Trim the list of "global type pointers" from NetVar.h further

Most of them are deprecated now, with usage sites now doing the lookup
themselves.

NEWS

@@ -171,8 +171,8 @@ Deprecated Functionality
 
 - ``Val::Type()`` is deprecated, use ``Val::GetType``.
 
-- Most global type/value pointers in NetVar.h are deprecated, but there's
+- Most global type/value pointers in NetVar.h are deprecated, but one can
-  analogous ``IntrusivePtr`` in ``zeek::vars``.
+  still always perform the lookup themselves.
 
 Zeek 3.1.0
 ==========

src/Conn.cc

@@ -346,7 +346,7 @@ const IntrusivePtr<RecordVal>& Connection::ConnVal()
 	{
 	if ( ! conn_val )
 		{
-		conn_val = make_intrusive<RecordVal>(zeek::vars::connection_type);
+		conn_val = make_intrusive<RecordVal>(zeek::vars::connection);
 
 		TransportProto prot_type = ConnTransport();
 

src/EventHandler.cc

@@ -5,6 +5,7 @@
 #include "Scope.h"
 #include "NetVar.h"
 #include "ID.h"
+#include "Var.h"
 
 #include "broker/Manager.h"
 #include "broker/Data.h"
@@ -127,7 +128,8 @@ void EventHandler::NewEvent(const zeek::Args& vl)
 		return;
 
 	RecordType* args = FType()->Args();
-	auto vargs = make_intrusive<VectorVal>(zeek::vars::call_argument_vector);
+	static auto call_argument_vector = zeek::lookup_type<VectorType>("call_argument_vector");
+	auto vargs = make_intrusive<VectorVal>(call_argument_vector);
 
 	for ( int i = 0; i < args->NumFields(); i++ )
 		{
@@ -135,7 +137,8 @@ void EventHandler::NewEvent(const zeek::Args& vl)
 		const auto& ftype = args->GetFieldType(i);
 		auto fdefault = args->FieldDefault(i);
 
-		auto rec = make_intrusive<RecordVal>(zeek::vars::call_argument);
+		static auto call_argument = zeek::lookup_type<RecordType>("call_argument");
+		auto rec = make_intrusive<RecordVal>(call_argument);
 		rec->Assign(0, make_intrusive<StringVal>(fname));
 
 		ODesc d;

src/File.cc

@@ -29,6 +29,7 @@
 #include "Event.h"
 #include "Reporter.h"
 #include "Desc.h"
+#include "Var.h"
 
 std::list<std::pair<std::string, BroFile*>> BroFile::open_files;
 
@@ -277,7 +278,8 @@ RecordVal* BroFile::Rotate()
 	if ( f == stdin || f == stdout || f == stderr )
 		return nullptr;
 
-	RecordVal* info = new RecordVal(zeek::vars::rotate_info);
+	static auto rotate_info = zeek::lookup_type<RecordType>("rotate_info");
+	RecordVal* info = new RecordVal(rotate_info);
 	FILE* newf = rotate_file(name, info);
 
 	if ( ! newf )

src/NetVar.cc

@@ -226,7 +226,7 @@ void init_net_var()
 #include "reporter.bif.netvar_init"
 #include "supervisor.bif.netvar_init"
 
-	zeek::vars::detail::Init();
+	zeek::vars::detail::init();
 
 	ignore_checksums = opt_internal_int("ignore_checksums");
 	partial_connection_ok = opt_internal_int("partial_connection_ok");

src/NetVar.h

@@ -12,27 +12,27 @@
 extern RecordType* conn_id;
 [[deprecated("Remove in v4.1.  Use zeek::vars::endpoint.")]]
 extern RecordType* endpoint;
-[[deprecated("Remove in v4.1.  Use zeek::vars::endpoint_stats.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* endpoint_stats;
-[[deprecated("Remove in v4.1.  Use zeek::vars::connection_type.")]]
+[[deprecated("Remove in v4.1.  Use zeek::vars::connection.")]]
 extern RecordType* connection_type;
-[[deprecated("Remove in v4.1.  Use zeek::vars::fa_file_type.")]]
+[[deprecated("Remove in v4.1.  Use zeek::vars::fa_file.")]]
 extern RecordType* fa_file_type;
-[[deprecated("Remove in v4.1.  Use zeek::vars::fa_metadata_type.")]]
+[[deprecated("Remove in v4.1.  Use zeek::vars::fa_metadata.")]]
 extern RecordType* fa_metadata_type;
-[[deprecated("Remove in v4.1.  Use zeek::vars::icmp_conn.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* icmp_conn;
-[[deprecated("Remove in v4.1.  Use zeek::vars::icmp_context.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* icmp_context;
-[[deprecated("Remove in v4.1.  Use zeek::vars::signature_state.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* signature_state;
-[[deprecated("Remove in v4.1.  Use zeek::vars::SYN_packet.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* SYN_packet;
-[[deprecated("Remove in v4.1.  Use zeek::vars::pcap_packet.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* pcap_packet;
-[[deprecated("Remove in v4.1.  Use zeek::vars::raw_pkt_hdr_type.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* raw_pkt_hdr_type;
-[[deprecated("Remove in v4.1.  Use zeek::vars::l2_hdr_type.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* l2_hdr_type;
 [[deprecated("Remove in v4.1.  Use zeek::vars::transport_proto.")]]
 extern EnumType* transport_proto;
@@ -46,9 +46,9 @@ extern TableType* count_set;
 extern VectorType* string_vec;
 [[deprecated("Remove in v4.1.  Use zeek::vars::index_vec.")]]
 extern VectorType* index_vec;
-[[deprecated("Remove in v4.1.  Use zeek::vars::mime_matches.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern VectorType* mime_matches;
-[[deprecated("Remove in v4.1.  Use zeek::vars::mime_match.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* mime_match;
 
 extern int watchdog_interval;
@@ -77,7 +77,7 @@ extern int tcp_max_above_hole_without_any_acks;
 extern int tcp_excessive_data_without_further_acks;
 extern int tcp_max_old_segments;
 
-[[deprecated("Remove in v4.1.  Use zeek::vars::socks_address.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* socks_address;
 
 extern double non_analyzed_lifetime;
@@ -88,23 +88,23 @@ extern double icmp_inactivity_timeout;
 extern int tcp_storm_thresh;
 extern double tcp_storm_interarrival_thresh;
 
-[[deprecated("Remove in v4.1.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern TableVal* tcp_reassembler_ports_orig;
-[[deprecated("Remove in v4.1.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern TableVal* tcp_reassembler_ports_resp;
 
-[[deprecated("Remove in v4.1.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern TableVal* tcp_content_delivery_ports_orig;
-[[deprecated("Remove in v4.1.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern TableVal* tcp_content_delivery_ports_resp;
 extern bool tcp_content_deliver_all_orig;
 extern bool tcp_content_deliver_all_resp;
 
-[[deprecated("Remove in v4.1.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern TableVal* udp_content_delivery_ports_orig;
-[[deprecated("Remove in v4.1.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern TableVal* udp_content_delivery_ports_resp;
-[[deprecated("Remove in v4.1.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern TableVal* udp_content_ports;
 extern bool udp_content_deliver_all_orig;
 extern bool udp_content_deliver_all_resp;
@@ -115,54 +115,54 @@ extern double rpc_timeout;
 
 extern int mime_segment_length;
 extern int mime_segment_overlap_length;
-[[deprecated("Remove in v4.1.  Use zeek::vars::mime_header_rec.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* mime_header_rec;
-[[deprecated("Remove in v4.1.  Use zeek::vars::mime_header_list.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern TableType* mime_header_list;
 
 extern int http_entity_data_delivery_size;
-[[deprecated("Remove in v4.1.  Use zeek::vars::http_stats_rec.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* http_stats_rec;
-[[deprecated("Remove in v4.1.  Use zeek::vars::http_message_stat.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* http_message_stat;
 extern int truncate_http_URI;
 
-[[deprecated("Remove in v4.1.  Use zeek::vars::pm_mapping.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* pm_mapping;
-[[deprecated("Remove in v4.1.  Use zeek::vars::pm_mappings.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern TableType* pm_mappings;
-[[deprecated("Remove in v4.1.  Use zeek::vars::pm_port_request.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* pm_port_request;
-[[deprecated("Remove in v4.1.  Use zeek::vars::pm_callit_request.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* pm_callit_request;
 
-[[deprecated("Remove in v4.1.  Use zeek::vars::geo_location.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* geo_location;
 
-[[deprecated("Remove in v4.1.  Use zeek::vars::entropy_test_result.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* entropy_test_result;
 
