Update PacketFilter/Discarder code for IP version independence.

The signatures of script-layer functions 'discarder_check_ip', 'discarder_check_tcp', 'discarder_check_udp', and 'discarder_check_icmp' were changed to use the more general 'pkt_hdr' type as a parameter instead of individual header types.
2025-10-02 14:48:21 +00:00 · 2012-03-08 13:12:04 -06:00 · 2012-03-08 13:12:04 -06:00 · 0b32c980bf
commit 0b32c980bf
parent 76ef36e048
13 changed files with 251 additions and 194 deletions
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -1167,7 +1167,7 @@ global discarder_maxlen = 128 &redef;
 ## analysis. If the function signals to discard a packet, no further processing
 ## will be performed on it.
 ##
-## i: The IP header of the considered packet.
+## p: The IP header of the considered packet.
 ##
 ## Returns: True if the packet should not be analyzed any further.
 ##
@ -1176,15 +1176,15 @@ global discarder_maxlen = 128 &redef;
 ##
 ## .. note:: This is very low-level functionality and potentially expensive.
 ##    Avoid using it.
-global discarder_check_ip: function(i: ip_hdr): bool;
+global discarder_check_ip: function(p: pkt_hdr): bool;
 ## Function for skipping packets based on their TCP header. If defined, this
 ## function will be called for all TCP packets before Bro performs any further
 ## analysis. If the function signals to discard a packet, no further processing
 ## will be performed on it.
 ##
-## i: The IP header of the considered packet.
+## p: The IP and TCP headers of the considered packet.
-## t: The TCP header.
+##
 ## d: Up to :bro:see:`discarder_maxlen` bytes of the TCP payload.
 ##
 ## Returns: True if the packet should not be analyzed any further.
@ -1194,15 +1194,15 @@ global discarder_check_ip: function(i: ip_hdr): bool;
 ##
 ## .. note:: This is very low-level functionality and potentially expensive.
 ##    Avoid using it.
-global discarder_check_tcp: function(i: ip_hdr, t: tcp_hdr, d: string): bool;
+global discarder_check_tcp: function(p: pkt_hdr, d: string): bool;
 ## Function for skipping packets based on their UDP header. If defined, this
 ## function will be called for all UDP packets before Bro performs any further
 ## analysis. If the function signals to discard a packet, no further processing
 ## will be performed on it.
 ##
-## i: The IP header of the considered packet.
+## p: The IP and UDP headers of the considered packet.
-## t: The UDP header.
+##
 ## d: Up to :bro:see:`discarder_maxlen` bytes of the UDP payload.
 ##
 ## Returns: True if the packet should not be analyzed any further.
@ -1212,15 +1212,14 @@ global discarder_check_tcp: function(i: ip_hdr, t: tcp_hdr, d: string): bool;
 ##
 ## .. note:: This is very low-level functionality and potentially expensive.
 ##    Avoid using it.
-global discarder_check_udp: function(i: ip_hdr, u: udp_hdr, d: string): bool;
+global discarder_check_udp: function(p: pkt_hdr, d: string): bool;
 ## Function for skipping packets based on their ICMP header. If defined, this
 ## function will be called for all ICMP packets before Bro performs any further
 ## analysis. If the function signals to discard a packet, no further processing
 ## will be performed on it.
 ##
-## i: The IP header of the considered packet.
+## p: The IP and ICMP headers of the considered packet.
 ## ih: The ICMP header.
 ##
 ## Returns: True if the packet should not be analyzed any further.
 ##
@ -1229,7 +1228,7 @@ global discarder_check_udp: function(i: ip_hdr, u: udp_hdr, d: string): bool;
 ##
 ## .. note:: This is very low-level functionality and potentially expensive.
 ##    Avoid using it.
-global discarder_check_icmp: function(i: ip_hdr, ih: icmp_hdr): bool;
+global discarder_check_icmp: function(p: pkt_hdr): bool;
