From a34e632eefe6989165c69f8db6c6ed1e7edf2bb7 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Wed, 19 Aug 2020 13:57:47 -0700
Subject: [PATCH] Move NetVar from zeek to zeek::detail namespace

---
 src/Conn.cc                                   |   8 +-
 src/Net.cc                                    |   8 +-
 src/NetVar.cc                                 | 139 ++++++++---------
 src/NetVar.h                                  | 141 +++++++++---------
 src/Sessions.cc                               |  17 ++-
 src/Sessions.h                                |   2 +-
 src/TunnelEncapsulation.cc                    |   2 +-
 src/TunnelEncapsulation.h                     |   2 +-
 src/Val.cc                                    |   8 +-
 src/analyzer/Manager.cc                       |   8 +-
 src/analyzer/protocol/dns/DNS.cc              |  12 +-
 src/analyzer/protocol/http/HTTP.cc            |  14 +-
 src/analyzer/protocol/icmp/ICMP.cc            |   4 +-
 src/analyzer/protocol/mime/MIME.cc            |   4 +-
 src/analyzer/protocol/pia/PIA.cc              |  12 +-
 src/analyzer/protocol/rpc/RPC.cc              |   2 +-
 .../protocol/stepping-stone/SteppingStone.cc  |   4 +-
 src/analyzer/protocol/tcp/TCP.cc              |  35 ++---
 src/analyzer/protocol/tcp/TCP_Endpoint.cc     |   2 +-
 src/analyzer/protocol/tcp/TCP_Reassembler.cc  |  22 +--
 src/analyzer/protocol/udp/UDP.cc              |  12 +-
 src/file_analysis/Manager.cc                  |   2 +-
 src/iosource/Packet.cc                        |   6 +-
 src/legacy-netvar-init.cc                     |   4 +-
 24 files changed, 236 insertions(+), 234 deletions(-)

diff --git a/src/Conn.cc b/src/Conn.cc
index 4c97420bdb..a135d9e2c5 100644
--- a/src/Conn.cc
+++ b/src/Conn.cc
@@ -326,10 +326,10 @@ void Connection::SetInactivityTimeout(double timeout)
 
 void Connection::EnableStatusUpdateTimer()
 	{
-	if ( connection_status_update && connection_status_update_interval )
+	if ( connection_status_update && zeek::detail::connection_status_update_interval )
 		{
 		ADD_TIMER(&Connection::StatusUpdateTimer,
-		          zeek::net::network_time + connection_status_update_interval, 0,
+		          zeek::net::network_time + zeek::detail::connection_status_update_interval, 0,
 		          zeek::detail::TIMER_CONN_STATUS_UPDATE);
 		installed_status_timer = 1;
 		}
@@ -339,7 +339,7 @@ void Connection::StatusUpdateTimer(double t)
 	{
 	EnqueueEvent(connection_status_update, nullptr, ConnVal());
 	ADD_TIMER(&Connection::StatusUpdateTimer,
-	          zeek::net::network_time + connection_status_update_interval, 0,
+	          zeek::net::network_time + zeek::detail::connection_status_update_interval, 0,
 	          zeek::detail::TIMER_CONN_STATUS_UPDATE);
 	}
 
@@ -389,7 +389,7 @@ const zeek::RecordValPtr& Connection::ConnVal()
 		conn_val->Assign(6, zeek::val_mgr->EmptyString());	// history
 
 		if ( ! uid )
-			uid.Set(bits_per_uid);
+			uid.Set(zeek::detail::bits_per_uid);
 
 		conn_val->Assign(7, zeek::make_intrusive<zeek::StringVal>(uid.Base62("C").c_str()));
 
diff --git a/src/Net.cc b/src/Net.cc
index 186117cd9d..28a7e22ab8 100644
--- a/src/Net.cc
+++ b/src/Net.cc
@@ -122,7 +122,7 @@ RETSIGTYPE watchdog(int /* signo */)
 
 	last_watchdog_proc_time = processing_start_time;
 
-	(void) alarm(watchdog_interval);
+	(void) alarm(zeek::detail::watchdog_interval);
 	return RETSIGVAL;
 	}
 
