& m);
 
 } // namespace file_analysis
 

src/rule-parse.y

@@ -10,11 +10,13 @@
 #include "IPAddr.h"
 #include "net_util.h"
 
+using namespace zeek::detail;
+
 extern void begin_PS();
 extern void end_PS();
 
-Rule* current_rule = 0;
+zeek::detail::Rule* current_rule = nullptr;
-const char* current_rule_file = 0;
+const char* current_rule_file = nullptr;
 
 static uint8_t ip4_mask_to_len(uint32_t mask)
 	{
@@ -78,26 +80,26 @@ static uint8_t ip4_mask_to_len(uint32_t mask)
 %type <ptype> TOK_PATTERN_TYPE
 
 %union {
-	Rule* rule;
+	zeek::detail::Rule* rule;
-	RuleHdrTest* hdr_test;
+	zeek::detail::RuleHdrTest* hdr_test;
-	maskedvalue_list* vallist;
+	zeek::detail::maskedvalue_list* vallist;
 	std::vector<zeek::IPPrefix>* prefix_val_list;
 	zeek::IPPrefix* prefixval;
 
 	bool bl;
 	int val;
 	char* str;
-	MaskedValue mval;
+	zeek::detail::MaskedValue mval;
-	RuleHdrTest::Prot prot;
+	zeek::detail::RuleHdrTest::Prot prot;
-	Range range;
+	zeek::detail::Range range;
-	Rule::PatternType ptype;
+	zeek::detail::Rule::PatternType ptype;
 }
 
 %%
 
 rule_list:
 		rule_list rule
-			{ rule_matcher->AddRule($2); }
+			{ zeek::detail::rule_matcher->AddRule($2); }
 	|
 	;
 
@@ -105,7 +107,7 @@ rule:
 		TOK_SIGNATURE TOK_IDENT
 			{
 			zeek::detail::Location l(current_rule_file, rules_line_number+1, 0, 0, 0);
-			current_rule = new Rule(yylval.str, l);
+			current_rule = new zeek::detail::Rule(yylval.str, l);
 			}
 		'{' rule_attr_list '}'
 			{ $$ = current_rule; }
@@ -119,21 +121,21 @@ rule_attr_list:
 rule_attr:
 		TOK_DST_IP TOK_COMP prefix_value_list
 			{
-			current_rule->AddHdrTest(new RuleHdrTest(
+			current_rule->AddHdrTest(new zeek::detail::RuleHdrTest(
-				RuleHdrTest::IPDst,
+				zeek::detail::RuleHdrTest::IPDst,
-				(RuleHdrTest::Comp) $2, *($3)));
+				(zeek::detail::RuleHdrTest::Comp) $2, *($3)));
 			}
 
 	|	TOK_DST_PORT TOK_COMP value_list
 			{ // Works for both TCP and UDP
-			current_rule->AddHdrTest(new RuleHdrTest(
+			current_rule->AddHdrTest(new zeek::detail::RuleHdrTest(
-				RuleHdrTest::TCP, 2, 2,
+				zeek::detail::RuleHdrTest::TCP, 2, 2,
-				(RuleHdrTest::Comp) $2, $3));
+				(zeek::detail::RuleHdrTest::Comp) $2, $3));
 			}
 
 	|	TOK_EVAL { begin_PS(); } TOK_POLICY_SYMBOL { end_PS(); }
 			{
-			current_rule->AddCondition(new RuleConditionEval($3));
+			current_rule->AddCondition(new zeek::detail::RuleConditionEval($3));
 			}
 
 	|	TOK_HEADER hdr_expr
@@ -142,29 +144,29 @@ rule_attr:
 	|	TOK_IP_OPTIONS ipoption_list
 			{
 			current_rule->AddCondition(
-				new RuleConditionIPOptions($2));
+				new zeek::detail::RuleConditionIPOptions($2));
 			}
 