 ## Bro's watchdog interval.
 const watchdog_interval = 10 sec &redef;
--- a/src/Discard.cc
+++ b/src/Discard.cc
@ -10,11 +10,6 @@
 Discarder::Discarder()
 	{
 	ip_hdr = internal_type("ip_hdr")->AsRecordType();
 	tcp_hdr = internal_type("tcp_hdr")->AsRecordType();
 	udp_hdr = internal_type("udp_hdr")->AsRecordType();
 	icmp_hdr = internal_type("icmp_hdr")->AsRecordType();
 	check_ip = internal_func("discarder_check_ip");
 	check_tcp = internal_func("discarder_check_tcp");
 	check_udp = internal_func("discarder_check_udp");
@ -36,12 +31,10 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
 	{
 	int discard_packet = 0;
 	const struct ip* ip4 = ip->IP4_Hdr();
 	if ( check_ip )
 		{
 		val_list* args = new val_list;
-		args->append(BuildHeader(ip4));
+		args->append(ip->BuildPktHdrVal());
 		try
 			{
@ -59,19 +52,18 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
 			return discard_packet;
 		}
-	int proto = ip4->ip_p;
+	int proto = ip->NextProto();
 	if ( proto != IPPROTO_TCP && proto != IPPROTO_UDP &&
 	     proto != IPPROTO_ICMP )
 		// This is not a protocol we understand.
 		return 0;
 	// XXX shall we only check the first packet???
-	uint32 frag_field = ntohs(ip4->ip_off);
+	if ( ip->IsFragment() )
 	if ( (frag_field & 0x3fff) != 0 )
 		// Never check any fragment.
 		return 0;
-	int ip_hdr_len = ip4->ip_hl * 4;
+	int ip_hdr_len = ip->HdrLen();
 	len -= ip_hdr_len;	// remove IP header
 	caplen -= ip_hdr_len;
@ -87,7 +79,7 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
 	// Where the data starts - if this is a protocol we know about,
 	// this gets advanced past the transport header.
-	const u_char* data = ((u_char*) ip4 + ip_hdr_len);
+	const u_char* data = ip->Payload();
 	if ( is_tcp )
 		{
@ -97,8 +89,7 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
 			int th_len = tp->th_off * 4;
 			val_list* args = new val_list;
-			args->append(BuildHeader(ip4));
+			args->append(ip->BuildPktHdrVal());
 			args->append(BuildHeader(tp, len));
 			args->append(BuildData(data, th_len, len, caplen));
 			try
@ -123,8 +114,7 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
 			int uh_len = sizeof (struct udphdr);
 			val_list* args = new val_list;
-			args->append(BuildHeader(ip4));
+			args->append(ip->BuildPktHdrVal());
 			args->append(BuildHeader(up));
 			args->append(BuildData(data, uh_len, len, caplen));
 			try
@ -148,8 +138,7 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
 			const struct icmp* ih = (const struct icmp*) data;
 			val_list* args = new val_list;
-			args->append(BuildHeader(ip4));
+			args->append(ip->BuildPktHdrVal());
 			args->append(BuildHeader(ih));
 			try
 				{
@ -168,62 +157,6 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
 	return discard_packet;
 	}
 Val* Discarder::BuildHeader(const struct ip* ip)
 	{
 	RecordVal* hdr = new RecordVal(ip_hdr);
 	hdr->Assign(0, new Val(ip->ip_hl * 4, TYPE_COUNT));
 	hdr->Assign(1, new Val(ip->ip_tos, TYPE_COUNT));
 	hdr->Assign(2, new Val(ntohs(ip->ip_len), TYPE_COUNT));
 	hdr->Assign(3, new Val(ntohs(ip->ip_id), TYPE_COUNT));
 	hdr->Assign(4, new Val(ip->ip_ttl, TYPE_COUNT));
 	hdr->Assign(5, new Val(ip->ip_p, TYPE_COUNT));
 	hdr->Assign(6, new AddrVal(ip->ip_src.s_addr));
 	hdr->Assign(7, new AddrVal(ip->ip_dst.s_addr));
 	return hdr;
 	}
 Val* Discarder::BuildHeader(const struct tcphdr* tp, int tcp_len)
 	{
 	RecordVal* hdr = new RecordVal(tcp_hdr);
 	hdr->Assign(0, new PortVal(ntohs(tp->th_sport), TRANSPORT_TCP));
 	hdr->Assign(1, new PortVal(ntohs(tp->th_dport), TRANSPORT_TCP));
 	hdr->Assign(2, new Val(uint32(ntohl(tp->th_seq)), TYPE_COUNT));
 	hdr->Assign(3, new Val(uint32(ntohl(tp->th_ack)), TYPE_COUNT));
 	int tcp_hdr_len = tp->th_off * 4;
 	hdr->Assign(4, new Val(tcp_hdr_len, TYPE_COUNT));
 	hdr->Assign(5, new Val(tcp_len - tcp_hdr_len, TYPE_COUNT));