@@ -193,7 +193,7 @@ void net_init(const std::optional<std::string>& interface,
 		{
 		// Set up the watchdog to make sure we don't wedge.
 		(void) setsignal(SIGALRM, watchdog);
-		(void) alarm(watchdog_interval);
+		(void) alarm(zeek::detail::watchdog_interval);
 		}
 	}
 
@@ -203,7 +203,7 @@ void expire_timers(zeek::iosource::PktSrc* src_ps)
 
 	current_dispatched +=
 		zeek::detail::timer_mgr->Advance(network_time,
-			max_timer_expires - current_dispatched);
+			zeek::detail::max_timer_expires - current_dispatched);
 	}
 
 void net_packet_dispatch(double t, const zeek::Packet* pkt, zeek::iosource::PktSrc* src_ps)
@@ -232,7 +232,7 @@ void net_packet_dispatch(double t, const zeek::Packet* pkt, zeek::iosource::PktS
 		static uint32_t load_freq = 0;
 
 		if ( load_freq == 0 )
-			load_freq = uint32_t(0xffffffff) / uint32_t(load_sample_freq);
+			load_freq = uint32_t(0xffffffff) / uint32_t(zeek::detail::load_sample_freq);
 
 		if ( uint32_t(zeek::util::detail::random_number() & 0xffffffff) < load_freq )
 			{
diff --git a/src/NetVar.cc b/src/NetVar.cc
index 6281fe8b14..62b265b5bd 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -106,7 +106,7 @@ zeek::StringVal* global_hash_seed;
 // these files need to be included separately before the namespace is opened below.
 
 
-namespace zeek {
+namespace zeek::detail {
 
 int watchdog_interval;
 
@@ -198,7 +198,7 @@ int record_all_packets;
 
 bro_uint_t bits_per_uid;
 
-} // namespace zeek. The namespace has be closed here before we include the netvar_def files.
+} // namespace zeek::detail. The namespace has be closed here before we include the netvar_def files.
 
 static void bif_init_event_handlers()
 	{
@@ -220,7 +220,7 @@ static void bif_init_net_var()
 #include "supervisor.bif.netvar_def"
 
 // Re-open the namespace now that the bif headers are all included.
-namespace zeek {
+namespace zeek::detail {
 
 void init_event_handlers()
 	{
@@ -348,70 +348,71 @@ void init_net_var()
 	timer_mgr_inactivity_timeout = zeek::id::find_val("timer_mgr_inactivity_timeout")->AsInterval();
 	}
 
