pub unsafe extern "C" fn ddwaf_subcontext_multieval(
subcontext: ddwaf_subcontext,
data: *mut ddwaf_object,
alloc: ddwaf_allocator,
result: *mut ddwaf_object,
timeout: u64,
) -> DDWAF_RET_CODEExpand description
Perform multiple matching operations on the provided data, evaluating each batch in sequence and returning a single combined result.
This function operates identically to ddwaf_subcontext_eval, with the distinction that data must be an array of maps. Each element is treated as a separate input batch and is evaluated in order. Addresses provided in earlier batches persist in the store and remain available when evaluating later batches, so a rule that requires multiple addresses can be satisfied by data spread across different batches within a single call. The result reflects all events, actions, and attributes accumulated across the entire sequence of batches.
@param subcontext WAF subcontext to be used in this run, this will determine the ruleset which will be used and it will also ensure that parameters are taken into account across runs. (nonnull)
@param data (nonnull) Array of input batches to evaluate. Each element must
be a map of {string,
@param alloc (nullable) Allocator used to free the data provided. If NULL, the data will not be freed.
@param result (nullable) Object map containing the following items:
- events: an array of all events generated across all batches.
- actions: a map of all actions generated across all batches
in the format: “{action type: {
@return Return code of the operation. @retval DDWAF_ERR_INVALID_ARGUMENT The subcontext is invalid, the data will not be freed. @retval DDWAF_ERR_INVALID_OBJECT The data provided didn’t match the desired structure or contained invalid objects, the data will be freed by this function. @retval DDWAF_ERR_INTERNAL There was an unexpected error and the operation did not succeed. The state of the WAF is undefined if this error is produced and the ownership of the data is unknown. The result structure will not be filled if this error occurs.
Notes on addresses:
- Within a single batch, addresses provided should be unique. If duplicate addresses are provided within the same batch, the latest one in the structure will be used for evaluation.
- Addresses from earlier batches persist in the store and are accessible during evaluation of subsequent batches within the same call. If the same address appears in a later batch, the later value replaces the earlier one.
- A rule that requires multiple addresses can be satisfied by data spread across different batches within a single call.