 	hdr->Assign(6, new Val(tp->th_flags, TYPE_COUNT));
 	hdr->Assign(7, new Val(ntohs(tp->th_win), TYPE_COUNT));
 	return hdr;
 	}
 Val* Discarder::BuildHeader(const struct udphdr* up)
 	{
 	RecordVal* hdr = new RecordVal(udp_hdr);
 	hdr->Assign(0, new PortVal(ntohs(up->uh_sport), TRANSPORT_UDP));
 	hdr->Assign(1, new PortVal(ntohs(up->uh_dport), TRANSPORT_UDP));
 	hdr->Assign(2, new Val(ntohs(up->uh_ulen), TYPE_COUNT));
 	return hdr;
 	}
 Val* Discarder::BuildHeader(const struct icmp* icmp)
 	{
 	RecordVal* hdr = new RecordVal(icmp_hdr);
 	hdr->Assign(0, new Val(icmp->icmp_type, TYPE_COUNT));
 	return hdr;
 	}
 Val* Discarder::BuildData(const u_char* data, int hdrlen, int len, int caplen)
 	{
 	len -= hdrlen;
--- a/src/Discard.h
+++ b/src/Discard.h
@ -25,17 +25,8 @@ public:
 	int NextPacket(const IP_Hdr* ip, int len, int caplen);
 protected:
 	Val* BuildHeader(const struct ip* ip);
 	Val* BuildHeader(const struct tcphdr* tp, int tcp_len);
 	Val* BuildHeader(const struct udphdr* up);
 	Val* BuildHeader(const struct icmp* icmp);
 	Val* BuildData(const u_char* data, int hdrlen, int len, int caplen);
 	RecordType* ip_hdr;
 	RecordType* tcp_hdr;
 	RecordType* udp_hdr;
 	RecordType* icmp_hdr;
 	Func* check_ip;
 	Func* check_tcp;
 	Func* check_udp;
--- a/src/IP.cc
+++ b/src/IP.cc
@ -141,7 +141,7 @@ RecordVal* IPv6_ESP::BuildRecordVal() const
 	return rv;
 	}
-RecordVal* IP_Hdr::BuildRecordVal() const
+RecordVal* IP_Hdr::BuildIPHdrVal() const
 	{
 	RecordVal* rval = 0;
@ -226,6 +226,88 @@ RecordVal* IP_Hdr::BuildRecordVal() const
 	return rval;
 	}
 RecordVal* IP_Hdr::BuildPktHdrVal() const
 	{
 	static RecordType* pkt_hdr_type = 0;
 	static RecordType* tcp_hdr_type = 0;
 	static RecordType* udp_hdr_type = 0;
 	static RecordType* icmp_hdr_type = 0;
 	if ( ! pkt_hdr_type )
 		{
 		pkt_hdr_type = internal_type("pkt_hdr")->AsRecordType();
 		tcp_hdr_type = internal_type("tcp_hdr")->AsRecordType();
 		udp_hdr_type = internal_type("udp_hdr")->AsRecordType();
 		icmp_hdr_type = internal_type("icmp_hdr")->AsRecordType();
 		}
 	RecordVal* pkt_hdr = new RecordVal(pkt_hdr_type);
 	if ( ip4 )
 		pkt_hdr->Assign(0, BuildIPHdrVal());
 	else
 		pkt_hdr->Assign(1, BuildIPHdrVal());
 	// L4 header.
 	const u_char* data = Payload();
 	int proto = NextProto();
 	switch ( proto ) {
 	case IPPROTO_TCP:
 		{
 		const struct tcphdr* tp = (const struct tcphdr*) data;
 		RecordVal* tcp_hdr = new RecordVal(tcp_hdr_type);
 		int tcp_hdr_len = tp->th_off * 4;
 		int data_len = PayloadLen() - tcp_hdr_len;
 		tcp_hdr->Assign(0, new PortVal(ntohs(tp->th_sport), TRANSPORT_TCP));
 		tcp_hdr->Assign(1, new PortVal(ntohs(tp->th_dport), TRANSPORT_TCP));
 		tcp_hdr->Assign(2, new Val(uint32(ntohl(tp->th_seq)), TYPE_COUNT));
 		tcp_hdr->Assign(3, new Val(uint32(ntohl(tp->th_ack)), TYPE_COUNT));
 		tcp_hdr->Assign(4, new Val(tcp_hdr_len, TYPE_COUNT));
 		tcp_hdr->Assign(5, new Val(data_len, TYPE_COUNT));
 		tcp_hdr->Assign(6, new Val(tp->th_flags, TYPE_COUNT));
 		tcp_hdr->Assign(7, new Val(ntohs(tp->th_win), TYPE_COUNT));
 		pkt_hdr->Assign(2, tcp_hdr);
 		break;
 		}
 	case IPPROTO_UDP:
 		{
 		const struct udphdr* up = (const struct udphdr*) data;
 		RecordVal* udp_hdr = new RecordVal(udp_hdr_type);
 		udp_hdr->Assign(0, new PortVal(ntohs(up->uh_sport), TRANSPORT_UDP));
 		udp_hdr->Assign(1, new PortVal(ntohs(up->uh_dport), TRANSPORT_UDP));
 		udp_hdr->Assign(2, new Val(ntohs(up->uh_ulen), TYPE_COUNT));
 		pkt_hdr->Assign(3, udp_hdr);
 		break;
 		}
 	case IPPROTO_ICMP:
 		{
 		const struct icmp* icmpp = (const struct icmp *) data;
 		RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type);
 		icmp_hdr->Assign(0, new Val(icmpp->icmp_type, TYPE_COUNT));
 		pkt_hdr->Assign(4, icmp_hdr);
 		break;
 		}
 	default:
 		{
 		// This is not a protocol we understand.
