Merge remote-tracking branch 'origin/topic/johanna/gh-4202'

* origin/topic/johanna/gh-4202:
  Update NEWS for Conn::set_conn changes
  DNS-fuzzer: raise new_connection event
  Optimize Conn::set_conn to minimize operations
  Move Conn::set_conn() from connection_state_remove to new_connection

scripts/base/protocols/conn/main.zeek

@@ -243,26 +243,31 @@ function conn_state(c: connection, trans: transport_proto): string
 ## Fill out the c$conn record for logging
 function set_conn(c: connection, eoc: bool)
 	{
-	if ( ! c?$conn )
-		{
-		local p = get_port_transport_proto(c$id$resp_p);
-		c$conn = Info($ts=c$start_time, $uid=c$uid, $proto=p);
-		}
+	if ( ! eoc ) {
+		if ( ! c?$conn )
+			{
+			local p = get_port_transport_proto(c$id$resp_p);
+			c$conn = Info($ts=c$start_time, $uid=c$uid, $proto=p);
+			}
 
-	c$conn$id=c$id;
-	if ( c?$tunnel && |c$tunnel| > 0 )
-		{
-		if ( ! c$conn?$tunnel_parents )
-			c$conn$tunnel_parents = set();
-		add c$conn$tunnel_parents[c$tunnel[|c$tunnel|-1]$uid];
-		}
-	if( |Site::local_nets| > 0 )
-		{
-		c$conn$local_orig=Site::is_local_addr(c$id$orig_h);
-		c$conn$local_resp=Site::is_local_addr(c$id$resp_h);
-		}
+		c$conn$id=c$id;
+		if ( c?$tunnel && |c$tunnel| > 0 )
+			{
+			if ( ! c$conn?$tunnel_parents )
+				c$conn$tunnel_parents = set();
+			add c$conn$tunnel_parents[c$tunnel[|c$tunnel|-1]$uid];
+			}
 
-	if ( eoc )
+		if ( c$id$proto != 65535 )
+			c$conn$ip_proto = c$id$proto;
+
+		if( |Site::local_nets| > 0 )
+			{
+			c$conn$local_orig = Site::is_local_addr(c$id$orig_h);
+			c$conn$local_resp = Site::is_local_addr(c$id$resp_h);
+			}
+		}
+	else
 		{
 		if ( c$duration > 0secs )
 			{
@@ -288,21 +293,15 @@ function set_conn(c: connection, eoc: bool)
 		if ( c$history != "" )
 			c$conn$history=c$history;
 		}
-
-	if ( c$id$proto != 65535 )
-		c$conn$ip_proto = c$id$proto;
 	}
 
 event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=5
 	{
-	set_conn(c, F);
-
 	c$conn$missed_bytes = c$conn$missed_bytes + length;
 	}
 
 event tunnel_changed(c: connection, e: EncapsulatingConnVector) &priority=5
 	{
-	set_conn(c, F);
 	if ( |e| > 0 )
 		{
 		if ( ! c$conn?$tunnel_parents )
@@ -312,6 +311,21 @@ event tunnel_changed(c: connection, e: EncapsulatingConnVector) &priority=5
 	c$tunnel = e;
 	}
 
+event new_connection(c: connection) &priority=100
+	{
+	set_conn(c, F);
+	}
+
+event connection_flipped(c: connection) &priority=5
+	{
+	# otherwise, set-conn has not been called yet. In that case we don't have to do anything
+	if ( c?$conn )
+		{
+		c$conn$local_orig = Site::is_local_addr(c$id$orig_h);
+		c$conn$local_resp = Site::is_local_addr(c$id$resp_h);
+		}
+	}
+
 event connection_state_remove(c: connection) &priority=5
 	{
 	set_conn(c, T);

scripts/policy/protocols/conn/community-id-logging.zeek

@@ -17,10 +17,7 @@ export {
 	};
 }
 
-module Conn;
-
 event new_connection(c: connection) &priority=5
 	{
-	Conn::set_conn(c, F);  # likely first to access :-/
 	c$conn$community_id = community_id_v1(c$id, CommunityID::seed, CommunityID::do_base64);
 	}

scripts/policy/protocols/conn/failed-service-logging.zeek

@@ -30,8 +30,6 @@ event analyzer_failed(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolatio
 	if ( analyzer_name !in c$service || analyzer_name in c$failed_analyzers )
 		return;
 
-	set_conn(c, F);
-
 	local aname = to_lower(Analyzer::name(atype));
 	# No duplicate logging
 	if ( c$conn?$failed_service && aname in c$conn$failed_service )

scripts/policy/protocols/conn/ip-proto-name-logging.zeek

@@ -12,8 +12,6 @@ redef record Info += {
 };
 
 event new_connection(c: connection) &priority=5 {
-	# In case we're the first access
-	Conn::set_conn(c, F);
 	if ( c$conn?$ip_proto && c$conn$ip_proto in IP::protocol_names )
 		c$conn$ip_proto_name = IP::protocol_names[c$conn$ip_proto];
 }

scripts/policy/protocols/conn/pppoe-session-id-logging.zeek

@@ -19,9 +19,6 @@ event new_connection(c: connection)
 	if ( session_id == 0xFFFFFFFF )
 		return;
 
-	# FIXME: remove when GH-4688 is merged
-	set_conn(c, F);
-
 	c$conn$pppoe_session_id = session_id;
 	}