-[[deprecated("Remove in v4.1.  Use zeek::vars::dns_msg.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* dns_msg;
-[[deprecated("Remove in v4.1.  Use zeek::vars::dns_answer.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* dns_answer;
-[[deprecated("Remove in v4.1.  Use zeek::vars::dns_soa.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* dns_soa;
-[[deprecated("Remove in v4.1.  Use zeek::vars::dns_edns_additional.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* dns_edns_additional;
-[[deprecated("Remove in v4.1.  Use zeek::vars::dns_tsig_additional.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* dns_tsig_additional;
-[[deprecated("Remove in v4.1.  Use zeek::vars::dns_rrsig_rr.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* dns_rrsig_rr;
-[[deprecated("Remove in v4.1.  Use zeek::vars::dns_dnskey_rr.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* dns_dnskey_rr;
-[[deprecated("Remove in v4.1.  Use zeek::vars::dns_nsec3_rr.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* dns_nsec3_rr;
-[[deprecated("Remove in v4.1.  Use zeek::vars::dns_ds_rr.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* dns_ds_rr;
-[[deprecated("Remove in v4.1.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern TableVal* dns_skip_auth;
-[[deprecated("Remove in v4.1.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern TableVal* dns_skip_addl;
 extern int dns_skip_all_auth;
 extern int dns_skip_all_addl;
@@ -170,7 +170,7 @@ extern int dns_max_queries;
 
 extern double stp_delta;
 extern double stp_idle_min;
-[[deprecated("Remove in v4.1.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern TableVal* stp_skip_src;
 
 extern double table_expire_interval;
@@ -179,24 +179,24 @@ extern int table_incremental_step;
 
 extern int orig_addr_anonymization, resp_addr_anonymization;
 extern int other_addr_anonymization;
-[[deprecated("Remove in v4.1.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern TableVal* preserve_orig_addr;
-[[deprecated("Remove in v4.1.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern TableVal* preserve_resp_addr;
-[[deprecated("Remove in v4.1.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern TableVal* preserve_other_addr;
 
 extern double connection_status_update_interval;
 
-[[deprecated("Remove in v4.1.  Use zeek::vars::rotate_info.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* rotate_info;
-[[deprecated("Remove in v4.1.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern StringVal* log_rotate_base_time;
 
-[[deprecated("Remove in v4.1.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern StringVal* peer_description;
 
-[[deprecated("Remove in v4.1.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern Val* profiling_file;
 extern double profiling_interval;
 extern int expensive_profiling_multiple;
@@ -204,7 +204,7 @@ extern int expensive_profiling_multiple;
 extern int segment_profiling;
 extern int pkt_profile_mode;
 extern double pkt_profile_freq;
-[[deprecated("Remove in v4.1.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern Val* pkt_profile_file;
 
 extern int load_sample_freq;
@@ -213,9 +213,9 @@ extern int packet_filter_default;
 
 extern int sig_max_group_size;
 
-[[deprecated("Remove in v4.1.  Use zeek::vars::irc_join_list.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern TableType* irc_join_list;
-[[deprecated("Remove in v4.1.  Use zeek::vars::irc_join_info.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* irc_join_info;
 
 extern int dpd_reassemble_first_packets;
@@ -224,7 +224,7 @@ extern int dpd_match_only_beginning;
 extern int dpd_late_match_stop;
 extern int dpd_ignore_ports;
 
-[[deprecated("Remove in v4.1.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern TableVal* likely_server_ports;
 
 extern int check_for_unused_event_handlers;
@@ -233,28 +233,28 @@ extern int suppress_local_output;
 
 extern double timer_mgr_inactivity_timeout;
 
-[[deprecated("Remove in v4.1.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern StringVal* trace_output_file;
 
 extern int record_all_packets;
 
-[[deprecated("Remove in v4.1.  Use zeek::vars::script_id.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* script_id;
-[[deprecated("Remove in v4.1.  Use zeek::vars::id_table.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern TableType* id_table;
-[[deprecated("Remove in v4.1.  Use zeek::vars::record_field.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* record_field;
-[[deprecated("Remove in v4.1.  Use zeek::vars::record_field_table.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern TableType* record_field_table;
-[[deprecated("Remove in v4.1.  Use zeek::vars::call_argument.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern RecordType* call_argument;
-[[deprecated("Remove in v4.1.  Use zeek::vars::call_argument_vector.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern VectorType* call_argument_vector;
 
-[[deprecated("Remove in v4.1.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern StringVal* cmd_line_bpf_filter;
 
-[[deprecated("Remove in v4.1.")]]
+[[deprecated("Remove in v4.1.  Perform your own lookup.")]]
 extern StringVal* global_hash_seed;
 
 extern bro_uint_t bits_per_uid;

src/RuleCondition.cc

@@ -145,8 +145,9 @@ RuleConditionEval::RuleConditionEval(const char* func)
 		if ( f->Yield()->Tag() != TYPE_BOOL )
 			rules_error("eval function type must yield a 'bool'", func);
 
+		static auto signature_state = zeek::lookup_type<RecordType>("signature_state");
 		TypeList tl;
-		tl.Append(zeek::vars::signature_state);
+		tl.Append(signature_state);
 		tl.Append(base_type(TYPE_STRING));
 
 		if ( ! f->CheckArgs(tl.Types()) )

src/RuleMatcher.cc

@@ -20,6 +20,7 @@
 #include "File.h"
 #include "Reporter.h"
 #include "module_util.h"
+#include "Var.h"
 
 using namespace std;
 
@@ -79,7 +80,8 @@ RuleHdrTest::RuleHdrTest(Prot arg_prot, Comp arg_comp, vector<IPPrefix> arg_v)
 Val* RuleMatcher::BuildRuleStateValue(const Rule* rule,
 					const RuleEndpointState* state) const
 	{
-	RecordVal* val = new RecordVal(zeek::vars::signature_state);
+	static auto signature_state = zeek::lookup_type<RecordType>("signature_state");
+	RecordVal* val = new RecordVal(signature_state);
 	val->Assign(0, make_intrusive<StringVal>(rule->ID()));
 	val->Assign(1, state->GetAnalyzer()->ConnVal());
 	val->Assign(2, val_mgr->Bool(state->is_orig));

src/Type.cc

@@ -796,7 +796,9 @@ static string container_type_name(const BroType* ft)
 
 IntrusivePtr<TableVal> RecordType::GetRecordFieldsVal(const RecordVal* rv) const
 	{
-	auto rval = make_intrusive<TableVal>(zeek::lookup_type<TableType>("record_field_table"));
+	static auto record_field = zeek::lookup_type<RecordType>("record_field");
+	static auto record_field_table = zeek::lookup_type<TableType>("record_field_table");
+	auto rval = make_intrusive<TableVal>(record_field_table);
 
 	for ( int i = 0; i < NumFields(); ++i )
 		{
@@ -812,7 +814,7 @@ IntrusivePtr<TableVal> RecordType::GetRecordFieldsVal(const RecordVal* rv) const
 
 		bool logged = (fd->attrs && fd->FindAttr(ATTR_LOG) != nullptr);
 
-		auto nr = make_intrusive<RecordVal>(zeek::lookup_type("record_field")->AsRecordType());
+		auto nr = make_intrusive<RecordVal>(record_field);
 
 		string s = container_type_name(ft.get());
 		nr->Assign(0, make_intrusive<StringVal>(s));

src/Val.cc

@@ -411,12 +411,13 @@ bool Val::WouldOverflow(const BroType* from_type, const BroType* to_type, const
 
 IntrusivePtr<TableVal> Val::GetRecordFields()
 	{
+	static auto record_field_table = zeek::lookup_type<TableType>("record_field_table");
 	auto t = GetType().get();
 
 	if ( t->Tag() != TYPE_RECORD && t->Tag() != TYPE_TYPE )
 		{
 		reporter->Error("non-record value/type passed to record_fields");
-		return make_intrusive<TableVal>(zeek::lookup_type<TableType>("record_field_table"));
+		return make_intrusive<TableVal>(record_field_table);
 		}
 
 	RecordType* rt = nullptr;
@@ -434,7 +435,7 @@ IntrusivePtr<TableVal> Val::GetRecordFields()
 		if ( t->Tag() != TYPE_RECORD )
 			{
 			reporter->Error("non-record value/type passed to record_fields");
-			return make_intrusive<TableVal>(zeek::lookup_type<TableType>("record_field_table"));
+			return make_intrusive<TableVal>(record_field_table);
 			}
 
 		rt = t->AsRecordType();

src/ZeekVars.cc

@@ -3,163 +3,119 @@
 #include "ZeekVars.h"
 #include "Var.h"
 #include "NetVar.h"
+#include "Scope.h"
 