 		break;
 		}
 	}
 	return pkt_hdr;
 	}
 static inline IPv6_Hdr* getIPv6Header(uint8 type, const u_char* d,
                                      bool set_next = false, uint16 nxt = 0)
 	{
--- a/src/IP.h
+++ b/src/IP.h
@ -249,7 +249,6 @@ public:
 			}
 		}
 	//TODO: audit usages of this for correct IPv6 support or IPv4 assumptions
 	const struct ip* IP4_Hdr() const	{ return ip4; }
 	const struct ip6_hdr* IP6_Hdr() const	{ return ip6; }
@ -355,7 +354,13 @@ public:
 	/**
 	 * Returns an ip_hdr or ip6_hdr_chain RecordVal.
 	 */
-	RecordVal* BuildRecordVal() const;
+	RecordVal* BuildIPHdrVal() const;
 	/**
 	 * Returns a pkt_hdr RecordVal, which includes not only the IP header, but
 	 * also upper-layer (tcp/udp/icmp) headers.
 	 */
 	RecordVal* BuildPktHdrVal() const;
 private:
 	const struct ip* ip4;
--- a/src/PacketFilter.cc
+++ b/src/PacketFilter.cc
@ -71,9 +71,7 @@ bool PacketFilter::MatchFilter(const Filter& f, const IP_Hdr& ip,
 	if ( ip.NextProto() == IPPROTO_TCP && f.tcp_flags )
 		{
 		// Caution! The packet sanity checks have not been performed yet
-		const struct ip* ip4 = ip.IP4_Hdr();
+		int ip_hdr_len = ip.HdrLen();
 		int ip_hdr_len = ip4->ip_hl * 4;
 		len -= ip_hdr_len;	// remove IP header
 		caplen -= ip_hdr_len;
@ -82,8 +80,7 @@ bool PacketFilter::MatchFilter(const Filter& f, const IP_Hdr& ip,
 			// Packet too short, will be dropped anyway.
 			return false;
-		const struct tcphdr* tp =
+		const struct tcphdr* tp = (const struct tcphdr*) ip.Payload();
 			(const struct tcphdr*) ((u_char*) ip4 + ip_hdr_len);
 		if ( tp->th_flags & f.tcp_flags )
 			 // At least one of the flags is set, so don't drop
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@ -333,7 +333,7 @@ void NetSessions::NextPacketSecondary(double /* t */, const struct pcap_pkthdr*
 				new StringVal(sp->Event()->Filter());
 			args->append(cmd_val);
 			IP_Hdr ip_hdr(ip, false);
-			args->append(BuildHeader(&ip_hdr));
+			args->append(ip_hdr.BuildPktHdrVal());
 			// ### Need to queue event here.
