Merge remote-tracking branch 'origin/topic/awelzel/4605-conn-id-context'

* origin/topic/awelzel/4605-conn-id-context: NEWS: Adapt for conn_id$ctx introduction conn_key/fivetuple: Drop support for non conn_id records Conn: Move conn_id init and flip to IPBasedConnKey IPBasedConnKey: Add GetTransportProto() helper input/Manager: Ignore empty record types external: Bump commit hashes for external suites ip/vlan_fivetuple: Populate nested conn_id_context, not conn_id ConnKey: Extend DoPopulateConnIdVal() with ctx btest: Update tests and baselines after adding ctx to conn_id init-bare: Add conn_id_ctx to conn_id
2025-10-02 06:38:20 +00:00 · 2025-07-03 18:41:29 +02:00 · 2025-07-03 18:41:29 +02:00 · 388cbcee48
commit 388cbcee48
parent 2a34cf3f46 a7bc144465
284 changed files with 96941 additions and 96655 deletions
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -203,6 +203,15 @@ type transport_proto: enum {
 	icmp	##< ICMP.
 };

+## A record type containing the context of a conn_id instance.
+##
+## This context is used to discriminate between :zeek:see:`conn_id` instances
+## with identical five tuples, but not otherwise related due to, e.g. being observed
+## on different VLANs, or within independent tunnel connections like VXLAN or Geneve.
+##
+## This record type is meant to be extended by custom ConnKey implementations.
+type conn_id_ctx: record { };
+
 ## A connection's identifying 4-tuple of endpoints and ports.
 ##
 ## .. note:: It's actually a 5-tuple: the transport-layer protocol is stored as
@ -218,6 +227,7 @@ type conn_id: record {
 	resp_h: addr &log;	##< The responder's IP address.
 	resp_p: port &log;	##< The responder's port number.
 	proto: count &default=65535;  ##< The transport protocol ID. Defaults to 65535 as an "unknown" value.
+	ctx: conn_id_ctx &log &default=conn_id_ctx();  ##< The context in which this connection exists.
 };

 ## The identifying 4-tuple of a uni-directional flow.
--- a/scripts/policy/frameworks/conn_key/vlan_fivetuple.zeek
+++ b/scripts/policy/frameworks/conn_key/vlan_fivetuple.zeek
@ -3,12 +3,11 @@
 ##! lookups; this change makes it factor them in and also makes those VLAN tags
 ##! part of the :zeek:see:`conn_id` record.

-redef record conn_id += {
+redef record conn_id_ctx += {
 	## The outer VLAN for this connection, if applicable.
-	vlan: int      &log &optional;
-
+	vlan: int &log &optional;
 	## The inner VLAN for this connection, if applicable.
-	inner_vlan: int      &log &optional;
+	inner_vlan: int &log &optional;
 };

 redef ConnKey::factory = ConnKey::CONNKEY_VLAN_FIVETUPLE;