From 29b0f844c04c1c7116b9cffb8d5ac12996324d7c Mon Sep 17 00:00:00 2001 
From: Christian Kreibich Date: Fri, 13 Jun 2025 17:10:05 -0700 Subject: [PATCH] Add a VLAN-aware flow tuple implementation. This is a first "real" implementation of a custom tuple, adding additional fields over the standard five-tuple. Includes test cases. --- .../frameworks/conn_key/vlan_fivetuple.zeek | 14 ++ scripts/test-all-policy.zeek | 1 + scripts/zeekygen/__load__.zeek | 1 + .../protocol/ip/conn_key/CMakeLists.txt | 1 + .../ip/conn_key/vlan_fivetuple/CMakeLists.txt | 3 + .../ip/conn_key/vlan_fivetuple/Factory.cc | 129 ++++++++++++++++++ .../ip/conn_key/vlan_fivetuple/Factory.h | 33 +++++ .../ip/conn_key/vlan_fivetuple/Plugin.cc | 24 ++++ .../conn.log.cut | 5 + .../conn.log.cut | 5 + .../conn.log.cut | 5 + .../conn.log.cut | 5 + .../conn.log.cut | 5 + .../conn.log.cut | 3 + testing/btest/Traces/vlan-collisions.pcap | Bin 0 -> 19125 bytes .../frameworks/conn_key/vlan_fivetuple.zeek | 56 ++++++++ 16 files changed, 290 insertions(+) create mode 100644 scripts/policy/frameworks/conn_key/vlan_fivetuple.zeek create mode 100644 src/packet_analysis/protocol/ip/conn_key/vlan_fivetuple/CMakeLists.txt create mode 100644 src/packet_analysis/protocol/ip/conn_key/vlan_fivetuple/Factory.cc create mode 100644 src/packet_analysis/protocol/ip/conn_key/vlan_fivetuple/Factory.h create mode 100644 src/packet_analysis/protocol/ip/conn_key/vlan_fivetuple/Plugin.cc create mode 100644 testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple-2/conn.log.cut create mode 100644 testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple-3/conn.log.cut create mode 100644 testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple-4/conn.log.cut create mode 100644 testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple-5/conn.log.cut create mode 100644 testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple-6/conn.log.cut create mode 100644 
testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple/conn.log.cut create mode 100644 testing/btest/Traces/vlan-collisions.pcap create mode 100644 testing/btest/scripts/policy/frameworks/conn_key/vlan_fivetuple.zeek
diff --git a/scripts/policy/frameworks/conn_key/vlan_fivetuple.zeek b/scripts/policy/frameworks/conn_key/vlan_fivetuple.zeek
new file mode 100644
index 0000000000..ebef3f1ec0
--- /dev/null
+++ b/scripts/policy/frameworks/conn_key/vlan_fivetuple.zeek
@@ -0,0 +1,14 @@
+##! This script adapts Zeek's connection key to include 802.1Q VLAN and
+##! Q-in-Q tags, when available. Zeek normally ignores VLAN tags for connection
+##! lookups; this change makes it factor them in and also makes those VLAN tags
+##! part of the :zeek:see:`conn_id` record.
+
+redef record conn_id += {
+ ## The outer VLAN for this connection, if applicable.
+ vlan: int &log &optional;
+
+ ## The inner VLAN for this connection, if applicable.
+ inner_vlan: int &log &optional;
+};
+
+redef ConnKey::factory = ConnKey::CONNKEY_VLAN_FIVETUPLE;
diff --git a/scripts/test-all-policy.zeek b/scripts/test-all-policy.zeek
index 6b63659cc8..cc22fd4e55 100644
--- a/scripts/test-all-policy.zeek
+++ b/scripts/test-all-policy.zeek
@@ -114,6 +114,7 @@
 @load protocols/conn/mac-logging.zeek
 @load protocols/conn/vlan-logging.zeek
 @load protocols/conn/weirds.zeek
+#@load frameworks/conn_key/vlan_fivetuple.zeek
 #@load protocols/conn/speculative-service.zeek
 @load protocols/dhcp/msg-orig.zeek
 @load protocols/dhcp/software.zeek
diff --git a/scripts/zeekygen/__load__.zeek b/scripts/zeekygen/__load__.zeek
index c5717b310e..d392c027b6 100644
--- a/scripts/zeekygen/__load__.zeek
+++ b/scripts/zeekygen/__load__.zeek
@@ -2,6 +2,7 @@
 # Scripts which are commented out in test-all-policy.zeek.
 @load frameworks/analyzer/deprecated-dpd-log.zeek
+@load frameworks/conn_key/vlan_fivetuple.zeek
 # Remove in v8.1: replaced by frameworks/analyzer/detect-protocols.zeek
 @pragma push ignore-deprecations
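Review bot: The header comment of vlan_fivetuple.zeek does not say that its final `redef ConnKey::factory` line changes connection identity process-wide, which is the one thing a user loading it needs to know: once loaded, flows that share a five-tuple but carry different VLAN tags become separate connections, so anything keyed on `conn_id` (lookups, other scripts' tables) sees different identities than before. A line such as `##! Loading this script replaces the default connection-key factory for the whole process; flows that differ only in their VLAN tags are then tracked as separate connections.` would make that explicit. The two field comments could also state that a tag value of 0 is treated as "no tag" and leaves the field unset, since that is how the C++ side populates them.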
diff --git a/src/packet_analysis/protocol/ip/conn_key/CMakeLists.txt b/src/packet_analysis/protocol/ip/conn_key/CMakeLists.txt
index 2a780c21df..95a2dd90b9 100644
--- a/src/packet_analysis/protocol/ip/conn_key/CMakeLists.txt
+++ b/src/packet_analysis/protocol/ip/conn_key/CMakeLists.txt
@@ -1,3 +1,4 @@
 zeek_add_subdir_library(connkey-ip SOURCES IPBasedConnKey.cc)
 add_subdirectory(fivetuple)
+add_subdirectory(vlan_fivetuple)
diff --git a/src/packet_analysis/protocol/ip/conn_key/vlan_fivetuple/CMakeLists.txt b/src/packet_analysis/protocol/ip/conn_key/vlan_fivetuple/CMakeLists.txt
new file mode 100644
index 0000000000..bc4c11d944
--- /dev/null
+++ b/src/packet_analysis/protocol/ip/conn_key/vlan_fivetuple/CMakeLists.txt
@@ -0,0 +1,3 @@
+zeek_add_plugin(
+ Zeek Conntuple_VLAN
+ SOURCES Factory.cc Plugin.cc)
diff --git a/src/packet_analysis/protocol/ip/conn_key/vlan_fivetuple/Factory.cc b/src/packet_analysis/protocol/ip/conn_key/vlan_fivetuple/Factory.cc
new file mode 100644
index 0000000000..a9d5c32880
--- /dev/null
+++ b/src/packet_analysis/protocol/ip/conn_key/vlan_fivetuple/Factory.cc
@@ -0,0 +1,129 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/ip/conn_key/vlan_fivetuple/Factory.h"
+
+#include
+
+#include "zeek/ID.h"
+#include "zeek/Val.h"
+#include "zeek/iosource/Packet.h"
+#include "zeek/packet_analysis/protocol/ip/conn_key/IPBasedConnKey.h"
+#include "zeek/packet_analysis/protocol/ip/conn_key/fivetuple/Factory.h"
+#include "zeek/util-types.h"
+
+namespace zeek::conn_key::vlan_fivetuple {
+
+class IPVlanConnKey : public zeek::IPBasedConnKey {
+public:
+ /**
+ * Constructor.
+ *
+ * Fill any holes in the key struct as we use the full tuple as a key.
+ */
+ IPVlanConnKey() { memset(static_cast(&key), 0, sizeof(key)); }
+
+ /**
+ * @copydoc
+ */
+ detail::PackedConnTuple& PackedTuple() override { return key.tuple; }
+
+ /**
+ * @copydoc
+ */
+ const detail::PackedConnTuple& PackedTuple() const override { return key.tuple; }
+
+protected:
+ zeek::session::detail::Key DoSessionKey() const override {
+ return {reinterpret_cast(&key), sizeof(key), session::detail::Key::CONNECTION_KEY_TYPE};
+ }
+
+ void DoPopulateConnIdVal(RecordVal& conn_id) override {
+ if ( conn_id.NumFields() <= 5 )
+ return;
+
+ // Nothing to do if we have no VLAN tags at all.
+ if ( key.vlan == 0 && key.inner_vlan == 0 )
+ return;
+
+ auto [vlan_offset, inner_vlan_offset] = GetConnIdFieldOffsets();
+
+ if ( key.vlan && vlan_offset >= 0 )
+ conn_id.Assign(vlan_offset, static_cast(key.vlan));
+ if ( key.inner_vlan && inner_vlan_offset >= 0 )
+ conn_id.Assign(inner_vlan_offset, static_cast(key.inner_vlan));
+ };
+
+ std::pair GetConnIdFieldOffsets() {
+ static int vlan_offset = -2, inner_vlan_offset = -2;
+
+ if ( vlan_offset == -2 && inner_vlan_offset == -2 ) {
+ vlan_offset = id::conn_id->FieldOffset("vlan");
+ if ( vlan_offset < 0 || id::conn_id->GetFieldType(vlan_offset)->Tag() != TYPE_INT )
+ vlan_offset = -1;
+
+ inner_vlan_offset = id::conn_id->FieldOffset("inner_vlan");
+ if ( inner_vlan_offset < 0 || id::conn_id->GetFieldType(inner_vlan_offset)->Tag() != TYPE_INT )
+ inner_vlan_offset = -1;
+ }
+
+ return {vlan_offset, inner_vlan_offset};
+ }
+
+protected:
+ void DoInit(const Packet& pkt) override {
+ key.vlan = pkt.vlan;
+ key.inner_vlan = pkt.inner_vlan;
+ }
+
+private:
+ friend class Factory;
+
+ // Key bytes:
+ struct {
+ struct detail::PackedConnTuple tuple;
+ // Add 802.1Q vlan tags to connection tuples. The tag representation
+ // here is as in the Packet class (where it's oddly 32-bit), since
+ // that's where we learn the tag values from. 0 indicates absence.
+ uint32_t vlan;
+ uint32_t inner_vlan;
+ } __attribute__((packed, aligned)) key;
+};
+
+zeek::ConnKeyPtr Factory::DoNewConnKey() const { return std::make_unique(); }
+
+zeek::expected Factory::DoConnKeyFromVal(const zeek::Val& v) const {
+ auto ck = zeek::conn_key::fivetuple::Factory::DoConnKeyFromVal(v);
+
+ if ( ! ck.has_value() )
+ return ck;
+
+ auto* k = static_cast(ck.value().get());
+ auto rt = v.GetType()->AsRecordType();
+ auto vl = v.AsRecordVal();
+
+ int vlan_offset, inner_vlan_offset;
+ if ( rt == id::conn_id ) {
+ std::tie(vlan_offset, inner_vlan_offset) = k->GetConnIdFieldOffsets();
+ }
+ else {
+ // We don't know what we've been passed.
+ vlan_offset = rt->FieldOffset("vlan");
+ inner_vlan_offset = rt->FieldOffset("inner_vlan");
+ }
+
+ if ( vlan_offset < 0 || inner_vlan_offset < 0 )
+ return zeek::unexpected{"missing vlan or inner_vlan field"};
+
+ if ( rt->GetFieldType(vlan_offset)->Tag() != TYPE_INT || rt->GetFieldType(inner_vlan_offset)->Tag() != TYPE_INT )
+ return zeek::unexpected{"vlan or inner_vlan field not of type int"};
+
+ if ( vl->HasField(vlan_offset) )
+ k->key.vlan = vl->GetFieldAs(vlan_offset);
+
+ if ( vl->HasField(inner_vlan_offset) )
+ k->key.inner_vlan = vl->GetFieldAs(inner_vlan_offset);
+
+ return ck;
+}
+
+} // namespace zeek::conn_key::vlan_fivetuple
diff --git a/src/packet_analysis/protocol/ip/conn_key/vlan_fivetuple/Factory.h b/src/packet_analysis/protocol/ip/conn_key/vlan_fivetuple/Factory.h
new file mode 100644
index 0000000000..6c941c029e
--- /dev/null
+++ b/src/packet_analysis/protocol/ip/conn_key/vlan_fivetuple/Factory.h
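Review bot: In `DoConnKeyFromVal` the script-layer `vlan`/`inner_vlan` values are copied straight into the `uint32_t` key members, with no range check between the presence/type checks and the two `GetFieldAs` assignments, so a negative or oversized value in a caller-supplied record silently wraps into a tag no packet could carry and the resulting lookup just misses; returning an error for such values, as the hunk already does for a missing field or wrong type, keeps the failure visible instead of producing a key that never matches. The sketch below uses `std::numeric_limits`, so `<limits>` would need to join the include block; if `Packet::vlan` only ever holds the 12-bit VID, `0xFFF` is the tighter bound — confirm against the packet analyzer before narrowing it. Two smaller points in the same hunk: `DoPopulateConnIdVal` ends in a stray `};`, and its `NumFields() <= 5` shortcut hard-codes the base `conn_id` field count, which would read better as a named constant or could be dropped since the offset lookup that follows already handles the no-extra-fields case.
```cpp
    // … unchanged: offset lookup and the two presence/type checks …

    // Script-layer ints are 64-bit signed while the key holds 32-bit tags, so
    // refuse values no packet could have produced instead of letting them wrap.
    auto read_tag = [vl](int offset, uint32_t& dst) -> bool {
        if ( ! vl->HasField(offset) )
            return true;

        auto tag = vl->GetFieldAs<zeek_int_t>(offset);
        if ( tag < 0 || tag > std::numeric_limits<uint32_t>::max() )
            return false;

        dst = static_cast<uint32_t>(tag);
        return true;
    };

    if ( ! read_tag(vlan_offset, k->key.vlan) || ! read_tag(inner_vlan_offset, k->key.inner_vlan) )
        return zeek::unexpected{"vlan or inner_vlan value out of range"};

    return ck;
```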
@@ -0,0 +1,33 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+#pragma once
+
+#include "zeek/ConnKey.h"
+#include "zeek/packet_analysis/protocol/ip/conn_key/fivetuple/Factory.h"
+
+namespace zeek::conn_key::vlan_fivetuple {
+
+class Factory : public zeek::conn_key::fivetuple::Factory {
+public:
+ static zeek::conn_key::FactoryPtr Instantiate() { return std::make_unique(); }
+
+private:
+ /**
+ * Instantiates a clean ConnKey derivative and returns it.
+ *
+ * @return A unique pointer to the ConnKey instance.
+ */
+ zeek::ConnKeyPtr DoNewConnKey() const override;
+
+ /**
+ * Instantiates a filled-in ConnKey derivative from a script-layer
+ * record, usually a conn_id instance. Implementations are free to
+ * implement this liberally, i.e. the input does not _have_ to be a
+ * conn_id.
+ *
+ * @param v The script-layer value providing key input.
+ * @return A unique pointer to the ConnKey instance, or an error message.
+ */
+ zeek::expected DoConnKeyFromVal(const zeek::Val& v) const override;
+};
+
+} // namespace zeek::conn_key::vlan_fivetuple
diff --git a/src/packet_analysis/protocol/ip/conn_key/vlan_fivetuple/Plugin.cc b/src/packet_analysis/protocol/ip/conn_key/vlan_fivetuple/Plugin.cc
new file mode 100644
index 0000000000..c8b443995c
--- /dev/null
+++ b/src/packet_analysis/protocol/ip/conn_key/vlan_fivetuple/Plugin.cc
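Review bot: The doc comment on `DoConnKeyFromVal` in Factory.h appears to be the generic interface text ("the input does not _have_ to be a conn_id") and does not state what this override actually requires, which Factory.cc makes stricter: the record must contain both `vlan` and `inner_vlan` fields of type `int`, otherwise an error is returned, and an unset field leaves the corresponding tag at 0. Adding that as a sentence plus an `@return` clause along the lines of `Fails if the record lacks a vlan or inner_vlan field, or either is not of type int.` would let a caller know the contract without reading the .cc file. `Instantiate()` has no comment at all; a one-liner saying it is the component's factory hook would match the style of the two methods below it.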
@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/conn_key/Component.h"
+#include "zeek/packet_analysis/protocol/ip/conn_key/vlan_fivetuple/Factory.h"
+
+namespace zeek::plugin::Zeek_ConnKey_VLAN {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure() override {
+ AddComponent(new conn_key::Component("VLAN_FIVETUPLE", zeek::conn_key::vlan_fivetuple::Factory::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "Zeek::ConnKey_Vlan_Fivetuple";
+ config.description = "ConnKey factory for 802.1Q VLAN/Q-in-Q + IP/port/proto five-tuples";
+ return config;
+ }
+};
+
+Plugin plugin;
+
+} // namespace zeek::plugin::Zeek_ConnKey_VLAN
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple-2/conn.log.cut b/testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple-2/conn.log.cut
new file mode 100644
index 0000000000..0326efbaec
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple-2/conn.log.cut
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts uid id.orig_h id.orig_p id.resp_h id.resp_p id.vlan id.inner_vlan orig_pkts resp_pkts service
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 - - 7 7 http
+XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 141.142.228.5 59856 192.150.187.43 80 10 20 7 7 http
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 141.142.228.5 59856 192.150.187.43 80 42 - 7 7 http
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple-3/conn.log.cut b/testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple-3/conn.log.cut
new file mode 100644
index 0000000000..bb15ef37f3
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple-3/conn.log.cut
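Review bot: The plugin is registered under four different spellings of its name in this commit: the CMake target is `Conntuple_VLAN` (CMakeLists.txt hunk), the namespace is `zeek::plugin::Zeek_ConnKey_VLAN`, `config.name` is `"Zeek::ConnKey_Vlan_Fivetuple"`, and the component is `"VLAN_FIVETUPLE"`. The other built-in plugins appear to keep the namespace suffix and the CMake name equal to the part of `config.name` after `Zeek::`, which makes the plugin greppable from any one of them; aligning these as `namespace zeek::plugin::Zeek_ConnKey_Vlan_Fivetuple` and `Zeek ConnKey_Vlan_Fivetuple` in CMake would follow that pattern, though the exact convention is worth confirming against the sibling fivetuple plugin. The component name is what scripts see as `ConnKey::CONNKEY_VLAN_FIVETUPLE`, so it is the one that should stay as is.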
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts uid id.orig_h id.orig_p id.resp_h id.resp_p orig_pkts resp_pkts service
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 7 7 http
+XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 141.142.228.5 59856 192.150.187.43 80 7 7 http
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 141.142.228.5 59856 192.150.187.43 80 7 7 http
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple-4/conn.log.cut b/testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple-4/conn.log.cut
new file mode 100644
index 0000000000..0326efbaec
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple-4/conn.log.cut
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts uid id.orig_h id.orig_p id.resp_h id.resp_p id.vlan id.inner_vlan orig_pkts resp_pkts service
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 - - 7 7 http
+XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 141.142.228.5 59856 192.150.187.43 80 10 20 7 7 http
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 141.142.228.5 59856 192.150.187.43 80 42 - 7 7 http
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple-5/conn.log.cut b/testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple-5/conn.log.cut
new file mode 100644
index 0000000000..0326efbaec
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple-5/conn.log.cut
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts uid id.orig_h id.orig_p id.resp_h id.resp_p id.vlan id.inner_vlan orig_pkts resp_pkts service
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 - - 7 7 http
+XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 141.142.228.5 59856 192.150.187.43 80 10 20 7 7 http
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 141.142.228.5 59856 192.150.187.43 80 42 - 7 7 http
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple-6/conn.log.cut b/testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple-6/conn.log.cut
new file mode 100644
index 0000000000..59bbcde6f1
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple-6/conn.log.cut
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts uid id.orig_h id.orig_p id.resp_h id.resp_p id.vlan id.inner_vlan orig_pkts resp_pkts service
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 - - 7 7 http
+XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 141.142.228.5 59856 192.150.187.43 80 - - 7 7 http
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 141.142.228.5 59856 192.150.187.43 80 - - 7 7 http
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple/conn.log.cut b/testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple/conn.log.cut
new file mode 100644
index 0000000000..6a3949becc
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.frameworks.conn_key.vlan_fivetuple/conn.log.cut
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts uid id.orig_h id.orig_p id.resp_h id.resp_p orig_pkts resp_pkts service
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 21 21 http
diff --git a/testing/btest/Traces/vlan-collisions.pcap b/testing/btest/Traces/vlan-collisions.pcap new file mode 100644 index 0000000000000000000000000000000000000000..7c1ea4c6f989261dc1b8cbb90ed6cbad6c976b55 GIT binary patch literal 19125 zcmeHPTWlOx86LYyTNa$8sDkp+o~A8v+|1s*zGTz1b$m1T>y+@nix(B83qQR0x$R&3(`b*fAD`(` zHvQo{=RQ9D^63-jp1n~SSCsqTf9!tc{_AV+KKj@P>t8wX>$^XCTbcgv?fD|z{LAi( z7k9j(DBbJUztnZzb?dsiZcKe??|Y2?wyxWkp1om%GJ~J#ib{V(d7|&LSz%vkgR&RG z>GC!A*OAii!4{Ov_1`R$?z9JG`lGi`o;q_c_ORpGFAhJEp7!-$*L`Cu^W9xvC;hRP z8^|)w!41kTNTn;PyOdmb>lw1l(wR2P?11$9mNv1w8#`cQ-y&s_OcHN6v_W|j!suEd z@#Vcwk;LwO9VOnv?q0VPmpD0IVj10TTBgnQ%;@fs{gdOf={d(%d1E2%EqH8qsWhF* zrE@*0gRXGYk&3XqB0F3W9{sk!dUftJ4J(&V=hNA(J*g2*6Ls9tm+9+C?Y3Qfgt)Zr zRC-dQwq*&;Gi=9);h3n?e#@A1Od1DK! zQD3*v^ndyL)mt_y6HuS7_#OhRuF2imX&^Y-8CWHpLzMCD+gLxniNeh~G?3m3mUM!Z|9OA{(i5 zttvA4bRpf(dMAW#I~-xMkGq~aW$Q-S5IW*X=-XI+I~!?KNLZfb`-_F`#e5)ayu>R- zwmFv{%&7%!cqrRHFw6(bT6S|7aOw=VD#AsuEqcP0q2?h{)qTRMc-0~+3}pv;Qp-VC zWS&tIcEj5_u#MID!p>YayLx~kaHX`;VjVm8#DbTpo7}K=Fs;fRS9m)QmL}9;isV!_ zogZZ1mb*~1!)m_3as$O&wwNt2H9M5erc#Xcu?b_ruqv!k*I`T*Qb_x4tXVa*D%0$S zsk6GF%`>kmSktj_s|Fn$+hk?K6lvBwW6v2Do3(2-;cSh`oSdFyu2Hc_zNB)MLW2nd@<{;WFD| z!f|Ye_3p*TS)(cDp&V8#v{oC!0xXv=4rBqBs7YqH;R;qWETh(_F-Lr>VK_o(qf>ld zFks0AZ_?`d^dLbgx&T>pMAw&hO!w)+6rNxrnr~^E zQ(+|7C0{7QKyYT%E}Upx)f!%~;hJz=ULntnamx@U;)5?r*I@Vk5t%vII$z8U7V#k> zv(yxP-X*;q=*?jX-**5--GpU1vqTg26|4;NhW;fmxM?7Ytw02pjcz5EWmvNSC~oht zEXh1j7uK%XG3GYvb=x7(w41oK;{`+mxdUohu&%K{)@;{+l#-gMY)=_T!F>Y0usBS` zH~>{a^0Nps1ab{XCSj&w3B-ZG15H-vE=*E&>_(+3MKQ)r3IPbhiX*xMt3%oyg9Afp z3IfJdHX~~GQ3(aRCfMZugN9pUWyh{D-kfhm1mLp#aDVGz{2CCk>y)IWrHLjOc%lwZ zBj65}MrqyUX9tJdpY`wcH|vTzcen@Z1|rpo_~V7`t;YjO2yfJiFpas$T-rrda9udk zI4+C>62#QRQ~Zn#Jh7b6>pm+q|@E&xer@kFgI$(7t3=j9e?+F4g_CKug| zzgo7~Pf^xl`+bJznTXtQQJ6@Lhj|C;2k2yENcxx9_IPEb14xIK23Zv;GdEN$fLsTn z8U*GHB6y3-8pKvCU@aNO+^IBb$e975!Q(oDvBQew@?DJz?dHl&MGv)El_DH@%0?W@ z@Hae{A+hL&j{mvBEU(;bh&Hea*0?9}6)f0kCk!b#LWn`F|{#e{-Dq&p#eA|I+v4 z%{L)8JO!6+lMxUKE6l0^HaScyw4gD3b 
zn*(1>*~bjigc1$~vh-KrzM$}g*TjPKp-b%GHs&5eHxGYy@KPXCH(XDGkyMlE+@b13 zfW8bwfo?b*o|OeJJt>($KJJH(X4laz0qPA$6DyH1TchI0qe7CFBl2oF5Pl=HX?VP1 zc&ZfIVQHiZdX#L5;yGYeH!MY&Y1=4FVOGOI6ChCiN{*-t2YFN$gq>^A%V2@n7@|@B zlA4@t36QmgA>%p=tRnkl0?8KL{33$`aG~@PI!Ea6hS;gKZQ4RglNE3V=%O1 z%r#`i7ZOK%Eej3$7)73+Tw=hE*%`*u9D$xL^pc16c#iVR>XvC0taG}?QFkAv&Wg4` zq;J}lfF`!#cfdLdmMtD_Y!NwJptF(I;nrdeq1hSWA-~CH5K@qv+^XF~`~feh`eow; zSg@;WNMFdc{DyKK^`$GvWUbbri6c*y3=7tgy|oNHza$47xQXIo zbOePoqKld*376T~eKM@2YVscBM%#jRvjWE04KoETc3{cPK}|qY!p#6F`bzjM+7{&V zc)FdsSAkmVHkr;kHujc2JvuTi`2aN;0)6Dta_bEvdc5kG&#Y@sT_|@!-s!{gWsqacf=U z^{p#6yvMJt80sn16G(V+XaH2qOplayue|@T?aXs@d(>2d2__sNs3Y}90Mt`pJOG{n zvUEWOVAw#>6yeV9$7VF-(b?4X(}&`1lNLxCFgRxJ-NQw8AT zpR^2<1hfiL2yD{A7;d0YCWvv1n~Rv11WXXc7S?X9Tu^BoGg!l+xVeirQ z{q#|HZ1M|1T$-o@nHr3l@ce?m(p?gJW0IyhaDx}#FQhiv?RV5>iEKs{G%T_{)vWn>{wvULwmBq zxhMUjA3FYt+BLSqrykssgt{GZm@-G?~Vc#%f#`|eqm7`3S{apXxlfcX6H+YTUJ zKY8lHS$yL{Inv)cfcOLl5Fe7n_kP;d@!KKsUv-O$rr9D10>__=vPn3&B?es z8Fwe|tuy&aGQb6l zyXjhO3Y3h!ld-q|rS5BB?0wrWmItcQ5p8trsT9^S`o8aqB(G)s{pXjiMCY}Pz`t;@ zt91wv5C8BG;P@KG;7>=S#%&x*UCSu^8?Sa>$tZjc`u;5conn.log.cut +# @TEST-EXEC: btest-diff conn.log.cut + +# Default operation: Zeek isn't VLAN-aware, a single conn.log entry results. + +# @TEST-START-NEXT + +# Switch to VLAN-aware flow tuples: multiple conn.log entries with full +# information. + +@load frameworks/conn_key/vlan_fivetuple + +# @TEST-START-NEXT + +# Leave out the conn_id redef: Zeek still distinguishes flows so multiple +# conn.log entries result, but conn.log doesn't show the VLAN fields. + +redef ConnKey::factory = ConnKey::CONNKEY_VLAN_FIVETUPLE; + +# @TEST-START-NEXT + +# Add an extra field before the VLAN ones, to throw off any fixed-offset code. + +redef record conn_id += { + foo: int &default=1; +}; + +@load frameworks/conn_key/vlan_fivetuple + +# @TEST-START-NEXT + +# Add the right fields, but in the wrong order. (zeek-cut obscures the difference.) 
+ +redef record conn_id += { + inner_vlan: int &log &optional; + vlan: int &log &optional; +}; + +redef ConnKey::factory = ConnKey::CONNKEY_VLAN_FIVETUPLE; + +# @TEST-START-NEXT + +# Add the right fields, but with the wrong types. + +redef record conn_id += { + vlan: string &log &optional; + inner_vlan: string &log &optional; +}; + +redef ConnKey::factory = ConnKey::CONNKEY_VLAN_FIVETUPLE;