 			try
 				{
@ -470,7 +470,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 		if ( esp_packet )
 			{
 			val_list* vl = new val_list();
-			vl->append(ip_hdr->BuildRecordVal());
+			vl->append(ip_hdr->BuildPktHdrVal());
 			mgr.QueueEvent(esp_packet, vl);
 			}
 		Remove(f);
@ -593,13 +593,13 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 	if ( ipv6_ext_headers && ip_hdr->NumHeaders() > 1 )
 		{
-		pkt_hdr_val = BuildHeader(ip_hdr);
+		pkt_hdr_val = ip_hdr->BuildPktHdrVal();
 		conn->Event(new_packet, 0, pkt_hdr_val);
 		}
 	if ( new_packet )
 		conn->Event(new_packet, 0,
-		        pkt_hdr_val ? pkt_hdr_val->Ref() : BuildHeader(ip_hdr));
+		        pkt_hdr_val ? pkt_hdr_val->Ref() : ip_hdr->BuildPktHdrVal());
 	conn->NextPacket(t, is_orig, ip_hdr, len, caplen, data,
 				record_packet, record_content,
@ -654,88 +654,6 @@ bool NetSessions::CheckHeaderTrunc(int proto, uint32 len, uint32 caplen,
 	return false;
 	}
 Val* NetSessions::BuildHeader(const IP_Hdr* ip)
 	{
 	static RecordType* pkt_hdr_type = 0;
 	static RecordType* tcp_hdr_type = 0;
 	static RecordType* udp_hdr_type = 0;
 	static RecordType* icmp_hdr_type;
 	if ( ! pkt_hdr_type )
 		{
 		pkt_hdr_type = internal_type("pkt_hdr")->AsRecordType();
 		tcp_hdr_type = internal_type("tcp_hdr")->AsRecordType();
 		udp_hdr_type = internal_type("udp_hdr")->AsRecordType();
 		icmp_hdr_type = internal_type("icmp_hdr")->AsRecordType();
 		}
 	RecordVal* pkt_hdr = new RecordVal(pkt_hdr_type);
 	if ( ip->IP4_Hdr() )
 		pkt_hdr->Assign(0, ip->BuildRecordVal());
 	else
 		pkt_hdr->Assign(1, ip->BuildRecordVal());
 	// L4 header.
 	const u_char* data = ip->Payload();
 	int proto = ip->NextProto();
 	switch ( proto ) {
 	case IPPROTO_TCP:
 		{
 		const struct tcphdr* tp = (const struct tcphdr*) data;
 		RecordVal* tcp_hdr = new RecordVal(tcp_hdr_type);
 		int tcp_hdr_len = tp->th_off * 4;
 		int data_len = ip->PayloadLen() - tcp_hdr_len;
 		tcp_hdr->Assign(0, new PortVal(ntohs(tp->th_sport), TRANSPORT_TCP));
 		tcp_hdr->Assign(1, new PortVal(ntohs(tp->th_dport), TRANSPORT_TCP));
 		tcp_hdr->Assign(2, new Val(uint32(ntohl(tp->th_seq)), TYPE_COUNT));
 		tcp_hdr->Assign(3, new Val(uint32(ntohl(tp->th_ack)), TYPE_COUNT));
 		tcp_hdr->Assign(4, new Val(tcp_hdr_len, TYPE_COUNT));
 		tcp_hdr->Assign(5, new Val(data_len, TYPE_COUNT));
 		tcp_hdr->Assign(6, new Val(tp->th_flags, TYPE_COUNT));
 		tcp_hdr->Assign(7, new Val(ntohs(tp->th_win), TYPE_COUNT));
 		pkt_hdr->Assign(2, tcp_hdr);
 		break;
 		}
 	case IPPROTO_UDP:
 		{
 		const struct udphdr* up = (const struct udphdr*) data;
 		RecordVal* udp_hdr = new RecordVal(udp_hdr_type);
 		udp_hdr->Assign(0, new PortVal(ntohs(up->uh_sport), TRANSPORT_UDP));
 		udp_hdr->Assign(1, new PortVal(ntohs(up->uh_dport), TRANSPORT_UDP));
 		udp_hdr->Assign(2, new Val(ntohs(up->uh_ulen), TYPE_COUNT));
 		pkt_hdr->Assign(3, udp_hdr);
 		break;
 		}
 	case IPPROTO_ICMP:
 		{
 		const struct icmp* icmpp = (const struct icmp *) data;
 		RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type);
 		icmp_hdr->Assign(0, new Val(icmpp->icmp_type, TYPE_COUNT));
 		pkt_hdr->Assign(4, icmp_hdr);
 		break;
 		}
 	default:
 		{
 		// This is not a protocol we understand.
 		}
 	}
 	return pkt_hdr;
 	}
 FragReassembler* NetSessions::NextFragment(double t, const IP_Hdr* ip,
 					const u_char* pkt)
 	{
--- a/src/Sessions.h
+++ b/src/Sessions.h
@ -190,11 +190,6 @@ protected:
 	void Internal(const char* msg, const struct pcap_pkthdr* hdr,
 			const u_char* pkt);
 	// Builds a record encapsulating a packet.  This should be more
 	// general, including the equivalent of a union of tcp/udp/icmp
 	// headers .
