Optimize Conn::set_conn to minimize operations

Now that Conn::set_conn is guaranteed to be called at the beginning and at the end of the connection, we can skip re-setting the elements that we know will not have changed. This prevents repeated lookups, e.g. to check that addresses are in the local networks. During `connection_state_remove`, only the duration, number of packets, service, and history fields are updated. local_orig and local_resp are updated when the connection is flipped. A test was added for that purpose. It uses the already existing http.zeek-image-post-1080-8000-x.pcap, which was slightly rewritten for this, so that one side of the connection has IP addresses different from 127.0.0.1. The existing history-flip test also was updated to have one side being in a local-net, to check that the flipping of local_orig and local_resp works correctly at the beginning of a connection.
2025-10-02 06:38:20 +00:00 · 2025-07-23 10:46:31 +01:00 · 2025-07-23 10:46:31 +01:00 · 83d5243cf6
commit 83d5243cf6
parent 3e4f67e67c
10 changed files with 58 additions and 32 deletions
--- a/testing/btest/core/history-flip.zeek
+++ b/testing/btest/core/history-flip.zeek
@ -1,5 +1,8 @@
+# @TEST-DOC: Check that connection flip appears in history. Also check that local-orig is flipped correctly.
 # @TEST-EXEC: zeek -b -C -r $TRACES/tcp/missing-syn.pcap %INPUT
 # @TEST-EXEC: btest-diff conn.log

@load base/protocols/http
@load policy/protocols/conn/mac-logging
+
+redef Site::local_nets = { 125.190.109.0/24 };
--- a/testing/btest/core/local-flip.zeek
+++ b/testing/btest/core/local-flip.zeek
@ -0,0 +1,6 @@
+# @TEST-DOC: This check that local origin/responders are correctly flipped when the flip occurs later in the connection.
+# @TEST-EXEC: zeek -b -C -r $TRACES/http/zeek-image-post-1080-8000-x.pcap %INPUT
+# @TEST-EXEC: btest-diff conn.log
+
+@load base/protocols/http
+@load policy/protocols/conn/mac-logging