Merge remote-tracking branch 'origin/topic/jsiwek/ipv6-flow-label'

* origin/topic/jsiwek/ipv6-flow-label:
  Improve availability of IPv6 flow label in connection records.

Closes #821.

scripts/base/init-bare.bro

@@ -178,9 +178,9 @@ type endpoint_stats: record {
 ##    use ``count``. That should be changed.
 type AnalyzerID: count;
 
-## Statistics about an endpoint.
+## Statistics about a :bro:type:`connection` endpoint.
 ##
-## todo::Where is this used?
+## .. bro:see:: connection
 type endpoint: record {
 	size: count;	##< Logical size of data sent (for TCP: derived from sequence numbers).
 	## Endpoint state. For TCP connection, one of the constants:
@@ -194,6 +194,9 @@ type endpoint: record {
 	## Number of IP-level bytes sent. Only set if :bro:id:`use_conn_size_analyzer` is
 	## true.
 	num_bytes_ip: count &optional;
+	## The current IPv6 flow label that the connection endpoint is using.
+	## Always 0 if the connection is over IPv4.
+	flow_label: count;
 };
 
 # A connection. This is Bro's basic connection type describing IP- and

src/Conn.cc

@@ -111,7 +111,8 @@ unsigned int Connection::external_connections = 0;
 
 IMPLEMENT_SERIAL(Connection, SER_CONNECTION);
 
-Connection::Connection(NetSessions* s, HashKey* k, double t, const ConnID* id)
+Connection::Connection(NetSessions* s, HashKey* k, double t, const ConnID* id,
+                       uint32 flow)
 	{
 	sessions = s;
 	key = k;
@@ -122,6 +123,10 @@ Connection::Connection(NetSessions* s, HashKey* k, double t, const ConnID* id)
 	orig_port = id->src_port;
 	resp_port = id->dst_port;
 	proto = TRANSPORT_UNKNOWN;
+	orig_flow_label = flow;
+	resp_flow_label = 0;
+	saw_first_orig_packet = 1;
+	saw_first_resp_packet = 0;
 
 	conn_val = 0;
 	login_conn = 0;
@@ -323,10 +328,12 @@ RecordVal* Connection::BuildConnVal()
 		RecordVal *orig_endp = new RecordVal(endpoint);
 		orig_endp->Assign(0, new Val(0, TYPE_COUNT));
 		orig_endp->Assign(1, new Val(0, TYPE_COUNT));
+		orig_endp->Assign(4, new Val(orig_flow_label, TYPE_COUNT));
 
 		RecordVal *resp_endp = new RecordVal(endpoint);
 		resp_endp->Assign(0, new Val(0, TYPE_COUNT));
 		resp_endp->Assign(1, new Val(0, TYPE_COUNT));
+		resp_endp->Assign(4, new Val(resp_flow_label, TYPE_COUNT));
 
 		conn_val->Assign(0, id_val);
 		conn_val->Assign(1, orig_endp);
@@ -675,6 +682,14 @@ void Connection::FlipRoles()
 	resp_port = orig_port;
 	orig_port = tmp_port;
 
+	bool tmp_bool = saw_first_resp_packet;
+	saw_first_resp_packet = saw_first_orig_packet;
+	saw_first_orig_packet = tmp_bool;
+
+	uint32 tmp_flow = resp_flow_label;
+	resp_flow_label = orig_flow_label;
+	orig_flow_label = tmp_flow;
+
 	Unref(conn_val);
 	conn_val = 0;
 
@@ -882,3 +897,35 @@ void Connection::SetRootAnalyzer(TransportLayerAnalyzer* analyzer, PIA* pia)
 	root_analyzer = analyzer;
 	primary_PIA = pia;
 	}
+
+void Connection::CheckFlowLabel(bool is_orig, uint32 flow_label)
+	{
+	uint32& my_flow_label = is_orig ? orig_flow_label : resp_flow_label;
+
+	if ( my_flow_label != flow_label )
+		{
+		if ( conn_val )
+			{
+			RecordVal *endp = conn_val->Lookup(is_orig ? 1 : 2)->AsRecordVal();
+			endp->Assign(4, new Val(flow_label, TYPE_COUNT));
+			}
+
+		if ( connection_flow_label_changed &&
+		     (is_orig ? saw_first_orig_packet : saw_first_resp_packet) )
+			{
+			val_list* vl = new val_list(4);
+			vl->append(BuildConnVal());
+			vl->append(new Val(is_orig, TYPE_BOOL));
+			vl->append(new Val(my_flow_label, TYPE_COUNT));
+			vl->append(new Val(flow_label, TYPE_COUNT));
+			ConnectionEvent(connection_flow_label_changed, 0, vl);
+			}
+
+		my_flow_label = flow_label;
+		}
+
+	if ( is_orig )
+		saw_first_orig_packet = 1;
+	else
+		saw_first_resp_packet = 1;
+	}

src/Conn.h

@@ -50,7 +50,8 @@ class Analyzer;
 
 class Connection : public BroObj {
 public:
-	Connection(NetSessions* s, HashKey* k, double t, const ConnID* id);
+	Connection(NetSessions* s, HashKey* k, double t, const ConnID* id,
+	           uint32 flow);
 	virtual ~Connection();
 