-} // namespace zeek
+} // namespace zeek::detail
+
 // Remove in v4.1.
-int& watchdog_interval = zeek::watchdog_interval;
-int& max_timer_expires = zeek::max_timer_expires;
-int& ignore_checksums = zeek::ignore_checksums;
-int& partial_connection_ok = zeek::partial_connection_ok;
-int& tcp_SYN_ack_ok = zeek::tcp_SYN_ack_ok;
-int& tcp_match_undelivered = zeek::tcp_match_undelivered;
-int& encap_hdr_size = zeek::encap_hdr_size;
-double& frag_timeout = zeek::frag_timeout;
-double& tcp_SYN_timeout = zeek::tcp_SYN_timeout;
-double& tcp_session_timer = zeek::tcp_session_timer;
-double& tcp_connection_linger = zeek::tcp_connection_linger;
-double& tcp_attempt_delay = zeek::tcp_attempt_delay;
-double& tcp_close_delay = zeek::tcp_close_delay;
-double& tcp_partial_close_delay = zeek::tcp_partial_close_delay;
-double& tcp_reset_delay = zeek::tcp_reset_delay;
-int& tcp_max_initial_window = zeek::tcp_max_initial_window;
-int& tcp_max_above_hole_without_any_acks = zeek::tcp_max_above_hole_without_any_acks;
-int& tcp_excessive_data_without_further_acks = zeek::tcp_excessive_data_without_further_acks;
-int& tcp_max_old_segments = zeek::tcp_max_old_segments;
-double& non_analyzed_lifetime = zeek::non_analyzed_lifetime;
-double& tcp_inactivity_timeout = zeek::tcp_inactivity_timeout;
-double& udp_inactivity_timeout = zeek::udp_inactivity_timeout;
-double& icmp_inactivity_timeout = zeek::icmp_inactivity_timeout;
-int& tcp_storm_thresh = zeek::tcp_storm_thresh;
-double& tcp_storm_interarrival_thresh = zeek::tcp_storm_interarrival_thresh;
-bool& tcp_content_deliver_all_orig = zeek::tcp_content_deliver_all_orig;
-bool& tcp_content_deliver_all_resp = zeek::tcp_content_deliver_all_resp;
-bool& udp_content_deliver_all_orig = zeek::udp_content_deliver_all_orig;
-bool& udp_content_deliver_all_resp = zeek::udp_content_deliver_all_resp;
-bool& udp_content_delivery_ports_use_resp = zeek::udp_content_delivery_ports_use_resp;
-double& dns_session_timeout = zeek::dns_session_timeout;
-double& rpc_timeout = zeek::rpc_timeout;
-int& mime_segment_length = zeek::mime_segment_length;
-int& mime_segment_overlap_length = zeek::mime_segment_overlap_length;
-int& http_entity_data_delivery_size = zeek::http_entity_data_delivery_size;
-int& truncate_http_URI = zeek::truncate_http_URI;
-int& dns_skip_all_auth = zeek::dns_skip_all_auth;
-int& dns_skip_all_addl = zeek::dns_skip_all_addl;
-int& dns_max_queries = zeek::dns_max_queries;
-double& stp_delta = zeek::stp_delta;
-double& stp_idle_min = zeek::stp_idle_min;
-double& table_expire_interval = zeek::table_expire_interval;
-double& table_expire_delay = zeek::table_expire_delay;
-int& table_incremental_step = zeek::table_incremental_step;
-int& orig_addr_anonymization = zeek::orig_addr_anonymization;
-int& resp_addr_anonymization = zeek::resp_addr_anonymization;
-int& other_addr_anonymization = zeek::other_addr_anonymization;
-double& connection_status_update_interval = zeek::connection_status_update_interval;
-double& profiling_interval = zeek::profiling_interval;
-int& expensive_profiling_multiple = zeek::expensive_profiling_multiple;
-int& segment_profiling = zeek::segment_profiling;
-int& pkt_profile_mode = zeek::pkt_profile_mode;
-double& pkt_profile_freq = zeek::pkt_profile_freq;
-int& load_sample_freq = zeek::load_sample_freq;
-int& packet_filter_default = zeek::packet_filter_default;
-int& sig_max_group_size = zeek::sig_max_group_size;
-int& dpd_reassemble_first_packets = zeek::dpd_reassemble_first_packets;
-int& dpd_buffer_size = zeek::dpd_buffer_size;
-int& dpd_match_only_beginning = zeek::dpd_match_only_beginning;
-int& dpd_late_match_stop = zeek::dpd_late_match_stop;
-int& dpd_ignore_ports = zeek::dpd_ignore_ports;
-int& check_for_unused_event_handlers = zeek::check_for_unused_event_handlers;
-double& timer_mgr_inactivity_timeout = zeek::timer_mgr_inactivity_timeout;
-int& record_all_packets = zeek::record_all_packets;
