teredo: Replace connection_state_remove() with RemovalHook

Remove overhead of unconditionally calling remove_teredo_connection() for *every* connection by installing a connection removal hook for only when state was allocated.
2025-10-02 14:48:21 +00:00 · 2024-09-12 21:52:19 +02:00 · 2024-09-12 21:52:19 +02:00 · 34956f4ca4
commit 34956f4ca4
parent 6a930c1cf8
3 changed files with 35 additions and 6 deletions
--- a/scripts/base/packet-protocols/teredo/main.zeek
+++ b/scripts/base/packet-protocols/teredo/main.zeek
@ -3,11 +3,15 @@ module PacketAnalyzer::TEREDO;
 # This needs to be loaded here so the functions are available. Function BIFs normally aren't
 # loaded until after the packet analysis init scripts are run, and then zeek complains it
 # can't find the function.
+@load base/bif/plugins/Zeek_Teredo.events.bif.zeek
@load base/bif/plugins/Zeek_Teredo.functions.bif

 # Needed for port registration for BPF
@load base/frameworks/analyzer/main

+# Needed to register Conn::RemovalHook
+@load base/protocols/conn/removal-hooks
+
 export {
        ## Default analyzer
        const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef;
@ -22,7 +26,14 @@ event zeek_init() &priority=20
 	PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, teredo_ports);
 	}

-event connection_state_remove(c: connection)
+# The analyzer keeps state about each Teredo connection in the
+# orig_resp_map. Register cleanup.
+hook finalize_teredo(c: connection)
 	{
 	remove_teredo_connection(c$id);
 	}
+
+event new_teredo_state(c: connection)
+	{
+	Conn::register_removal_hook(c, finalize_teredo);
+	}