 IntrusivePtr<RecordType> zeek::vars::conn_id;
 IntrusivePtr<RecordType> zeek::vars::endpoint;
-IntrusivePtr<RecordType> zeek::vars::endpoint_stats;
+IntrusivePtr<RecordType> zeek::vars::connection;
-IntrusivePtr<RecordType> zeek::vars::connection_type;
+IntrusivePtr<RecordType> zeek::vars::fa_file;
-IntrusivePtr<RecordType> zeek::vars::fa_file_type;
+IntrusivePtr<RecordType> zeek::vars::fa_metadata;
-IntrusivePtr<RecordType> zeek::vars::fa_metadata_type;
-IntrusivePtr<RecordType> zeek::vars::icmp_conn;
-IntrusivePtr<RecordType> zeek::vars::icmp_context;
-IntrusivePtr<RecordType> zeek::vars::signature_state;
-IntrusivePtr<RecordType> zeek::vars::SYN_packet;
-IntrusivePtr<RecordType> zeek::vars::pcap_packet;
-IntrusivePtr<RecordType> zeek::vars::raw_pkt_hdr_type;
-IntrusivePtr<RecordType> zeek::vars::l2_hdr_type;
 IntrusivePtr<EnumType> zeek::vars::transport_proto;
 IntrusivePtr<TableType> zeek::vars::string_set;
 IntrusivePtr<TableType> zeek::vars::string_array;
 IntrusivePtr<TableType> zeek::vars::count_set;
 IntrusivePtr<VectorType> zeek::vars::string_vec;
 IntrusivePtr<VectorType> zeek::vars::index_vec;
-IntrusivePtr<VectorType> zeek::vars::mime_matches;
-IntrusivePtr<RecordType> zeek::vars::mime_match;
-IntrusivePtr<RecordType> zeek::vars::socks_address;
-IntrusivePtr<RecordType> zeek::vars::mime_header_rec;
-IntrusivePtr<TableType> zeek::vars::mime_header_list;
-IntrusivePtr<RecordType> zeek::vars::http_stats_rec;
-IntrusivePtr<RecordType> zeek::vars::http_message_stat;
-IntrusivePtr<RecordType> zeek::vars::pm_mapping;
-IntrusivePtr<TableType> zeek::vars::pm_mappings;
-IntrusivePtr<RecordType> zeek::vars::pm_port_request;
-IntrusivePtr<RecordType> zeek::vars::pm_callit_request;
-IntrusivePtr<RecordType> zeek::vars::geo_location;
-IntrusivePtr<RecordType> zeek::vars::entropy_test_result;
-IntrusivePtr<RecordType> zeek::vars::dns_msg;
-IntrusivePtr<RecordType> zeek::vars::dns_answer;
-IntrusivePtr<RecordType> zeek::vars::dns_soa;
-IntrusivePtr<RecordType> zeek::vars::dns_edns_additional;
-IntrusivePtr<RecordType> zeek::vars::dns_tsig_additional;
-IntrusivePtr<RecordType> zeek::vars::dns_rrsig_rr;
-IntrusivePtr<RecordType> zeek::vars::dns_dnskey_rr;
-IntrusivePtr<RecordType> zeek::vars::dns_nsec3_rr;
-IntrusivePtr<RecordType> zeek::vars::dns_ds_rr;
-IntrusivePtr<RecordType> zeek::vars::rotate_info;
-IntrusivePtr<TableType> zeek::vars::irc_join_list;
-IntrusivePtr<RecordType> zeek::vars::irc_join_info;
-IntrusivePtr<RecordType> zeek::vars::script_id;
-IntrusivePtr<TableType> zeek::vars::id_table;
-IntrusivePtr<RecordType> zeek::vars::record_field;
-IntrusivePtr<TableType> zeek::vars::record_field_table;
-IntrusivePtr<RecordType> zeek::vars::call_argument;
-IntrusivePtr<VectorType> zeek::vars::call_argument_vector;
 
-void zeek::vars::detail::Init()
+void zeek::vars::detail::init()
 	{
 	// Types
 	conn_id = zeek::lookup_type<RecordType>("conn_id");
 	endpoint = zeek::lookup_type<RecordType>("endpoint");
-	endpoint_stats = zeek::lookup_type<RecordType>("endpoint_stats");
+	connection = zeek::lookup_type<RecordType>("connection");
-	connection_type = zeek::lookup_type<RecordType>("connection");
+	fa_file = zeek::lookup_type<RecordType>("fa_file");
-	fa_file_type = zeek::lookup_type<RecordType>("fa_file");
+	fa_metadata = zeek::lookup_type<RecordType>("fa_metadata");
-	fa_metadata_type = zeek::lookup_type<RecordType>("fa_metadata");
-	icmp_conn = zeek::lookup_type<RecordType>("icmp_conn");
-	icmp_context = zeek::lookup_type<RecordType>("icmp_context");
-	signature_state = zeek::lookup_type<RecordType>("signature_state");
-	SYN_packet = zeek::lookup_type<RecordType>("SYN_packet");
-	pcap_packet = zeek::lookup_type<RecordType>("pcap_packet");
-	raw_pkt_hdr_type = zeek::lookup_type<RecordType>("raw_pkt_hdr");
-	l2_hdr_type = zeek::lookup_type<RecordType>("l2_hdr");
 	transport_proto = zeek::lookup_type<EnumType>("transport_proto");
 	string_set = zeek::lookup_type<TableType>("string_set");
 	string_array = zeek::lookup_type<TableType>("string_array");
 	count_set = zeek::lookup_type<TableType>("count_set");
 	string_vec = zeek::lookup_type<VectorType>("string_vec");
 	index_vec = zeek::lookup_type<VectorType>("index_vec");
-	mime_matches = zeek::lookup_type<VectorType>("mime_matches");
-	mime_match = zeek::lookup_type<RecordType>("mime_match");
-	socks_address = zeek::lookup_type<RecordType>("SOCKS::Address");
-	mime_header_rec = zeek::lookup_type<RecordType>("mime_header_rec");
-	mime_header_list = zeek::lookup_type<TableType>("mime_header_list");
-	http_stats_rec = zeek::lookup_type<RecordType>("http_stats_rec");
-	http_message_stat = zeek::lookup_type<RecordType>("http_message_stat");
-	pm_mapping = zeek::lookup_type<RecordType>("pm_mapping");
-	pm_mappings = zeek::lookup_type<TableType>("pm_mappings");
-	pm_port_request = zeek::lookup_type<RecordType>("pm_port_request");
-	pm_callit_request = zeek::lookup_type<RecordType>("pm_callit_request");
-	geo_location = zeek::lookup_type<RecordType>("geo_location");
-	entropy_test_result = zeek::lookup_type<RecordType>("entropy_test_result");
-	dns_msg = zeek::lookup_type<RecordType>("dns_msg");
-	dns_answer = zeek::lookup_type<RecordType>("dns_answer");
-	dns_soa = zeek::lookup_type<RecordType>("dns_soa");
-	dns_edns_additional = zeek::lookup_type<RecordType>("dns_edns_additional");
-	dns_tsig_additional = zeek::lookup_type<RecordType>("dns_tsig_additional");
-	dns_rrsig_rr = zeek::lookup_type<RecordType>("dns_rrsig_rr");
-	dns_dnskey_rr = zeek::lookup_type<RecordType>("dns_dnskey_rr");
-	dns_nsec3_rr = zeek::lookup_type<RecordType>("dns_nsec3_rr");
-	dns_ds_rr = zeek::lookup_type<RecordType>("dns_ds_rr");
-	rotate_info = zeek::lookup_type<RecordType>("rotate_info");
-	irc_join_list = zeek::lookup_type<TableType>("irc_join_list");
-	irc_join_info = zeek::lookup_type<RecordType>("irc_join_info");
-	script_id = zeek::lookup_type<RecordType>("script_id");
-	id_table = zeek::lookup_type<TableType>("id_table");
-	record_field = zeek::lookup_type<RecordType>("record_field");
-	record_field_table = zeek::lookup_type<TableType>("record_field_table");
-	call_argument = zeek::lookup_type<RecordType>("call_argument");
-	call_argument_vector = zeek::lookup_type<VectorType>("call_argument_vector");
 