 	|	TOK_IP_PROTO TOK_COMP TOK_PROT
 			{
 			int proto = 0;
 			switch ( $3 ) {
-			case RuleHdrTest::ICMP: proto = IPPROTO_ICMP; break;
+			case zeek::detail::RuleHdrTest::ICMP: proto = IPPROTO_ICMP; break;
-			case RuleHdrTest::ICMPv6: proto = IPPROTO_ICMPV6; break;
+			case zeek::detail::RuleHdrTest::ICMPv6: proto = IPPROTO_ICMPV6; break;
 			// signature matching against outer packet headers of IP-in-IP
 			// tunneling not supported, so do a no-op there
-			case RuleHdrTest::IP: proto = 0; break;
+			case zeek::detail::RuleHdrTest::IP: proto = 0; break;
-			case RuleHdrTest::IPv6: proto = 0; break;
+			case zeek::detail::RuleHdrTest::IPv6: proto = 0; break;
-			case RuleHdrTest::TCP: proto = IPPROTO_TCP; break;
+			case zeek::detail::RuleHdrTest::TCP: proto = IPPROTO_TCP; break;
-			case RuleHdrTest::UDP: proto = IPPROTO_UDP; break;
+			case zeek::detail::RuleHdrTest::UDP: proto = IPPROTO_UDP; break;
 			default:
 				rules_error("internal_error: unknown protocol");
 			}
 
 			if ( proto )
 				{
-				maskedvalue_list* vallist = new maskedvalue_list;
+				auto* vallist = new zeek::detail::maskedvalue_list;
-				MaskedValue* val = new MaskedValue();
+				auto* val = new zeek::detail::MaskedValue();
 
 				val->val = proto;
 				val->mask = 0xffffffff;
@@ -172,9 +174,9 @@ rule_attr:
 
 				// offset & size params are dummies, actual next proto value in
 				// header is retrieved dynamically via IP_Hdr::NextProto()
-				current_rule->AddHdrTest(new RuleHdrTest(
+				current_rule->AddHdrTest(new zeek::detail::RuleHdrTest(
-					RuleHdrTest::NEXT, 0, 0,
+					zeek::detail::RuleHdrTest::NEXT, 0, 0,
-					(RuleHdrTest::Comp) $2, vallist));
+					(zeek::detail::RuleHdrTest::Comp) $2, vallist));
 				}
 			}
 
@@ -182,22 +184,22 @@ rule_attr:
 			{
 			// offset & size params are dummies, actual next proto value in
 			// header is retrieved dynamically via IP_Hdr::NextProto()
-			current_rule->AddHdrTest(new RuleHdrTest(
+			current_rule->AddHdrTest(new zeek::detail::RuleHdrTest(
-				RuleHdrTest::NEXT, 0, 0,
+				zeek::detail::RuleHdrTest::NEXT, 0, 0,
-				(RuleHdrTest::Comp) $2, $3));
+				(zeek::detail::RuleHdrTest::Comp) $2, $3));
 			}
 
 	|	TOK_EVENT string
-			{ current_rule->AddAction(new RuleActionEvent($2)); }
+			{ current_rule->AddAction(new zeek::detail::RuleActionEvent($2)); }
 
 	|	TOK_MIME string opt_strength
-			{ current_rule->AddAction(new RuleActionMIME($2, $3)); }
+			{ current_rule->AddAction(new zeek::detail::RuleActionMIME($2, $3)); }
 
 	|	TOK_ENABLE TOK_STRING
-			{ current_rule->AddAction(new RuleActionEnable($2)); }
+			{ current_rule->AddAction(new zeek::detail::RuleActionEnable($2)); }
 
 	|	TOK_DISABLE TOK_STRING
-			{ current_rule->AddAction(new RuleActionDisable($2)); }
+			{ current_rule->AddAction(new zeek::detail::RuleActionDisable($2)); }
 
 	|	TOK_PATTERN_TYPE pattern
 			{ current_rule->AddPattern($2, $1); }
@@ -212,7 +214,7 @@ rule_attr:
 	|	TOK_PAYLOAD_SIZE TOK_COMP integer
 			{
 			current_rule->AddCondition(
-				new RuleConditionPayloadSize($3, (RuleConditionPayloadSize::Comp) ($2)));
+				new zeek::detail::RuleConditionPayloadSize($3, (zeek::detail::RuleConditionPayloadSize::Comp) ($2)));
 			}
 
 	|	TOK_REQUIRES_SIGNATURE TOK_IDENT
@@ -228,25 +230,25 @@ rule_attr:
 			{ current_rule->AddRequires($3, 1, 1); }
 
 	|	TOK_SAME_IP
-			{ current_rule->AddCondition(new RuleConditionSameIP()); }
+			{ current_rule->AddCondition(new zeek::detail::RuleConditionSameIP()); }
 
