mirror of
https://github.com/zeek/zeek.git
synced 2025-10-11 19:18:19 +00:00
Checkpointing the merge. Not done yet.
Merge remote-tracking branch 'origin/topic/tunnels' into topic/robin/tunnels-merge * origin/topic/tunnels: (41 commits) Extend weird names that occur in core packet processing during decapsulation. Add Teredo analysis option to reduce false positive decapsulation. Just some cleanup/documentation of new tunnel-handling code. Memory leak fixes Add a config.h definition for IPPROTO_IPV4. Add AYIYA tunnel decapsulation unit test. Add Teredo-specific events. Refactor some of the NetSessions routines that recurse on IP packets. Add independent options to toggle the different decapsulation methods Add more sanity checks before recursing on encapsulated IP packets. Suppress Teredo weirds unless decapsulation was successful once before. Tunnel support performance optimization. Add Teredo tunnel decapsulation. Fix for IP tunnel UID persistence. Fix AYIYA analyzer tag. Add summary documentation to tunnels/main.bro. Make tunnels always identifiable by UID, tunnel.log now gets populated. Some improvements to the AYIYA analyzer. Remove Tunnel::decapsulate_ip option. Remove invalid IP-in-IP encapsulated protocol value. ...
commit
1acb9fd91d
81 changed files with 2535 additions and 166 deletions
16
src/Conn.h
16
src/Conn.h
|
@ -13,6 +13,7 @@
|
|||
#include "RuleMatcher.h"
|
||||
#include "AnalyzerTags.h"
|
||||
#include "IPAddr.h"
|
||||
#include "TunnelEncapsulation.h"
|
||||
|
||||
class Connection;
|
||||
class ConnectionTimer;
|
||||
|
@ -51,9 +52,16 @@ class Analyzer;
|
|||
class Connection : public BroObj {
|
||||
public:
|
||||
Connection(NetSessions* s, HashKey* k, double t, const ConnID* id,
|
||||
uint32 flow);
|
||||
uint32 flow, const Encapsulation* arg_encap);
|
||||
virtual ~Connection();
|
||||
|
||||
// Invoked when an encapsulation is discovered. It records the
|
||||
// encapsulation with the connection and raises a "tunnel_changed"
|
||||
// event if it's different from the previous encapsulation (or the
|
||||
// first encountered). encap can be null to indicate no
|
||||
// encapsulation.
|
||||
void CheckEncapsulation(const Encapsulation* encap);
|
||||
|
||||
// Invoked when connection is about to be removed. Use Ref(this)
|
||||
// inside Done to keep the connection object around (though it'll
|
||||
// no longer be accessible from the dictionary of active
|
||||
|
@ -242,6 +250,11 @@ public:
|
|||
|
||||
void SetUID(uint64 arg_uid) { uid = arg_uid; }
|
||||
|
||||
uint64 GetUID() const { return uid; }
|
||||
|
||||
const Encapsulation* GetEncapsulation() const
|
||||
{ return encapsulation; }
|
||||
|
||||
void CheckFlowLabel(bool is_orig, uint32 flow_label);
|
||||
|
||||
protected:
|
||||
|
@ -279,6 +292,7 @@ protected:
|
|||
double inactivity_timeout;
|
||||
RecordVal* conn_val;
|
||||
LoginConn* login_conn; // either nil, or this
|
||||
const Encapsulation* encapsulation; // tunnels
|
||||
int suppress_event; // suppress certain events to once per conn.
|
||||
|
||||
unsigned int installed_status_timer:1;
|
||||
|
|
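Review bot: The new `encapsulation` member in the last hunk is a raw `const Encapsulation*` with no stated ownership, and the same is true of the `arg_encap` constructor parameter and the `CheckEncapsulation()` argument in the second hunk. The tunnel state comes from decapsulating untrusted packets, and a connection normally outlives the packet that created it, so a retained caller pointer would dangle. Conn.cc is not visible here and may already take a copy. I would put the contract in the header, for example `const Encapsulation* encapsulation; // tunnels; copy owned by this connection, may be null` if that matches the implementation, and say in the `CheckEncapsulation` comment that the argument is copied rather than kept. `GetEncapsulation()` should also note that it can return null and how long the returned pointer stays valid, since a later `CheckEncapsulation()` call can replace it.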