Establish plugin infrastructure for ConnKey factories.

ConnKey factories are intermediaries that encapsulate the details of how to instantiate ConnKeys, which codify the hash input for connection lookups.
2025-10-02 06:38:20 +00:00 · 2025-04-09 18:49:25 -07:00 · 2025-04-09 18:49:25 -07:00 · 0c64f6a7b9
commit 0c64f6a7b9
parent d19fdfd17c
12 changed files with 257 additions and 0 deletions
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -629,6 +629,19 @@ export {
 	const add_missing_remote_network_timestamp: bool = F &redef;
 }

+module ConnKey;
+
+export {
+	## The connection key factory to use for Zeek's internal connection
+	## tracking. This is a ``ConnKey::Tag`` plugin component enum value,
+	## and the default is Zeek's traditional 5-tuple-tracking based on
+	## IP/port endpoint pairs, plus transport protocol. Plugins can provide
+	## their own implementation. You'll usually not adjust this value in
+	## isolation, but with a corresponding redef of the :zeek:type:`conn_id`
+	## record to represent additional connection tuple members.
+	const factory = ConnKey::CONNKEY_FIVETUPLE &redef;
+}
+
 module FTP;

 export {