 	// Note: to bypass deprecation warnings on setting the legacy globals,
 	// CMake was told to compile this file with -Wno-deprecated-declarations.
 	// Once the legacy globals are removed, that compile flag can go also.
 	::conn_id = conn_id.get();
 	::endpoint = endpoint.get();
-	::endpoint_stats = endpoint_stats.get();
+	::connection_type = connection.get();
-	::connection_type = connection_type.get();
+	::fa_file_type = fa_file.get();
-	::fa_file_type = fa_file_type.get();
+	::fa_metadata_type = fa_metadata.get();
-	::fa_metadata_type = fa_metadata_type.get();
+	::icmp_conn = zeek::lookup_type("icmp_conn")->AsRecordType();
-	::icmp_conn = icmp_conn.get();
+	::icmp_context = zeek::lookup_type("icmp_context")->AsRecordType();
-	::icmp_context = icmp_context.get();
+	::signature_state = zeek::lookup_type("signature_state")->AsRecordType();
-	::signature_state = signature_state.get();
+	::SYN_packet = zeek::lookup_type("SYN_packet")->AsRecordType();
-	::SYN_packet = SYN_packet.get();
+	::pcap_packet = zeek::lookup_type("pcap_packet")->AsRecordType();
-	::pcap_packet = pcap_packet.get();
+	::raw_pkt_hdr_type = zeek::lookup_type("raw_pkt_hdr")->AsRecordType();
-	::raw_pkt_hdr_type = raw_pkt_hdr_type.get();
+	::l2_hdr_type = zeek::lookup_type("l2_hdr")->AsRecordType();
-	::l2_hdr_type = l2_hdr_type.get();
 	::transport_proto = transport_proto.get();
 	::string_set = string_set.get();
 	::string_array = string_array.get();
 	::count_set = count_set.get();
 	::string_vec = string_vec.get();
 	::index_vec = index_vec.get();
-	::mime_matches = mime_matches.get();
+	::mime_matches = zeek::lookup_type("mime_matches")->AsVectorType();
-	::mime_match = mime_match.get();
+	::mime_match = zeek::lookup_type("mime_match")->AsRecordType();
-	::socks_address = socks_address.get();
+	::socks_address = zeek::lookup_type("SOCKS::Address")->AsRecordType();
-	::mime_header_rec = mime_header_rec.get();
+	::mime_header_rec = zeek::lookup_type("mime_header_rec")->AsRecordType();
-	::mime_header_list = mime_header_list.get();
+	::mime_header_list = zeek::lookup_type("mime_header_list")->AsTableType();
-	::http_stats_rec = http_stats_rec.get();
+	::http_stats_rec = zeek::lookup_type("http_stats_rec")->AsRecordType();
-	::http_message_stat = http_message_stat.get();
+	::http_message_stat = zeek::lookup_type("http_message_stat")->AsRecordType();
-	::pm_mapping = pm_mapping.get();
+	::pm_mapping = zeek::lookup_type("pm_mapping")->AsRecordType();
-	::pm_mappings = pm_mappings.get();
+	::pm_mappings = zeek::lookup_type("pm_mappings")->AsTableType();
-	::pm_port_request = pm_port_request.get();
+	::pm_port_request = zeek::lookup_type("pm_port_request")->AsRecordType();
-	::pm_callit_request = pm_callit_request.get();
+	::pm_callit_request = zeek::lookup_type("pm_callit_request")->AsRecordType();
-	::geo_location = geo_location.get();
+	::geo_location = zeek::lookup_type("geo_location")->AsRecordType();
-	::entropy_test_result = entropy_test_result.get();
+	::entropy_test_result = zeek::lookup_type("entropy_test_result")->AsRecordType();
-	::dns_msg = dns_msg.get();
+	::dns_msg = zeek::lookup_type("dns_msg")->AsRecordType();
-	::dns_answer = dns_answer.get();
+	::dns_answer = zeek::lookup_type("dns_answer")->AsRecordType();
-	::dns_soa = dns_soa.get();
+	::dns_soa = zeek::lookup_type("dns_soa")->AsRecordType();
-	::dns_edns_additional = dns_edns_additional.get();
+	::dns_edns_additional = zeek::lookup_type("dns_edns_additional")->AsRecordType();
-	::dns_tsig_additional = dns_tsig_additional.get();
+	::dns_tsig_additional = zeek::lookup_type("dns_tsig_additional")->AsRecordType();
-	::dns_rrsig_rr = dns_rrsig_rr.get();
+	::dns_rrsig_rr = zeek::lookup_type("dns_rrsig_rr")->AsRecordType();
-	::dns_dnskey_rr = dns_dnskey_rr.get();
+	::dns_dnskey_rr = zeek::lookup_type("dns_dnskey_rr")->AsRecordType();
-	::dns_nsec3_rr = dns_nsec3_rr.get();
+	::dns_nsec3_rr = zeek::lookup_type("dns_nsec3_rr")->AsRecordType();
-	::dns_ds_rr = dns_ds_rr.get();
+	::dns_ds_rr = zeek::lookup_type("dns_ds_rr")->AsRecordType();
-	::rotate_info = rotate_info.get();
+	::rotate_info = zeek::lookup_type("rotate_info")->AsRecordType();
-	::irc_join_list = irc_join_list.get();
+	::irc_join_list = zeek::lookup_type("irc_join_list")->AsTableType();
-	::irc_join_info = irc_join_info.get();
+	::irc_join_info = zeek::lookup_type("irc_join_info")->AsRecordType();
-	::script_id = script_id.get();
+	::script_id = zeek::lookup_type("script_id")->AsRecordType();
-	::id_table = id_table.get();
+	::id_table = zeek::lookup_type("id_table")->AsTableType();
-	::record_field = record_field.get();
+	::record_field = zeek::lookup_type("record_field")->AsRecordType();
-	::record_field_table = record_field_table.get();
+	::record_field_table = zeek::lookup_type("record_field_table")->AsTableType();
-	::call_argument = call_argument.get();
+	::call_argument = zeek::lookup_type("call_argument")->AsRecordType();
-	::call_argument_vector = call_argument_vector.get();
+	::call_argument_vector = zeek::lookup_type("call_argument_vector")->AsVectorType();
+
+	::log_rotate_base_time = zeek::lookup_val("log_rotate_base_time")->AsStringVal();
+	::pkt_profile_file = zeek::lookup_val("pkt_profile_file").get();
+	::likely_server_ports = zeek::lookup_val("likely_server_ports")->AsTableVal();
+	::tcp_content_delivery_ports_orig = zeek::lookup_val("tcp_content_delivery_ports_orig")->AsTableVal();
+	::tcp_content_delivery_ports_resp = zeek::lookup_val("tcp_content_delivery_ports_resp")->AsTableVal();
+	::stp_skip_src = zeek::lookup_val("stp_skip_src")->AsTableVal();
+	::dns_skip_auth = zeek::lookup_val("dns_skip_auth")->AsTableVal();
+	::dns_skip_addl = zeek::lookup_val("dns_skip_addl")->AsTableVal();
+	::udp_content_ports = zeek::lookup_val("udp_content_ports")->AsTableVal();
+	::udp_content_delivery_ports_orig = zeek::lookup_val("udp_content_delivery_ports_orig")->AsTableVal();
+	::udp_content_delivery_ports_resp = zeek::lookup_val("udp_content_delivery_ports_resp")->AsTableVal();
+	::profiling_file = zeek::lookup_val("profiling_file").get();
+	::global_hash_seed = zeek::lookup_val("global_hash_seed")->AsStringVal();
+	::tcp_reassembler_ports_orig = zeek::lookup_val("tcp_reassembler_ports_orig")->AsTableVal();
+	::tcp_reassembler_ports_resp = zeek::lookup_val("tcp_reassembler_ports_resp")->AsTableVal();
+	::peer_description = zeek::lookup_val("peer_description")->AsStringVal();
+	::trace_output_file = zeek::lookup_val("trace_output_file")->AsStringVal();
+	::cmd_line_bpf_filter = zeek::lookup_val("cmd_line_bpf_filter")->AsStringVal();
+
+	auto anon_id = global_scope()->Lookup("preserve_orig_addr");
+
+	if ( anon_id )
+		preserve_orig_addr = anon_id->GetVal()->AsTableVal();
+
+	anon_id = global_scope()->Lookup("preserve_resp_addr");
+
+	if ( anon_id )
+		preserve_resp_addr = anon_id->GetVal()->AsTableVal();
+
+	anon_id = global_scope()->Lookup("preserve_other_addr");
+
+	if ( anon_id )
+		preserve_other_addr = anon_id->GetVal()->AsTableVal();
 	}

src/ZeekVars.h

@@ -7,61 +7,22 @@
 #include "IntrusivePtr.h"
 
 namespace zeek { namespace vars { namespace detail {
-void Init();
+void init();
 }}}
 
