Move IP and IP tunnel code from Sessions into packet analyzers

src/analyzer/protocol/ayiya/AYIYA.cc

@@ -1,6 +1,8 @@
+// See the file "COPYING" in the main distribution directory for copyright.
 
 #include "AYIYA.h"
 #include "Func.h"
+#include "packet_analysis/protocol/iptunnel/IPTunnel.h"
 
 namespace zeek::analyzer::ayiya {
 
@@ -48,9 +50,10 @@ void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 	if ( result == 0 )
 		{
 		ProtocolConfirmation();
+		const zeek::EncapsulationStack* e = Conn()->GetEncapsulation();
 		EncapsulatingConn ec(Conn(), BifEnum::Tunnel::AYIYA);
-		sessions->DoNextInnerPacket(run_state::network_time, nullptr,
-		                            inner, Conn()->GetEncapsulation(), ec);
+		packet_analysis::IPTunnel::ip_tunnel_analyzer->ProcessEncapsulatedPacket(
+			run_state::network_time, nullptr, inner, e, ec);
 		}
 	else if ( result == -2 )
 		ProtocolViolation("AYIYA next header internal mismatch",

src/analyzer/protocol/gtpv1/GTPv1.cc

@@ -1,6 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "GTPv1.h"
+#include "packet_analysis/protocol/iptunnel/IPTunnel.h"
 
 #include "events.bif.h"
 
@@ -61,9 +62,10 @@ void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 			                                     std::move(gtp_hdr_val),
 			                                     inner->ToPktHdrVal());
 
+		const zeek::EncapsulationStack* e = Conn()->GetEncapsulation();
 		EncapsulatingConn ec(Conn(), BifEnum::Tunnel::GTPv1);
-		sessions->DoNextInnerPacket(run_state::network_time, nullptr,
-		                            inner, Conn()->GetEncapsulation(), ec);
+		zeek::packet_analysis::IPTunnel::ip_tunnel_analyzer->ProcessEncapsulatedPacket(
+			run_state::network_time, nullptr, inner, e, ec);
 		}
 	else if ( result == -2 )
 		ProtocolViolation("Invalid IP version in wrapped packet",

src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac

@@ -714,7 +714,6 @@ flow GTPv1_Flow(is_orig: bool)
 		%{
 		ZeekAnalyzer a = connection()->zeek_analyzer();
 		zeek::Connection* c = a->Conn();
-		const zeek::EncapsulationStack* e = c->GetEncapsulation();
 
 		if ( ${pdu.packet}.length() < (int)sizeof(struct ip) )
 			{

src/analyzer/protocol/teredo/Teredo.cc

@@ -7,6 +7,7 @@
 #include "Sessions.h"
 #include "ZeekString.h"
 #include "RunState.h"
+#include "packet_analysis/protocol/iptunnel/IPTunnel.h"
 
 #include "events.bif.h"
 
@@ -233,7 +234,8 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
 
 	EncapsulatingConn ec(Conn(), BifEnum::Tunnel::TEREDO);
 
-	sessions->DoNextInnerPacket(run_state::network_time, nullptr, inner, e, ec);
+	packet_analysis::IPTunnel::ip_tunnel_analyzer->ProcessEncapsulatedPacket(
+		run_state::network_time, nullptr, inner, e, ec);
 	}
 
 } // namespace zeek::analyzer::teredo

src/analyzer/protocol/vxlan/VXLAN.cc

@@ -10,6 +10,7 @@
 #include "Sessions.h"
 #include "Reporter.h"
 #include "packet_analysis/Manager.h"
+#include "packet_analysis/protocol/iptunnel/IPTunnel.h"
 
 #include "events.bif.h"
 
@@ -47,16 +48,27 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
 		return;
 		}
 
-	const EncapsulationStack* estack = Conn()->GetEncapsulation();
+	EncapsulationStack* outer = Conn()->GetEncapsulation();
 
-	if ( estack && estack->Depth() >= BifConst::Tunnel::max_depth )
+	if ( outer && outer->Depth() >= BifConst::Tunnel::max_depth )
 		{
 		reporter->Weird(Conn(), "tunnel_depth");
 		return;
 		}
 
+	bool delete_outer = false;
+	if ( ! outer )
+		{
+		outer = new EncapsulationStack();
+		delete_outer = true;
+		}
+
+	EncapsulatingConn inner(Conn(), BifEnum::Tunnel::VXLAN);
+	outer->Add(inner);
+
 	int vni = (data[4] << 16) + (data[5] << 8) + (data[6] << 0);
 
+	// Skip over the VXLAN header and create a new packet.
 	data += vxlan_len;
 	caplen -= vxlan_len;
 	len -= vxlan_len;
@@ -65,10 +77,14 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
 	ts.tv_sec = (time_t) run_state::current_timestamp;
 	ts.tv_usec = (suseconds_t) ((run_state::current_timestamp - (double)ts.tv_sec) * 1000000);
 	Packet pkt(DLT_EN10MB, &ts, caplen, len, data);
+	pkt.key_store["encap"] = outer;
 	packet_mgr->ProcessPacket(&pkt);
 
 	if ( ! pkt.l2_valid )
 		{
+		if ( delete_outer )
+			delete outer;
+
 		ProtocolViolation("VXLAN invalid inner ethernet frame",
 		                  (const char*) data, len);
 		return;
@@ -78,15 +94,15 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
 	len -= pkt.hdr_size;
 	caplen -= pkt.hdr_size;
 
-	IP_Hdr* inner = nullptr;
+	IP_Hdr* inner_hdr = nullptr;
 	int res = 0;
 
 	switch ( pkt.l3_proto ) {
 		case L3_IPV4:
-			res = sessions->ParseIPPacket(len, data, IPPROTO_IPV4, inner);
+			res = sessions->ParseIPPacket(len, data, IPPROTO_IPV4, inner_hdr);
 			break;
 		case L3_IPV6:
-			res = sessions->ParseIPPacket(len, data, IPPROTO_IPV6, inner);
+			res = sessions->ParseIPPacket(len, data, IPPROTO_IPV6, inner_hdr);
 			break;
 		default:
 			return;
@@ -94,7 +110,10 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
 
 	if ( res < 0 )
 		{
-		delete inner;
+		delete inner_hdr;
+		if ( delete_outer )
+			delete outer;
+
 		ProtocolViolation("Truncated VXLAN or invalid inner IP",
 		                  (const char*) data, len);
 		return;
@@ -104,10 +123,10 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
 
 	if ( vxlan_packet )
 		Conn()->EnqueueEvent(vxlan_packet, nullptr, ConnVal(),
-		                     inner->ToPktHdrVal(), val_mgr->Count(vni));
+		                     inner_hdr->ToPktHdrVal(), val_mgr->Count(vni));
 
-	EncapsulatingConn ec(Conn(), BifEnum::Tunnel::VXLAN);
-	sessions->DoNextInnerPacket(run_state::network_time, &pkt, inner, estack, ec);
+	if ( delete_outer )
+		delete outer;
 	}
 
 } // namespace zeek::analyzer::vxlan