 	// Invoked when connection is about to be removed.  Use Ref(this)
@@ -241,6 +242,8 @@ public:
 
 	void SetUID(uint64 arg_uid)	 { uid = arg_uid; }
 
+	void CheckFlowLabel(bool is_orig, uint32 flow_label);
+
 protected:
 
 	Connection()	{ persistent = 0; }
@@ -271,6 +274,7 @@ protected:
 	IPAddr resp_addr;
 	uint32 orig_port, resp_port;	// in network order
 	TransportProto proto;
+	uint32 orig_flow_label, resp_flow_label; // most recent IPv6 flow labels
 	double start_time, last_time;
 	double inactivity_timeout;
 	RecordVal* conn_val;
@@ -286,6 +290,7 @@ protected:
 	unsigned int record_packets:1, record_contents:1;
 	unsigned int persistent:1;
 	unsigned int record_current_packet:1, record_current_content:1;
+	unsigned int saw_first_orig_packet:1, saw_first_resp_packet:1;
 
 	// Count number of connections.
 	static unsigned int total_connections;

src/IP.h

@@ -524,6 +524,12 @@ public:
 	int DF() const
 		{ return ip4 ? ((ntohs(ip4->ip_off) & 0x4000) != 0) : 0; }
 
+	/**
+	 * Returns value of an IPv6 header's flow label field or 0 if it's IPv4.
+	 */
+	uint32 FlowLabel() const
+		{ return ip4 ? 0 : (ntohl(ip6->ip6_flow) & 0x000fffff); }
+
 	/**
 	 * Returns number of IP headers in packet (includes IPv6 extension headers).
 	 */

src/Sessions.cc

@@ -602,7 +602,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 	conn = (Connection*) d->Lookup(h);
 	if ( ! conn )
 		{
-		conn = NewConn(h, t, &id, data, proto);
+		conn = NewConn(h, t, &id, data, proto, ip_hdr->FlowLabel());
 		if ( conn )
 			d->Insert(h, conn);
 		}
@@ -623,7 +623,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 				conn->Event(connection_reused, 0);
 
 			Remove(conn);
-			conn = NewConn(h, t, &id, data, proto);
+			conn = NewConn(h, t, &id, data, proto, ip_hdr->FlowLabel());
 			if ( conn )
 				d->Insert(h, conn);
 			}
@@ -644,6 +644,8 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 	int is_orig = (id.src_addr == conn->OrigAddr()) &&
 			(id.src_port == conn->OrigPort());
 
+	conn->CheckFlowLabel(is_orig, ip_hdr->FlowLabel());
+
 	Val* pkt_hdr_val = 0;
 
 	if ( ipv6_ext_headers && ip_hdr->NumHeaders() > 1 )
@@ -1002,7 +1004,7 @@ void NetSessions::GetStats(SessionStats& s) const
 	}
 
 Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id,
-					const u_char* data, int proto)
+					const u_char* data, int proto, uint32 flow_label)
 	{
 	// FIXME: This should be cleaned up a bit, it's too protocol-specific.
 	// But I'm not yet sure what the right abstraction for these things is.
@@ -1058,7 +1060,7 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id,
 		id = &flip_id;
 		}
 
-	Connection* conn = new Connection(this, k, t, id);
+	Connection* conn = new Connection(this, k, t, id, flow_label);
 	conn->SetTransport(tproto);
 	dpm->BuildInitialAnalyzerTree(tproto, conn, data);
 

src/Sessions.h

@@ -142,7 +142,7 @@ protected:
 	friend class TimerMgrExpireTimer;
 
 	Connection* NewConn(HashKey* k, double t, const ConnID* id,
-			const u_char* data, int proto);
+			const u_char* data, int proto, uint32 flow_label);
 
 	// Check whether the tag of the current packet is consistent with
 	// the given connection.  Returns:

src/event.bif

@@ -402,6 +402,20 @@ event connection_reused%(c: connection%);
 ##    new_connection new_connection_contents partial_connection
 event connection_status_update%(c: connection%);
 
+## Generated for a connection over IPv6 when one direction has changed
+## the flow label that it's using.
+##
+## c: The connection.
+##
+## is_orig: True if the event is raised for the originator side.
+##
+## old_label: The old flow label that the endpoint was using.
+##
+## new_label: The new flow label that the endpoint is using.
+##
+## .. bro:see:: connection_established new_connection
+event connection_flow_label_changed%(c: connection, is_orig: bool, old_label: count, new_label: count%);
+
 ## Generated at the end of reassembled TCP connections. The TCP reassembler
 ## raised the event once for each endpoint of a connection when it finished
 ## reassembling the corresponding side of the communication.