 namespace zeek { namespace vars {
 
-// Types
+// Common Types
 extern IntrusivePtr<RecordType> conn_id;
 extern IntrusivePtr<RecordType> endpoint;
-extern IntrusivePtr<RecordType> endpoint_stats;
+extern IntrusivePtr<RecordType> connection;
-extern IntrusivePtr<RecordType> connection_type;
+extern IntrusivePtr<RecordType> fa_file;
-extern IntrusivePtr<RecordType> fa_file_type;
+extern IntrusivePtr<RecordType> fa_metadata;
-extern IntrusivePtr<RecordType> fa_metadata_type;
-extern IntrusivePtr<RecordType> icmp_conn;
-extern IntrusivePtr<RecordType> icmp_context;
-extern IntrusivePtr<RecordType> signature_state;
-extern IntrusivePtr<RecordType> SYN_packet;
-extern IntrusivePtr<RecordType> pcap_packet;
-extern IntrusivePtr<RecordType> raw_pkt_hdr_type;
-extern IntrusivePtr<RecordType> l2_hdr_type;
 extern IntrusivePtr<EnumType> transport_proto;
 extern IntrusivePtr<TableType> string_set;
 extern IntrusivePtr<TableType> string_array;
 extern IntrusivePtr<TableType> count_set;
 extern IntrusivePtr<VectorType> string_vec;
 extern IntrusivePtr<VectorType> index_vec;
-extern IntrusivePtr<VectorType> mime_matches;
-extern IntrusivePtr<RecordType> mime_match;
-extern IntrusivePtr<RecordType> socks_address;
-extern IntrusivePtr<RecordType> mime_header_rec;
-extern IntrusivePtr<TableType> mime_header_list;
-extern IntrusivePtr<RecordType> http_stats_rec;
-extern IntrusivePtr<RecordType> http_message_stat;
-extern IntrusivePtr<RecordType> pm_mapping;
-extern IntrusivePtr<TableType> pm_mappings;
-extern IntrusivePtr<RecordType> pm_port_request;
-extern IntrusivePtr<RecordType> pm_callit_request;
-extern IntrusivePtr<RecordType> geo_location;
-extern IntrusivePtr<RecordType> entropy_test_result;
-extern IntrusivePtr<RecordType> dns_msg;
-extern IntrusivePtr<RecordType> dns_answer;
-extern IntrusivePtr<RecordType> dns_soa;
-extern IntrusivePtr<RecordType> dns_edns_additional;
-extern IntrusivePtr<RecordType> dns_tsig_additional;
-extern IntrusivePtr<RecordType> dns_rrsig_rr;
-extern IntrusivePtr<RecordType> dns_dnskey_rr;
-extern IntrusivePtr<RecordType> dns_nsec3_rr;
-extern IntrusivePtr<RecordType> dns_ds_rr;
-extern IntrusivePtr<RecordType> rotate_info;
-extern IntrusivePtr<TableType> irc_join_list;
-extern IntrusivePtr<RecordType> irc_join_info;
-extern IntrusivePtr<RecordType> script_id;
-extern IntrusivePtr<TableType> id_table;
-extern IntrusivePtr<RecordType> record_field;
-extern IntrusivePtr<TableType> record_field_table;
-extern IntrusivePtr<RecordType> call_argument;
-extern IntrusivePtr<VectorType> call_argument_vector;
 
 }} // namespace zeek::vars

src/analyzer/protocol/dns/DNS.cc

@@ -595,7 +595,8 @@ bool DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
 
 	if ( dns_SOA_reply && ! msg->skip_event )
 		{
-		auto r = make_intrusive<RecordVal>(zeek::vars::dns_soa);
+		static auto dns_soa = zeek::lookup_type<RecordType>("dns_soa");
+		auto r = make_intrusive<RecordVal>(dns_soa);
 		r->Assign(0, make_intrusive<StringVal>(new BroString(mname, mname_end - mname, true)));
 		r->Assign(1, make_intrusive<StringVal>(new BroString(rname, rname_end - rname, true)));
 		r->Assign(2, val_mgr->Count(serial));
@@ -1438,7 +1439,8 @@ DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, int arg_is_query)
 
 IntrusivePtr<RecordVal> DNS_MsgInfo::BuildHdrVal()
 	{
-	auto r = make_intrusive<RecordVal>(zeek::vars::dns_msg);
+	static auto dns_msg = zeek::lookup_type<RecordType>("dns_msg");
+	auto r = make_intrusive<RecordVal>(dns_msg);
 
 	r->Assign(0, val_mgr->Count(id));
 	r->Assign(1, val_mgr->Count(opcode));
@@ -1459,7 +1461,8 @@ IntrusivePtr<RecordVal> DNS_MsgInfo::BuildHdrVal()
 
 IntrusivePtr<RecordVal> DNS_MsgInfo::BuildAnswerVal()
 	{
-	auto r = make_intrusive<RecordVal>(zeek::vars::dns_answer);
+	static auto dns_answer = zeek::lookup_type<RecordType>("dns_answer");
+	auto r = make_intrusive<RecordVal>(dns_answer);
 
 	r->Assign(0, val_mgr->Count(int(answer_type)));
 	r->Assign(1, query_name);
@@ -1474,7 +1477,8 @@ IntrusivePtr<RecordVal> DNS_MsgInfo::BuildEDNS_Val()
 	{
 	// We have to treat the additional record type in EDNS differently
 	// than a regular resource record.
-	auto r = make_intrusive<RecordVal>(zeek::vars::dns_edns_additional);
+	static auto dns_edns_additional = zeek::lookup_type<RecordType>("dns_edns_additional");
+	auto r = make_intrusive<RecordVal>(dns_edns_additional);
 
 	r->Assign(0, val_mgr->Count(int(answer_type)));
 	r->Assign(1, query_name);
@@ -1507,7 +1511,8 @@ IntrusivePtr<RecordVal> DNS_MsgInfo::BuildEDNS_Val()
 
 IntrusivePtr<RecordVal> DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig)
 	{
-	auto r = make_intrusive<RecordVal>(zeek::vars::dns_tsig_additional);
+	static auto dns_tsig_additional = zeek::lookup_type<RecordType>("dns_tsig_additional");
+	auto r = make_intrusive<RecordVal>(dns_tsig_additional);
 	double rtime = tsig->time_s + tsig->time_ms / 1000.0;
 
 	// r->Assign(0, val_mgr->Count(int(answer_type)));
@@ -1526,7 +1531,8 @@ IntrusivePtr<RecordVal> DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig)
 
 IntrusivePtr<RecordVal> DNS_MsgInfo::BuildRRSIG_Val(RRSIG_DATA* rrsig)
 	{
-	auto r = make_intrusive<RecordVal>(zeek::vars::dns_rrsig_rr);
+	static auto dns_rrsig_rr = zeek::lookup_type<RecordType>("dns_rrsig_rr");
+	auto r = make_intrusive<RecordVal>(dns_rrsig_rr);
 
 	r->Assign(0, query_name);
 	r->Assign(1, val_mgr->Count(int(answer_type)));
@@ -1546,7 +1552,8 @@ IntrusivePtr<RecordVal> DNS_MsgInfo::BuildRRSIG_Val(RRSIG_DATA* rrsig)
 
 IntrusivePtr<RecordVal> DNS_MsgInfo::BuildDNSKEY_Val(DNSKEY_DATA* dnskey)
 	{
-	auto r = make_intrusive<RecordVal>(zeek::vars::dns_dnskey_rr);
+	static auto dns_dnskey_rr = zeek::lookup_type<RecordType>("dns_dnskey_rr");
+	auto r = make_intrusive<RecordVal>(dns_dnskey_rr);
 
 	r->Assign(0, query_name);
 	r->Assign(1, val_mgr->Count(int(answer_type)));
@@ -1561,7 +1568,8 @@ IntrusivePtr<RecordVal> DNS_MsgInfo::BuildDNSKEY_Val(DNSKEY_DATA* dnskey)
 
 IntrusivePtr<RecordVal> DNS_MsgInfo::BuildNSEC3_Val(NSEC3_DATA* nsec3)
 	{
-	auto r = make_intrusive<RecordVal>(zeek::vars::dns_nsec3_rr);
+	static auto dns_nsec3_rr = zeek::lookup_type<RecordType>("dns_nsec3_rr");
+	auto r = make_intrusive<RecordVal>(dns_nsec3_rr);
 
 	r->Assign(0, query_name);
 	r->Assign(1, val_mgr->Count(int(answer_type)));
@@ -1580,7 +1588,8 @@ IntrusivePtr<RecordVal> DNS_MsgInfo::BuildNSEC3_Val(NSEC3_DATA* nsec3)
 
 IntrusivePtr<RecordVal> DNS_MsgInfo::BuildDS_Val(DS_DATA* ds)
 	{
-	auto r = make_intrusive<RecordVal>(zeek::vars::dns_ds_rr);
+	static auto dns_ds_rr = zeek::lookup_type<RecordType>("dns_ds_rr");
+	auto r = make_intrusive<RecordVal>(dns_ds_rr);
 
 	r->Assign(0, query_name);
 	r->Assign(1, val_mgr->Count(int(answer_type)));

src/analyzer/protocol/http/HTTP.cc

@@ -615,7 +615,8 @@ HTTP_Message::~HTTP_Message()
 