 	Val* BuildHeader(const IP_Hdr* ip);
 	// For a given protocol, checks whether the header's length as derived
 	// from lower-level headers or the length actually captured is less
 	// than that protocol's minimum header size.
--- a/testing/btest/Baseline/bifs.install_src_addr_filter/output
+++ b/testing/btest/Baseline/bifs.install_src_addr_filter/output
@ -0,0 +1,8 @@
 [orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp]
 [orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
 [orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
 [orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
 [orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
 [orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
 [orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
 [orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
--- a/testing/btest/Baseline/core.discarder/output
+++ b/testing/btest/Baseline/core.discarder/output
@ -0,0 +1,24 @@
 ################ IP Discarder ################
 [orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
 [orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
 [orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
 [orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
 [orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
 [orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
 ################ TCP Discarder ################
 [orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp]
 [orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
 [orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
 [orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
 [orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
 [orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
 [orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
 [orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
 ################ UDP Discarder ################
 [orig_h=fe80::217:f2ff:fed7:cf65, orig_p=5353/udp, resp_h=ff02::fb, resp_p=5353/udp]
 [orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/udp, resp_h=ff02::1:3, resp_p=5355/udp]
 [orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/udp, resp_h=ff02::1:3, resp_p=5355/udp]
 [orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/udp, resp_h=ff02::1:3, resp_p=5355/udp]
 [orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/udp, resp_h=ff02::1:3, resp_p=5355/udp]
 ################ ICMP Discarder ################
 Discard icmp packet: [icmp_type=3]
--- a/testing/btest/Traces/icmp-unreach.trace
+++ b/testing/btest/Traces/icmp-unreach.trace
--- a/testing/btest/bifs/install_src_addr_filter.test
+++ b/testing/btest/bifs/install_src_addr_filter.test
@ -0,0 +1,13 @@
 # @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT >output
 # @TEST-EXEC: btest-diff output
 event bro_init()
    {
    install_src_addr_filter(141.142.220.118, TH_SYN, 100.0);
    }
 event new_packet(c: connection, p: pkt_hdr)
    {
    if ( p?$tcp && p$ip$src == 141.142.220.118 )
            print c$id;
    }
--- a/testing/btest/core/discarder.bro
+++ b/testing/btest/core/discarder.bro
@ -0,0 +1,92 @@
 # @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace discarder-ip.bro >output
 # @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace discarder-tcp.bro >>output
 # @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace discarder-udp.bro >>output
 # @TEST-EXEC: bro -C -r $TRACES/icmp-unreach.trace discarder-icmp.bro >>output
 # @TEST-EXEC: btest-diff output
@TEST-START-FILE discarder-ip.bro
 event bro_init()
 	{
 	print "################ IP Discarder ################";
 	}
 function discarder_check_ip(p: pkt_hdr): bool
    {
    if ( p?$ip && p$ip$src == 141.142.220.118 && p$ip$dst == 208.80.152.2 )
        return F;
 	return T;
    }
 event new_packet(c: connection, p: pkt_hdr)
    {
    print c$id;
    }
@TEST-END-FILE
@TEST-START-FILE discarder-tcp.bro
 event bro_init()
    {
    print "################ TCP Discarder ################";
    }
 function discarder_check_tcp(p: pkt_hdr, d: string): bool
    {
    if ( p$tcp$flags == TH_SYN )
        return F;
    return T;
    }
 event new_packet(c: connection, p: pkt_hdr)
    {
    if ( p?$tcp )
        print c$id;
    }
@TEST-END-FILE
@TEST-START-FILE discarder-udp.bro
 event bro_init()
    {
    print "################ UDP Discarder ################";
    }
 function discarder_check_udp(p: pkt_hdr, d: string): bool
    {
    if ( p?$ip6 )
        return F;
    return T;
    }
 event new_packet(c: connection, p: pkt_hdr)
    {
    if ( p?$udp )
        print c$id;
    }
@TEST-END-FILE
@TEST-START-FILE discarder-icmp.bro
 event bro_init()
    {
    print "################ ICMP Discarder ################";
    }
 function discarder_check_icmp(p: pkt_hdr): bool
    {
    print fmt("Discard icmp packet: %s", p$icmp);
    return T;
    }
 event new_packet(c: connection, p: pkt_hdr)
    {
    if ( p?$icmp )
        print c$id;
    }
@TEST-END-FILE