testing/btest/Baseline/core.ipv6-flow-labels/output

@@ -0,0 +1,74 @@
+new_connection: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp]
+    orig_flow 0
+    resp_flow 0
+connection_established: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp]
+    orig_flow 0
+    resp_flow 0
+connection_flow_label_changed(resp): [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp]
+    orig_flow 0
+    resp_flow 7407
+    old_label 0
+    new_label 7407
+new_connection: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49186/tcp, resp_h=2001:470:4867:99::21, resp_p=57086/tcp]
+    orig_flow 0
+    resp_flow 0
+connection_established: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49186/tcp, resp_h=2001:470:4867:99::21, resp_p=57086/tcp]
+    orig_flow 0
+    resp_flow 0
+connection_flow_label_changed(resp): [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49186/tcp, resp_h=2001:470:4867:99::21, resp_p=57086/tcp]
+    orig_flow 0
+    resp_flow 176012
+    old_label 0
+    new_label 176012
+new_connection: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49187/tcp, resp_h=2001:470:4867:99::21, resp_p=57087/tcp]
+    orig_flow 0
+    resp_flow 0
+connection_established: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49187/tcp, resp_h=2001:470:4867:99::21, resp_p=57087/tcp]
+    orig_flow 0
+    resp_flow 0
+connection_flow_label_changed(resp): [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49187/tcp, resp_h=2001:470:4867:99::21, resp_p=57087/tcp]
+    orig_flow 0
+    resp_flow 390927
+    old_label 0
+    new_label 390927
+new_connection: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49188/tcp, resp_h=2001:470:4867:99::21, resp_p=57088/tcp]
+    orig_flow 0
+    resp_flow 0
+connection_established: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49188/tcp, resp_h=2001:470:4867:99::21, resp_p=57088/tcp]
+    orig_flow 0
+    resp_flow 0
+connection_flow_label_changed(resp): [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49188/tcp, resp_h=2001:470:4867:99::21, resp_p=57088/tcp]
+    orig_flow 0
+    resp_flow 364705
+    old_label 0
+    new_label 364705
+connection_state_remove: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49186/tcp, resp_h=2001:470:4867:99::21, resp_p=57086/tcp]
+    orig_flow 0
+    resp_flow 176012
+connection_state_remove: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49187/tcp, resp_h=2001:470:4867:99::21, resp_p=57087/tcp]
+    orig_flow 0
+    resp_flow 390927
+connection_state_remove: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49188/tcp, resp_h=2001:470:4867:99::21, resp_p=57088/tcp]
+    orig_flow 0
+    resp_flow 364705
+new_connection: [orig_h=2001:470:4867:99::21, orig_p=55785/tcp, resp_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, resp_p=49189/tcp]
+    orig_flow 267377
+    resp_flow 0
+connection_established: [orig_h=2001:470:4867:99::21, orig_p=55785/tcp, resp_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, resp_p=49189/tcp]
+    orig_flow 267377
+    resp_flow 126027
+new_connection: [orig_h=2001:470:4867:99::21, orig_p=55647/tcp, resp_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, resp_p=49190/tcp]
+    orig_flow 355265
+    resp_flow 0
+connection_established: [orig_h=2001:470:4867:99::21, orig_p=55647/tcp, resp_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, resp_p=49190/tcp]
+    orig_flow 355265
+    resp_flow 126028
+connection_state_remove: [orig_h=2001:470:4867:99::21, orig_p=55785/tcp, resp_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, resp_p=49189/tcp]
+    orig_flow 267377
+    resp_flow 126027
+connection_state_remove: [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp]
+    orig_flow 0
+    resp_flow 7407
+connection_state_remove: [orig_h=2001:470:4867:99::21, orig_p=55647/tcp, resp_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, resp_p=49190/tcp]
+    orig_flow 355265
+    resp_flow 126028

testing/btest/core/ipv6-flow-labels.test

@@ -0,0 +1,32 @@
+# @TEST-EXEC: bro -b -r $TRACES/ipv6-ftp.trace %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+function print_connection(c: connection, event_name: string)
+	{
+	print fmt("%s: %s", event_name, c$id);
+	print fmt("    orig_flow %d", c$orig$flow_label);
+	print fmt("    resp_flow %d", c$resp$flow_label);
+	}
+
+event new_connection(c: connection)
+	{
+	print_connection(c, "new_connection");
+	}
+
+event connection_established(c: connection)
+	{
+	print_connection(c, "connection_established");
+	}
+
+event connection_state_remove(c: connection)
+	{
+	print_connection(c, "connection_state_remove");
+	}
+
+event connection_flow_label_changed(c: connection, is_orig: bool,
+                                    old_label: count, new_label: count)
+	{
+	print_connection(c, fmt("connection_flow_label_changed(%s)",                             is_orig ? "orig" : "resp"));
+	print fmt("    old_label %d", old_label);
+	print fmt("    new_label %d", new_label);
+	}