 IntrusivePtr<RecordVal> HTTP_Message::BuildMessageStat(bool interrupted, const char* msg)
 	{
-	auto stat = make_intrusive<RecordVal>(zeek::vars::http_message_stat);
+	static auto http_message_stat = zeek::lookup_type<RecordType>("http_message_stat");
+	auto stat = make_intrusive<RecordVal>(http_message_stat);
 	int field = 0;
 	stat->Assign(field++, make_intrusive<Val>(start_time, TYPE_TIME));
 	stat->Assign(field++, val_mgr->Bool(interrupted));
@@ -1151,7 +1152,8 @@ void HTTP_Analyzer::GenStats()
 	{
 	if ( http_stats )
 		{
-		auto r = make_intrusive<RecordVal>(zeek::vars::http_stats_rec);
+		static auto http_stats_rec = zeek::lookup_type<RecordType>("http_stats_rec");
+		auto r = make_intrusive<RecordVal>(http_stats_rec);
 		r->Assign(0, val_mgr->Count(num_requests));
 		r->Assign(1, val_mgr->Count(num_replies));
 		r->Assign(2, make_intrusive<Val>(request_version.ToDouble(), TYPE_DOUBLE));

src/analyzer/protocol/icmp/ICMP.cc

@@ -225,7 +225,8 @@ ICMP_Analyzer::BuildICMPVal(const struct icmp* icmpp, int len,
 	{
 	if ( ! icmp_conn_val )
 		{
-		icmp_conn_val = make_intrusive<RecordVal>(zeek::vars::icmp_conn);
+		static auto icmp_conn = zeek::lookup_type<RecordType>("icmp_conn");
+		icmp_conn_val = make_intrusive<RecordVal>(icmp_conn);
 
 		icmp_conn_val->Assign(0, make_intrusive<AddrVal>(Conn()->OrigAddr()));
 		icmp_conn_val->Assign(1, make_intrusive<AddrVal>(Conn()->RespAddr()));
@@ -350,7 +351,8 @@ IntrusivePtr<RecordVal> ICMP_Analyzer::ExtractICMP4Context(int len, const u_char
 			}
 		}
 
-	auto iprec = make_intrusive<RecordVal>(zeek::vars::icmp_context);
+	static auto icmp_context = zeek::lookup_type<RecordType>("icmp_context");
+	auto iprec = make_intrusive<RecordVal>(icmp_context);
 	auto id_val = make_intrusive<RecordVal>(zeek::vars::conn_id);
 
 	id_val->Assign(0, make_intrusive<AddrVal>(src_addr));
@@ -409,7 +411,8 @@ IntrusivePtr<RecordVal> ICMP_Analyzer::ExtractICMP6Context(int len, const u_char
 			}
 		}
 
-	auto iprec = make_intrusive<RecordVal>(zeek::vars::icmp_context);
+	static auto icmp_context = zeek::lookup_type<RecordType>("icmp_context");
+	auto iprec = make_intrusive<RecordVal>(icmp_context);
 	auto id_val = make_intrusive<RecordVal>(zeek::vars::conn_id);
 
 	id_val->Assign(0, make_intrusive<AddrVal>(src_addr));

src/analyzer/protocol/irc/IRC.cc

@@ -44,6 +44,8 @@ inline void IRC_Analyzer::SkipLeadingWhitespace(string& str)
 
 void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	{
+	static auto irc_join_list = zeek::lookup_type<TableType>("irc_join_list");
+	static auto irc_join_info = zeek::lookup_type<RecordType>("irc_join_info");
 	tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
 
 	if ( starttls )
@@ -836,7 +838,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				nickname = prefix.substr(0, pos);
 			}
 
-		auto list = make_intrusive<TableVal>(zeek::vars::irc_join_list);
+		auto list = make_intrusive<TableVal>(irc_join_list);
 
 		vector<string> channels = SplitWords(parts[0], ',');
 		vector<string> passwords;
@@ -847,7 +849,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		string empty_string = "";
 		for ( unsigned int i = 0; i < channels.size(); ++i )
 			{
-			RecordVal* info = new RecordVal(zeek::vars::irc_join_info);
+			RecordVal* info = new RecordVal(irc_join_info);
 			info->Assign(0, make_intrusive<StringVal>(nickname.c_str()));
 			info->Assign(1, make_intrusive<StringVal>(channels[i].c_str()));
 			if ( i < passwords.size() )
@@ -881,13 +883,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			parts[1] = parts[1].substr(1);
 
 		vector<string> users = SplitWords(parts[1], ',');
-		auto list = make_intrusive<TableVal>(zeek::vars::irc_join_list);
+		auto list = make_intrusive<TableVal>(irc_join_list);
 
 		string empty_string = "";
 
 		for ( unsigned int i = 0; i < users.size(); ++i )
 			{
-			auto info = make_intrusive<RecordVal>(zeek::vars::irc_join_info);
+			auto info = make_intrusive<RecordVal>(irc_join_info);
 			string nick = users[i];
 			string mode = "none";
 

src/analyzer/protocol/mime/MIME.cc

@@ -1289,7 +1289,8 @@ void MIME_Entity::DebugPrintHeaders()
 
 IntrusivePtr<RecordVal> MIME_Message::BuildHeaderVal(MIME_Header* h)
 	{
-	auto header_record = make_intrusive<RecordVal>(zeek::vars::mime_header_rec);
+	static auto mime_header_rec = zeek::lookup_type<RecordType>("mime_header_rec");
+	auto header_record = make_intrusive<RecordVal>(mime_header_rec);
 	header_record->Assign(0, new_string_val(h->get_name()));
 	auto upper_hn = new_string_val(h->get_name());
 	upper_hn->ToUpper();
@@ -1300,7 +1301,8 @@ IntrusivePtr<RecordVal> MIME_Message::BuildHeaderVal(MIME_Header* h)
 
 IntrusivePtr<TableVal> MIME_Message::BuildHeaderTable(MIME_HeaderList& hlist)
 	{
-	auto t = make_intrusive<TableVal>(zeek::vars::mime_header_list);
+	static auto mime_header_list = zeek::lookup_type<TableType>("mime_header_list");
+	auto t = make_intrusive<TableVal>(mime_header_list);
 
 	for ( unsigned int i = 0; i < hlist.size(); ++i )
 		{

src/analyzer/protocol/rpc/Portmap.cc

@@ -138,7 +138,8 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
 		event = success ? pm_request_dump : pm_attempt_dump;
 		if ( success )
 			{
-			TableVal* mappings = new TableVal(zeek::vars::pm_mappings);
+			static auto pm_mappings = zeek::lookup_type<TableType>("pm_mappings");
+			TableVal* mappings = new TableVal(pm_mappings);
 			uint32_t nmap = 0;
 
 			// Each call in the loop test pulls the next "opted"
@@ -193,7 +194,8 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
 
 Val* PortmapperInterp::ExtractMapping(const u_char*& buf, int& len)
 	{
-	RecordVal* mapping = new RecordVal(zeek::vars::pm_mapping);
+	static auto pm_mapping = zeek::lookup_type<RecordType>("pm_mapping");
+	RecordVal* mapping = new RecordVal(pm_mapping);
 
 	mapping->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len)));
 	mapping->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len)));
@@ -213,7 +215,8 @@ Val* PortmapperInterp::ExtractMapping(const u_char*& buf, int& len)
 
 Val* PortmapperInterp::ExtractPortRequest(const u_char*& buf, int& len)
 	{
-	RecordVal* pr = new RecordVal(zeek::vars::pm_port_request);
+	static auto pm_port_request = zeek::lookup_type<RecordType>("pm_port_request");
+	RecordVal* pr = new RecordVal(pm_port_request);
 
 	pr->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len)));
 	pr->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len)));
@@ -233,7 +236,8 @@ Val* PortmapperInterp::ExtractPortRequest(const u_char*& buf, int& len)
 
 Val* PortmapperInterp::ExtractCallItRequest(const u_char*& buf, int& len)
 	{
-	RecordVal* c = new RecordVal(zeek::vars::pm_callit_request);
+	static auto pm_callit_request = zeek::lookup_type<RecordType>("pm_callit_request");
+	RecordVal* c = new RecordVal(pm_callit_request);
 
 	c->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len)));
 	c->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len)));

src/analyzer/protocol/sip/sip-analyzer.pac

@@ -67,7 +67,8 @@ refine flow SIP_Flow += {
 
 	function build_sip_headers_val(): BroVal
 		%{
-		TableVal* t = new TableVal(zeek::vars::mime_header_list);
+		static auto mime_header_list = zeek::lookup_type<TableType>("mime_header_list");
+		TableVal* t = new TableVal(mime_header_list);
 
 		for ( unsigned int i = 0; i < headers.size(); ++i )
 			{ // index starting from 1
@@ -101,7 +102,8 @@ refine flow SIP_Flow += {
 
 	function build_sip_header_val(name: const_bytestring, value: const_bytestring): BroVal
 		%{
-		RecordVal* header_record = new RecordVal(zeek::vars::mime_header_rec);
+		static auto mime_header_rec = zeek::lookup_type<RecordType>("mime_header_rec");
+		RecordVal* header_record = new RecordVal(mime_header_rec);
 		IntrusivePtr<StringVal> name_val;
 
 		if ( name.length() > 0 )

src/analyzer/protocol/socks/socks-analyzer.pac

@@ -24,7 +24,8 @@ refine connection SOCKS_Conn += {
 		%{
 		if ( socks_request )
 			{
-			auto sa = make_intrusive<RecordVal>(zeek::vars::socks_address);
+			static auto socks_address = zeek::lookup_type<RecordType>("SOCKS::Address");
+			auto sa = make_intrusive<RecordVal>(socks_address);
 			sa->Assign(0, make_intrusive<AddrVal>(htonl(${request.addr})));
 
 			if ( ${request.v4a} )
@@ -48,7 +49,8 @@ refine connection SOCKS_Conn += {
 		%{
 		if ( socks_reply )
 			{
-			auto sa = make_intrusive<RecordVal>(zeek::vars::socks_address);
+			static auto socks_address = zeek::lookup_type<RecordType>("SOCKS::Address");
+			auto sa = make_intrusive<RecordVal>(socks_address);
 			sa->Assign(0, make_intrusive<AddrVal>(htonl(${reply.addr})));
 
