Add a VLAN-aware flow tuple implementation.

This is a first "real" implementation of a custom tuple, adding additional fields over the standard five-tuple. Includes test cases.
2025-10-02 06:38:20 +00:00 · 2025-06-13 17:10:05 -07:00 · 2025-06-13 17:10:05 -07:00 · 29b0f844c0
commit 29b0f844c0
parent a5122b5032
16 changed files with 290 additions and 0 deletions
--- a/scripts/policy/frameworks/conn_key/vlan_fivetuple.zeek
+++ b/scripts/policy/frameworks/conn_key/vlan_fivetuple.zeek
@ -0,0 +1,14 @@
+##! This script adapts Zeek's connection key to include 802.1Q VLAN and
+##! Q-in-Q tags, when available. Zeek normally ignores VLAN tags for connection
+##! lookups; this change makes it factor them in and also makes those VLAN tags
+##! part of the :zeek:see:`conn_id` record.
+
+redef record conn_id += {
+	## The outer VLAN for this connection, if applicable.
+	vlan: int      &log &optional;
+
+	## The inner VLAN for this connection, if applicable.
+	inner_vlan: int      &log &optional;
+};
+
+redef ConnKey::factory = ConnKey::CONNKEY_VLAN_FIVETUPLE;
--- a/scripts/test-all-policy.zeek
+++ b/scripts/test-all-policy.zeek
@ -114,6 +114,7 @@
@load protocols/conn/mac-logging.zeek
@load protocols/conn/vlan-logging.zeek
@load protocols/conn/weirds.zeek
+#@load frameworks/conn_key/vlan_fivetuple.zeek
 #@load protocols/conn/speculative-service.zeek
@load protocols/dhcp/msg-orig.zeek
@load protocols/dhcp/software.zeek
--- a/scripts/zeekygen/load.zeek
+++ b/scripts/zeekygen/load.zeek
@ -2,6 +2,7 @@

 # Scripts which are commented out in test-all-policy.zeek.
@load frameworks/analyzer/deprecated-dpd-log.zeek
+@load frameworks/conn_key/vlan_fivetuple.zeek

 # Remove in v8.1: replaced by frameworks/analyzer/detect-protocols.zeek
@pragma push ignore-deprecations