 	|	TOK_SRC_IP TOK_COMP prefix_value_list
 			{
-			current_rule->AddHdrTest(new RuleHdrTest(
+			current_rule->AddHdrTest(new zeek::detail::RuleHdrTest(
-				RuleHdrTest::IPSrc,
+				zeek::detail::RuleHdrTest::IPSrc,
-				(RuleHdrTest::Comp) $2, *($3)));
+				(zeek::detail::RuleHdrTest::Comp) $2, *($3)));
 			}
 
 	|	TOK_SRC_PORT TOK_COMP value_list
 			{ // Works for both TCP and UDP
-			current_rule->AddHdrTest(new RuleHdrTest(
+			current_rule->AddHdrTest(new zeek::detail::RuleHdrTest(
-				RuleHdrTest::TCP, 0, 2,
+				zeek::detail::RuleHdrTest::TCP, 0, 2,
-				(RuleHdrTest::Comp) $2, $3));
+				(zeek::detail::RuleHdrTest::Comp) $2, $3));
 			}
 
 	|	TOK_TCP_STATE tcpstate_list
 			{
-			current_rule->AddCondition(new RuleConditionTCPState($2));
+			current_rule->AddCondition(new zeek::detail::RuleConditionTCPState($2));
 			}
 
 	|	TOK_ACTIVE TOK_BOOL
@@ -256,33 +258,33 @@ rule_attr:
 hdr_expr:
 		TOK_PROT '[' range ']' '&' integer TOK_COMP value
 			{
-			maskedvalue_list* vallist = new maskedvalue_list;
+			auto* vallist = new zeek::detail::maskedvalue_list;
-			MaskedValue* val = new MaskedValue();
+			auto* val = new zeek::detail::MaskedValue();
 
 			val->val = $8.val;
 			val->mask = $6;
 			vallist->push_back(val);
 
-			$$ = new RuleHdrTest($1, $3.offset, $3.len,
+			$$ = new zeek::detail::RuleHdrTest($1, $3.offset, $3.len,
-					(RuleHdrTest::Comp) $7, vallist);
+					(zeek::detail::RuleHdrTest::Comp) $7, vallist);
 			}
 
 	|	TOK_PROT '[' range ']' TOK_COMP value_list
 			{
-			$$ = new RuleHdrTest($1, $3.offset, $3.len,
+			$$ = new zeek::detail::RuleHdrTest($1, $3.offset, $3.len,
-						(RuleHdrTest::Comp) $5, $6);
+						(zeek::detail::RuleHdrTest::Comp) $5, $6);
 			}
 	;
 
 value_list:
 		value_list ',' value
-			{ $1->push_back(new MaskedValue($3)); $$ = $1; }
+			{ $1->push_back(new zeek::detail::MaskedValue($3)); $$ = $1; }
 	|	value_list ',' ranged_value
 			{
 			int numVals = $3->length();
 			for ( int idx = 0; idx < numVals; idx++ )
 				{
-				MaskedValue* val = (*$3)[idx];
+				zeek::detail::MaskedValue* val = (*$3)[idx];
 				$1->push_back(val);
 				}
 			$$ = $1;
@@ -291,8 +293,8 @@ value_list:
 			{ id_to_maskedvallist($3, $1); $$ = $1; }
 	|	value
 			{
-			$$ = new maskedvalue_list();
+			$$ = new zeek::detail::maskedvalue_list();
-			$$->push_back(new MaskedValue($1));
+			$$->push_back(new zeek::detail::MaskedValue($1));
 			}
 	|	ranged_value
 			{
@@ -300,7 +302,7 @@ value_list:
 			}
 	|	TOK_IDENT
 			{
-			$$ = new maskedvalue_list();
+			$$ = new zeek::detail::maskedvalue_list();
 			id_to_maskedvallist($1, $$);
 			}
 	;
@@ -340,10 +342,10 @@ prefix_value:
 ranged_value:
 		TOK_INT '-' TOK_INT
 			{
-			$$ = new maskedvalue_list();
+			$$ = new zeek::detail::maskedvalue_list();
 			for ( int val = $1; val <= $3; val++ )
 				{
-				MaskedValue* masked = new MaskedValue();
+				auto* masked = new zeek::detail::MaskedValue();
 				masked->val = val;
 				masked->mask = 0xffffffff;
 				$$->push_back(masked);
@@ -428,22 +430,22 @@ void rules_error(const char* msg)
 	{
 	reporter->Error("Error in signature (%s:%d): %s\n",
 	                current_rule_file, rules_line_number+1, msg);
-	rule_matcher->SetParseError();
+	zeek::detail::rule_matcher->SetParseError();
 	}
 
 void rules_error(const char* msg, const char* addl)
 	{
 	reporter->Error("Error in signature (%s:%d): %s (%s)\n",
 	                current_rule_file, rules_line_number+1, msg, addl);
-	rule_matcher->SetParseError();
+	zeek::detail::rule_matcher->SetParseError();
 	}
 