 			BifEvent::enqueue_socks_reply(bro_analyzer(),
@@ -80,7 +82,8 @@ refine connection SOCKS_Conn += {
 			return false;
 			}
 
-		auto sa = make_intrusive<RecordVal>(zeek::vars::socks_address);
+		static auto socks_address = zeek::lookup_type<RecordType>("SOCKS::Address");
+		auto sa = make_intrusive<RecordVal>(socks_address);
 
 		// This is dumb and there must be a better way (checking for presence of a field)...
 		switch ( ${request.remote_name.addr_type} )
@@ -119,7 +122,8 @@ refine connection SOCKS_Conn += {
 
 	function socks5_reply(reply: SOCKS5_Reply): bool
 		%{
-		auto sa = make_intrusive<RecordVal>(zeek::vars::socks_address);
+		static auto socks_address = zeek::lookup_type<RecordType>("SOCKS::Address");
+		auto sa = make_intrusive<RecordVal>(socks_address);
 
 		// This is dumb and there must be a better way (checking for presence of a field)...
 		switch ( ${reply.bound.addr_type} )

src/analyzer/protocol/tcp/TCP.cc

@@ -107,7 +107,8 @@ static RecordVal* build_syn_packet_val(bool is_orig, const IP_Hdr* ip,
 		options += opt_len;
 		}
 
-	RecordVal* v = new RecordVal(zeek::vars::SYN_packet);
+	static auto SYN_packet = zeek::lookup_type<RecordType>("SYN_packet");
+	RecordVal* v = new RecordVal(SYN_packet);
 
 	v->Assign(0, val_mgr->Bool(is_orig));
 	v->Assign(1, val_mgr->Bool(int(ip->DF())));
@@ -2077,7 +2078,8 @@ bool TCPStats_Endpoint::DataSent(double /* t */, uint64_t seq, int len, int capl
 
 RecordVal* TCPStats_Endpoint::BuildStats()
 	{
-	RecordVal* stats = new RecordVal(zeek::vars::endpoint_stats);
+	static auto endpoint_stats = zeek::lookup_type<RecordType>("endpoint_stats");
+	RecordVal* stats = new RecordVal(endpoint_stats);
 
 	stats->Assign(0, val_mgr->Count(num_pkts));
 	stats->Assign(1, val_mgr->Count(num_rxmit));

src/file_analysis/File.cc

@@ -26,7 +26,7 @@ static Val* empty_connection_table()
 	auto tbl_index = make_intrusive<TypeList>(zeek::vars::conn_id);
 	tbl_index->Append(zeek::vars::conn_id);
 	auto tbl_type = make_intrusive<TableType>(std::move(tbl_index),
-	                                          zeek::vars::connection_type);
+	                                          zeek::vars::connection);
 	return new TableVal(std::move(tbl_type));
 	}
 
@@ -62,22 +62,22 @@ void File::StaticInit()
 	if ( id_idx != -1 )
 		return;
 
-	id_idx = Idx("id", zeek::vars::fa_file_type);
+	id_idx = Idx("id", zeek::vars::fa_file);
-	parent_id_idx = Idx("parent_id", zeek::vars::fa_file_type);
+	parent_id_idx = Idx("parent_id", zeek::vars::fa_file);
-	source_idx = Idx("source", zeek::vars::fa_file_type);
+	source_idx = Idx("source", zeek::vars::fa_file);
-	is_orig_idx = Idx("is_orig", zeek::vars::fa_file_type);
+	is_orig_idx = Idx("is_orig", zeek::vars::fa_file);
-	conns_idx = Idx("conns", zeek::vars::fa_file_type);
+	conns_idx = Idx("conns", zeek::vars::fa_file);
-	last_active_idx = Idx("last_active", zeek::vars::fa_file_type);
+	last_active_idx = Idx("last_active", zeek::vars::fa_file);
-	seen_bytes_idx = Idx("seen_bytes", zeek::vars::fa_file_type);
+	seen_bytes_idx = Idx("seen_bytes", zeek::vars::fa_file);
-	total_bytes_idx = Idx("total_bytes", zeek::vars::fa_file_type);
+	total_bytes_idx = Idx("total_bytes", zeek::vars::fa_file);
-	missing_bytes_idx = Idx("missing_bytes", zeek::vars::fa_file_type);
+	missing_bytes_idx = Idx("missing_bytes", zeek::vars::fa_file);
-	overflow_bytes_idx = Idx("overflow_bytes", zeek::vars::fa_file_type);
+	overflow_bytes_idx = Idx("overflow_bytes", zeek::vars::fa_file);
-	timeout_interval_idx = Idx("timeout_interval", zeek::vars::fa_file_type);
+	timeout_interval_idx = Idx("timeout_interval", zeek::vars::fa_file);
-	bof_buffer_size_idx = Idx("bof_buffer_size", zeek::vars::fa_file_type);
+	bof_buffer_size_idx = Idx("bof_buffer_size", zeek::vars::fa_file);
-	bof_buffer_idx = Idx("bof_buffer", zeek::vars::fa_file_type);
+	bof_buffer_idx = Idx("bof_buffer", zeek::vars::fa_file);
-	meta_mime_type_idx = Idx("mime_type", zeek::vars::fa_metadata_type);
+	meta_mime_type_idx = Idx("mime_type", zeek::vars::fa_metadata);
-	meta_mime_types_idx = Idx("mime_types", zeek::vars::fa_metadata_type);
+	meta_mime_types_idx = Idx("mime_types", zeek::vars::fa_metadata);
-	meta_inferred_idx = Idx("inferred", zeek::vars::fa_metadata_type);
+	meta_inferred_idx = Idx("inferred", zeek::vars::fa_metadata);
 	}
 
 File::File(const std::string& file_id, const std::string& source_name, Connection* conn,
@@ -91,7 +91,7 @@ File::File(const std::string& file_id, const std::string& source_name, Connectio
 
 	DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Creating new File object", file_id.c_str());
 
-	val = new RecordVal(zeek::vars::fa_file_type);
+	val = new RecordVal(zeek::vars::fa_file);
 	val->Assign(id_idx, make_intrusive<StringVal>(file_id.c_str()));
 	SetSource(source_name);
 
@@ -295,7 +295,7 @@ bool File::SetMime(const std::string& mime_type)
 	if ( ! FileEventAvailable(file_sniff) )
 		return false;
 
-	auto meta = make_intrusive<RecordVal>(zeek::vars::fa_metadata_type);
+	auto meta = make_intrusive<RecordVal>(zeek::vars::fa_metadata);
 	meta->Assign(meta_mime_type_idx, make_intrusive<StringVal>(mime_type));
 	meta->Assign(meta_inferred_idx, val_mgr->False());
 
@@ -328,7 +328,7 @@ void File::InferMetadata()
 	len = std::min(len, LookupFieldDefaultCount(bof_buffer_size_idx));
 	file_mgr->DetectMIME(data, len, &matches);
 
-	auto meta = make_intrusive<RecordVal>(zeek::vars::fa_metadata_type);
+	auto meta = make_intrusive<RecordVal>(zeek::vars::fa_metadata);
 
 	if ( ! matches.empty() )
 		{

src/file_analysis/Manager.cc

@@ -499,12 +499,14 @@ string Manager::DetectMIME(const u_char* data, uint64_t len) const
 
 IntrusivePtr<VectorVal> file_analysis::GenMIMEMatchesVal(const RuleMatcher::MIME_Matches& m)
 	{
-	auto rval = make_intrusive<VectorVal>(zeek::vars::mime_matches);
+	static auto mime_matches = zeek::lookup_type<VectorType>("mime_matches");
+	static auto mime_match = zeek::lookup_type<RecordType>("mime_match");
+	auto rval = make_intrusive<VectorVal>(mime_matches);
 
 	for ( RuleMatcher::MIME_Matches::const_iterator it = m.begin();
 	      it != m.end(); ++it )
 		{
-		auto element = make_intrusive<RecordVal>(zeek::vars::mime_match);
+		auto element = make_intrusive<RecordVal>(mime_match);
 
 		for ( set<string>::const_iterator it2 = it->second.begin();
 		      it2 != it->second.end(); ++it2 )

src/file_analysis/analyzer/entropy/Entropy.cc

@@ -60,7 +60,8 @@ void Entropy::Finalize()
 	montepi = scc = ent = mean = chisq = 0.0;
 	entropy->Get(&ent, &chisq, &mean, &montepi, &scc);
 
