GH-1119: add base/protcols/conn/removal-hooks.zeek

This adds two new functions: `Conn::register_removal_hook()` and `Conn::unregister_removal_hook()` for registering a hook function to be called back during `connection_state_remove`. The benefit of using hook callback approach is better scalability: the overhead of unrelated protocols having to dispatch no-op `connection_state_remove` handlers is avoided.
2025-10-09 18:18:19 +00:00 · 2020-09-10 21:19:14 -07:00 · 2020-09-10 21:19:14 -07:00 · 05cf511f18
commit 05cf511f18
parent 49e2047da0
31 changed files with 659 additions and 386 deletions
--- a/scripts/base/protocols/smtp/main.zeek
+++ b/scripts/base/protocols/smtp/main.zeek
@ -1,6 +1,7 @@
@load base/utils/addrs
@load base/utils/directions-and-hosts
@load base/utils/email
+@load base/protocols/conn/removal-hooks

 module SMTP;

@ -82,6 +83,9 @@ export {
 	global describe: function(rec: Info): string;

 	global log_smtp: event(rec: Info);
+
+	## SMTP finalization hook.  Remaining SMTP info may get logged when it's called.
+	global finalize_smtp: Conn::RemovalHook;
 }

 redef record connection += {
@ -129,6 +133,7 @@ function new_smtp_log(c: connection): Info
 	# The lower values in the vector are the end of the path.
 	l$path = vector(c$id$resp_h, c$id$orig_h);

+	Conn::register_removal_hook(c, finalize_smtp);
 	return l;
 	}

@ -298,7 +303,7 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=3
 		c$smtp$path += ip;
 	}

-event connection_state_remove(c: connection) &priority=-5
+hook finalize_smtp(c: connection)
 	{
 	if ( c?$smtp )
 		smtp_message(c);