-void rules_error(Rule* r, const char* msg)
+void rules_error(zeek::detail::Rule* r, const char* msg)
 	{
 	const zeek::detail::Location& l = r->GetLocation();
 	reporter->Error("Error in signature %s (%s:%d): %s\n",
 	                r->ID(), l.filename, l.first_line, msg);
-	rule_matcher->SetParseError();
+	zeek::detail::rule_matcher->SetParseError();
 	}
 
 int rules_wrap(void)

src/rule-scan.l

@@ -12,6 +12,7 @@
 #include "rule-parse.h"
 
 int rules_line_number = 0;
+
 %}
 
 %x PS
@@ -55,61 +56,61 @@ PID  {PIDCOMPONENT}(::{PIDCOMPONENT})*
 
 [!\]\[{}&:,-]	return rules_text[0];
 
-"<="	{ rules_lval.val = RuleHdrTest::LE; return TOK_COMP; }
+"<="	{ rules_lval.val = zeek::detail::RuleHdrTest::LE; return TOK_COMP; }
-">="	{ rules_lval.val = RuleHdrTest::GE; return TOK_COMP; }
+">="	{ rules_lval.val = zeek::detail::RuleHdrTest::GE; return TOK_COMP; }
-"<"	{ rules_lval.val = RuleHdrTest::LT; return TOK_COMP; }
+"<"	{ rules_lval.val = zeek::detail::RuleHdrTest::LT; return TOK_COMP; }
-">"	{ rules_lval.val = RuleHdrTest::GT; return TOK_COMP; }
+">"	{ rules_lval.val = zeek::detail::RuleHdrTest::GT; return TOK_COMP; }
-"="	{ rules_lval.val = RuleHdrTest::EQ; return TOK_COMP; }
+"="	{ rules_lval.val = zeek::detail::RuleHdrTest::EQ; return TOK_COMP; }
-"=="	{ rules_lval.val = RuleHdrTest::EQ; return TOK_COMP; }
+"=="	{ rules_lval.val = zeek::detail::RuleHdrTest::EQ; return TOK_COMP; }
-"!="	{ rules_lval.val = RuleHdrTest::NE; return TOK_COMP; }
+"!="	{ rules_lval.val = zeek::detail::RuleHdrTest::NE; return TOK_COMP; }
 
-ip	{ rules_lval.val = RuleHdrTest::IP; return TOK_PROT; }
+ip	{ rules_lval.val = zeek::detail::RuleHdrTest::IP; return TOK_PROT; }
-ip6	{ rules_lval.val = RuleHdrTest::IPv6; return TOK_PROT; }
+ip6	{ rules_lval.val = zeek::detail::RuleHdrTest::IPv6; return TOK_PROT; }
-icmp	{ rules_lval.val = RuleHdrTest::ICMP; return TOK_PROT; }
+icmp	{ rules_lval.val = zeek::detail::RuleHdrTest::ICMP; return TOK_PROT; }
-icmp6	{ rules_lval.val = RuleHdrTest::ICMPv6; return TOK_PROT; }
+icmp6	{ rules_lval.val = zeek::detail::RuleHdrTest::ICMPv6; return TOK_PROT; }
-tcp	{ rules_lval.val = RuleHdrTest::TCP; return TOK_PROT; }
+tcp	{ rules_lval.val = zeek::detail::RuleHdrTest::TCP; return TOK_PROT; }
-udp	{ rules_lval.val = RuleHdrTest::UDP; return TOK_PROT; }
+udp	{ rules_lval.val = zeek::detail::RuleHdrTest::UDP; return TOK_PROT; }
 
 true	{ rules_lval.val = true; return TOK_BOOL; }
 false	{ rules_lval.val = false; return TOK_BOOL; }
 
 established	{
-		rules_lval.val = RuleConditionTCPState::STATE_ESTABLISHED;
+		rules_lval.val = zeek::detail::RuleConditionTCPState::STATE_ESTABLISHED;
 		return TOK_TCP_STATE_SYM;
 		}
 