-	auto ent_result = make_intrusive<RecordVal>(zeek::vars::entropy_test_result);
+	static auto entropy_test_result = zeek::lookup_type<RecordType>("entropy_test_result");
+	auto ent_result = make_intrusive<RecordVal>(entropy_test_result);
 	ent_result->Assign(0, make_intrusive<Val>(ent,     TYPE_DOUBLE));
 	ent_result->Assign(1, make_intrusive<Val>(chisq,   TYPE_DOUBLE));
 	ent_result->Assign(2, make_intrusive<Val>(mean,    TYPE_DOUBLE));

src/iosource/Packet.cc

@@ -4,6 +4,7 @@
 #include "IP.h"
 #include "IntrusivePtr.h"
 #include "iosource/Manager.h"
+#include "Var.h"
 
 extern "C" {
 #include <pcap.h>
@@ -593,8 +594,10 @@ void Packet::ProcessLayer2()
 
 IntrusivePtr<RecordVal> Packet::ToRawPktHdrVal() const
 	{
-	auto pkt_hdr = make_intrusive<RecordVal>(zeek::vars::raw_pkt_hdr_type);
+	static auto raw_pkt_hdr_type = zeek::lookup_type<RecordType>("raw_pkt_hdr");
-	RecordVal* l2_hdr = new RecordVal(zeek::vars::l2_hdr_type);
+	static auto l2_hdr_type = zeek::lookup_type<RecordType>("l2_hdr");
+	auto pkt_hdr = make_intrusive<RecordVal>(raw_pkt_hdr_type);
+	RecordVal* l2_hdr = new RecordVal(l2_hdr_type);
 
 	bool is_ethernet = link_type == DLT_EN10MB;
 

src/zeek.bif

@@ -1051,7 +1051,8 @@ function find_entropy%(data: string%): entropy_test_result
 	e.Feed(data->Bytes(), data->Len());
 	e.Get(&ent, &chisq, &mean, &montepi, &scc);
 
-	auto ent_result = make_intrusive<RecordVal>(zeek::vars::entropy_test_result);
+	static auto entropy_test_result = zeek::lookup_type<RecordType>("entropy_test_result");
+	auto ent_result = make_intrusive<RecordVal>(entropy_test_result);
 	ent_result->Assign(0, make_intrusive<Val>(ent,     TYPE_DOUBLE));
 	ent_result->Assign(1, make_intrusive<Val>(chisq,   TYPE_DOUBLE));
 	ent_result->Assign(2, make_intrusive<Val>(mean,    TYPE_DOUBLE));
@@ -1102,7 +1103,8 @@ function entropy_test_finish%(handle: opaque of entropy%): entropy_test_result
 	montepi = scc = ent = mean = chisq = 0.0;
 	static_cast<EntropyVal*>(handle)->Get(&ent, &chisq, &mean, &montepi, &scc);
 
-	auto ent_result = make_intrusive<RecordVal>(zeek::vars::entropy_test_result);
+	static auto entropy_test_result = zeek::lookup_type<RecordType>("entropy_test_result");
+	auto ent_result = make_intrusive<RecordVal>(entropy_test_result);
 	ent_result->Assign(0, make_intrusive<Val>(ent,     TYPE_DOUBLE));
 	ent_result->Assign(1, make_intrusive<Val>(chisq,   TYPE_DOUBLE));
 	ent_result->Assign(2, make_intrusive<Val>(mean,    TYPE_DOUBLE));
@@ -1939,13 +1941,15 @@ function global_sizes%(%): var_sizes
 ## .. zeek:see:: global_sizes
 function global_ids%(%): id_table
 	%{
-	auto ids = make_intrusive<TableVal>(zeek::vars::id_table);
+	static auto id_table = zeek::lookup_type<TableType>("id_table");
+	auto ids = make_intrusive<TableVal>(id_table);
 	const auto& globals = global_scope()->Vars();
 
 	for ( const auto& global : globals )
 		{
 		ID* id = global.second.get();
-		auto rec = make_intrusive<RecordVal>(zeek::vars::script_id);
+		static auto script_id = zeek::lookup_type<RecordType>("script_id");
+		auto rec = make_intrusive<RecordVal>(script_id);
 		rec->Assign(0, make_intrusive<StringVal>(type_name(id->GetType()->Tag())));
 		rec->Assign(1, val_mgr->Bool(id->IsExport()));
 		rec->Assign(2, val_mgr->Bool(id->IsConst()));
@@ -1990,6 +1994,8 @@ function lookup_ID%(id: string%) : any
 ## Returns: A table that describes the fields of a record.
 function record_fields%(rec: any%): record_field_table
 	%{
+	static auto record_field_table = zeek::lookup_type<TableType>("record_field_table");
+
 	if ( rec->GetType()->Tag() == TYPE_STRING )
 		{
 		auto id = global_scope()->Lookup(rec->AsStringVal()->ToStdString());
@@ -1997,7 +2003,7 @@ function record_fields%(rec: any%): record_field_table
 		if ( ! id || ! id->IsType() || id->GetType()->Tag() != TYPE_RECORD )
 			{
 			reporter->Error("record_fields string argument does not name a record type");
-			return make_intrusive<TableVal>(zeek::vars::record_field_table);
+			return make_intrusive<TableVal>(record_field_table);
 			}
 
 		return id->GetType()->AsRecordType()->GetRecordFieldsVal();
@@ -3295,7 +3301,7 @@ function lookup_connection%(cid: conn_id%): connection
 	builtin_error("connection ID not a known connection", cid);
 
 	// Return a dummy connection record.
-	auto c = make_intrusive<RecordVal>(zeek::vars::connection_type);
+	auto c = make_intrusive<RecordVal>(zeek::vars::connection);
 
 	auto id_val = make_intrusive<RecordVal>(zeek::vars::conn_id);
 	id_val->Assign(0, make_intrusive<AddrVal>((unsigned int) 0));
@@ -3379,8 +3385,9 @@ function dump_current_packet%(file_name: string%) : bool
 ## .. zeek:see:: dump_current_packet dump_packet
 function get_current_packet%(%) : pcap_packet
 	%{
+	static auto pcap_packet = zeek::lookup_type<RecordType>("pcap_packet");
 	const Packet* p;
-	auto pkt = make_intrusive<RecordVal>(zeek::vars::pcap_packet);
+	auto pkt = make_intrusive<RecordVal>(pcap_packet);
 
 	if ( ! current_pktsrc ||
 	     ! current_pktsrc->GetCurrentPacket(&p) )
@@ -3420,7 +3427,8 @@ function get_current_packet_header%(%) : raw_pkt_hdr
 		return p->ToRawPktHdrVal();
 		}
 
-	auto hdr = make_intrusive<RecordVal>(zeek::vars::raw_pkt_hdr_type);
+	static auto raw_pkt_hdr_type = zeek::lookup_type<RecordType>("raw_pkt_hdr");
+	auto hdr = make_intrusive<RecordVal>(raw_pkt_hdr_type);
 	return hdr;
 	%}
 
@@ -3990,7 +3998,8 @@ function mmdb_open_asn_db%(f: string%) : bool
 ## .. zeek:see:: lookup_asn
 function lookup_location%(a: addr%) : geo_location
 	%{
-	auto location = make_intrusive<RecordVal>(zeek::vars::geo_location);
+	static auto geo_location = zeek::lookup_type<RecordType>("geo_location");
+	auto location = make_intrusive<RecordVal>(geo_location);
 
 #ifdef USE_GEOIP
 	mmdb_check_loc();
@@ -4621,7 +4630,8 @@ function rotate_file%(f: file%): rotate_info
 		return info;
 
 	// Record indicating error.
-	info = make_intrusive<RecordVal>(zeek::vars::rotate_info);
+	static auto rotate_info = zeek::lookup_type<RecordType>("rotate_info");
+	info = make_intrusive<RecordVal>(rotate_info);
 	info->Assign(0, val_mgr->EmptyString());
 	info->Assign(1, val_mgr->EmptyString());
 	info->Assign(2, make_intrusive<Val>(0.0, TYPE_TIME));
@@ -4640,7 +4650,8 @@ function rotate_file%(f: file%): rotate_info
 ## .. zeek:see:: rotate_file calc_next_rotate
 function rotate_file_by_name%(f: string%): rotate_info
 	%{
-	auto info = make_intrusive<RecordVal>(zeek::vars::rotate_info);
+	static auto rotate_info = zeek::lookup_type<RecordType>("rotate_info");
+	auto info = make_intrusive<RecordVal>(rotate_info);
 
 	bool is_pkt_dumper = false;
 	bool is_addl_pkt_dumper = false;