 originator	{
-		rules_lval.val = RuleConditionTCPState::STATE_ORIG;
+		rules_lval.val = zeek::detail::RuleConditionTCPState::STATE_ORIG;
 		return TOK_TCP_STATE_SYM;
 		}
 
 responder	{
-		rules_lval.val = RuleConditionTCPState::STATE_RESP;
+		rules_lval.val = zeek::detail::RuleConditionTCPState::STATE_RESP;
 		return TOK_TCP_STATE_SYM;
 		}
 
 stateless	{
-		rules_lval.val = RuleConditionTCPState::STATE_STATELESS;
+		rules_lval.val = zeek::detail::RuleConditionTCPState::STATE_STATELESS;
 		return TOK_TCP_STATE_SYM;
 		}
 
 lsrr		{
-		rules_lval.val = RuleConditionIPOptions::OPT_LSRR;
+		rules_lval.val = zeek::detail::RuleConditionIPOptions::OPT_LSRR;
 		return TOK_IP_OPTION_SYM;
 		}
 
 lsrre		{
-		rules_lval.val = RuleConditionIPOptions::OPT_LSRRE;
+		rules_lval.val = zeek::detail::RuleConditionIPOptions::OPT_LSRRE;
 		return TOK_IP_OPTION_SYM;
 		}
 
 rr		{
-		rules_lval.val = RuleConditionIPOptions::OPT_RR;
+		rules_lval.val = zeek::detail::RuleConditionIPOptions::OPT_RR;
 		return TOK_IP_OPTION_SYM;
 		}
 
 ssrr		{
-		rules_lval.val = RuleConditionIPOptions::OPT_SSRR;
+		rules_lval.val = zeek::detail::RuleConditionIPOptions::OPT_SSRR;
 		return TOK_IP_OPTION_SYM;
 		}
 
@@ -133,18 +134,18 @@ src-port	return TOK_SRC_PORT;
 tcp-state	return TOK_TCP_STATE;
 active		return TOK_ACTIVE;
 
-file-magic { rules_lval.val = Rule::FILE_MAGIC; return TOK_PATTERN_TYPE; }
+file-magic { rules_lval.val = zeek::detail::Rule::FILE_MAGIC; return TOK_PATTERN_TYPE; }
-payload	{ rules_lval.val = Rule::PAYLOAD; return TOK_PATTERN_TYPE; }
+payload	{ rules_lval.val = zeek::detail::Rule::PAYLOAD; return TOK_PATTERN_TYPE; }
-http-request	{ rules_lval.val = Rule::HTTP_REQUEST; return TOK_PATTERN_TYPE; }
+http-request	{ rules_lval.val = zeek::detail::Rule::HTTP_REQUEST; return TOK_PATTERN_TYPE; }
-http-request-body	{ rules_lval.val = Rule::HTTP_REQUEST_BODY; return TOK_PATTERN_TYPE; }
+http-request-body	{ rules_lval.val = zeek::detail::Rule::HTTP_REQUEST_BODY; return TOK_PATTERN_TYPE; }
-http-reply-body	{ rules_lval.val = Rule::HTTP_REPLY_BODY; return TOK_PATTERN_TYPE; }
+http-reply-body	{ rules_lval.val = zeek::detail::Rule::HTTP_REPLY_BODY; return TOK_PATTERN_TYPE; }
-http-body	{ rules_lval.val = Rule::HTTP_REPLY_BODY; return TOK_PATTERN_TYPE; }
+http-body	{ rules_lval.val = zeek::detail::Rule::HTTP_REPLY_BODY; return TOK_PATTERN_TYPE; }
-http-request-header	{ rules_lval.val = Rule::HTTP_REQUEST_HEADER; return TOK_PATTERN_TYPE; }
+http-request-header	{ rules_lval.val = zeek::detail::Rule::HTTP_REQUEST_HEADER; return TOK_PATTERN_TYPE; }
-http-reply-header	{ rules_lval.val = Rule::HTTP_REPLY_HEADER; return TOK_PATTERN_TYPE; }
+http-reply-header	{ rules_lval.val = zeek::detail::Rule::HTTP_REPLY_HEADER; return TOK_PATTERN_TYPE; }
-http	{ rules_lval.val = Rule::HTTP_REQUEST; return TOK_PATTERN_TYPE; }
+http	{ rules_lval.val = zeek::detail::Rule::HTTP_REQUEST; return TOK_PATTERN_TYPE; }
 
-ftp	{ rules_lval.val = Rule::FTP; return TOK_PATTERN_TYPE; }
+ftp	{ rules_lval.val = zeek::detail::Rule::FTP; return TOK_PATTERN_TYPE; }
-finger	{ rules_lval.val = Rule::FINGER; return TOK_PATTERN_TYPE; }
+finger	{ rules_lval.val = zeek::detail::Rule::FINGER; return TOK_PATTERN_TYPE; }
 
 {D}("."{D}){3}{OWS}"/"{OWS}{D}	{
 	char* s = strchr(yytext, '/');

src/stats.bif

@@ -397,10 +397,10 @@ function get_matcher_stats%(%): MatcherStats
 	auto r = zeek::make_intrusive<zeek::RecordVal>(MatcherStats);
 	int n = 0;
 
-	RuleMatcher::Stats s;
+	zeek::detail::RuleMatcher::Stats s;
 	memset(&s, 0, sizeof(s));
-	if ( rule_matcher )
+	if ( zeek::detail::rule_matcher )
-		rule_matcher->GetStats(&s);
+		zeek::detail::rule_matcher->GetStats(&s);
 
 	r->Assign(n++, zeek::val_mgr->Count(s.matchers));
 	r->Assign(n++, zeek::val_mgr->Count(s.nfa_states));

src/zeek-setup.cc

@@ -93,6 +93,9 @@ zeek::analyzer::Manager*& analyzer_mgr = zeek::analyzer_mgr;
 zeek::plugin::Manager* zeek::plugin_mgr = nullptr;
 zeek::plugin::Manager*& plugin_mgr = zeek::plugin_mgr;
 
+zeek::detail::RuleMatcher* zeek::detail::rule_matcher = nullptr;
+zeek::detail::RuleMatcher*& rule_matcher = zeek::detail::rule_matcher;
+
 DNS_Mgr* dns_mgr;
 TimerMgr* timer_mgr;
 
@@ -108,7 +111,6 @@ zeek::detail::trigger::Manager* trigger_mgr = nullptr;
 
 std::vector<std::string> zeek_script_prefixes;
 zeek::detail::Stmt* stmts;
-RuleMatcher* rule_matcher = nullptr;
 EventRegistry* event_registry = nullptr;
 ProfileLogger* profiling_logger = nullptr;
 ProfileLogger* segment_logger = nullptr;
@@ -336,7 +338,7 @@ void zeek_terminate_loop(const char* reason)
 	// might write to connection content files.
 	BroFile::CloseOpenFiles();
 
-	delete rule_matcher;
+	delete zeek::detail::rule_matcher;
 
 	exit(0);
 	}

src/zeek.bif

@@ -998,7 +998,7 @@ function identify_data%(data: string, return_mime: bool &default=T%): string
 ## .. zeek:see:: identify_data
 function file_magic%(data: string%): mime_matches
 	%{
-	RuleMatcher::MIME_Matches matches;
+	zeek::detail::RuleMatcher::MIME_Matches matches;
 	file_mgr->DetectMIME(data->Bytes(), data->Len(), &matches);
 	return file_analysis::GenMIMEMatchesVal(matches);
 	%}
@@ -2092,8 +2092,8 @@ function is_local_interface%(ip: addr%) : bool
 ## .. zeek:see:: get_matcher_stats
 function dump_rule_stats%(f: file%): bool
 	%{
-	if ( rule_matcher )
+	if ( zeek::detail::rule_matcher )
-		rule_matcher->DumpStats(f);
+		zeek::detail::rule_matcher->DumpStats(f);
 
 	return zeek::val_mgr->True();
 	%}
@@ -5032,10 +5032,10 @@ function match_signatures%(c: connection, pattern_type: int, s: string,
 				bol: bool, eol: bool,
 				from_orig: bool, clear: bool%) : bool
 	%{
-	if ( ! rule_matcher )
+	if ( ! zeek::detail::rule_matcher )
 		return zeek::val_mgr->False();
 
-	c->Match((Rule::PatternType) pattern_type, s->Bytes(), s->Len(),
+	c->Match((zeek::detail::Rule::PatternType) pattern_type, s->Bytes(), s->Len(),
 	         from_orig, bol, eol, clear);
 
 	return zeek::val_mgr->True();