-bro_uint_t& bits_per_uid = zeek::bits_per_uid;
+int& watchdog_interval = zeek::detail::watchdog_interval;
+int& max_timer_expires = zeek::detail::max_timer_expires;
+int& ignore_checksums = zeek::detail::ignore_checksums;
+int& partial_connection_ok = zeek::detail::partial_connection_ok;
+int& tcp_SYN_ack_ok = zeek::detail::tcp_SYN_ack_ok;
+int& tcp_match_undelivered = zeek::detail::tcp_match_undelivered;
+int& encap_hdr_size = zeek::detail::encap_hdr_size;
+double& frag_timeout = zeek::detail::frag_timeout;
+double& tcp_SYN_timeout = zeek::detail::tcp_SYN_timeout;
+double& tcp_session_timer = zeek::detail::tcp_session_timer;
+double& tcp_connection_linger = zeek::detail::tcp_connection_linger;
+double& tcp_attempt_delay = zeek::detail::tcp_attempt_delay;
+double& tcp_close_delay = zeek::detail::tcp_close_delay;
+double& tcp_partial_close_delay = zeek::detail::tcp_partial_close_delay;
+double& tcp_reset_delay = zeek::detail::tcp_reset_delay;
+int& tcp_max_initial_window = zeek::detail::tcp_max_initial_window;
+int& tcp_max_above_hole_without_any_acks = zeek::detail::tcp_max_above_hole_without_any_acks;
+int& tcp_excessive_data_without_further_acks = zeek::detail::tcp_excessive_data_without_further_acks;
+int& tcp_max_old_segments = zeek::detail::tcp_max_old_segments;
+double& non_analyzed_lifetime = zeek::detail::non_analyzed_lifetime;
+double& tcp_inactivity_timeout = zeek::detail::tcp_inactivity_timeout;
+double& udp_inactivity_timeout = zeek::detail::udp_inactivity_timeout;
+double& icmp_inactivity_timeout = zeek::detail::icmp_inactivity_timeout;
+int& tcp_storm_thresh = zeek::detail::tcp_storm_thresh;
+double& tcp_storm_interarrival_thresh = zeek::detail::tcp_storm_interarrival_thresh;
+bool& tcp_content_deliver_all_orig = zeek::detail::tcp_content_deliver_all_orig;
+bool& tcp_content_deliver_all_resp = zeek::detail::tcp_content_deliver_all_resp;
+bool& udp_content_deliver_all_orig = zeek::detail::udp_content_deliver_all_orig;
+bool& udp_content_deliver_all_resp = zeek::detail::udp_content_deliver_all_resp;
+bool& udp_content_delivery_ports_use_resp = zeek::detail::udp_content_delivery_ports_use_resp;
+double& dns_session_timeout = zeek::detail::dns_session_timeout;
+double& rpc_timeout = zeek::detail::rpc_timeout;
+int& mime_segment_length = zeek::detail::mime_segment_length;
+int& mime_segment_overlap_length = zeek::detail::mime_segment_overlap_length;
+int& http_entity_data_delivery_size = zeek::detail::http_entity_data_delivery_size;
+int& truncate_http_URI = zeek::detail::truncate_http_URI;
+int& dns_skip_all_auth = zeek::detail::dns_skip_all_auth;
+int& dns_skip_all_addl = zeek::detail::dns_skip_all_addl;
+int& dns_max_queries = zeek::detail::dns_max_queries;
+double& stp_delta = zeek::detail::stp_delta;
+double& stp_idle_min = zeek::detail::stp_idle_min;
+double& table_expire_interval = zeek::detail::table_expire_interval;
+double& table_expire_delay = zeek::detail::table_expire_delay;
+int& table_incremental_step = zeek::detail::table_incremental_step;
+int& orig_addr_anonymization = zeek::detail::orig_addr_anonymization;
+int& resp_addr_anonymization = zeek::detail::resp_addr_anonymization;
+int& other_addr_anonymization = zeek::detail::other_addr_anonymization;
+double& connection_status_update_interval = zeek::detail::connection_status_update_interval;
+double& profiling_interval = zeek::detail::profiling_interval;
+int& expensive_profiling_multiple = zeek::detail::expensive_profiling_multiple;
+int& segment_profiling = zeek::detail::segment_profiling;
+int& pkt_profile_mode = zeek::detail::pkt_profile_mode;
+double& pkt_profile_freq = zeek::detail::pkt_profile_freq;
+int& load_sample_freq = zeek::detail::load_sample_freq;
+int& packet_filter_default = zeek::detail::packet_filter_default;
+int& sig_max_group_size = zeek::detail::sig_max_group_size;
+int& dpd_reassemble_first_packets = zeek::detail::dpd_reassemble_first_packets;
+int& dpd_buffer_size = zeek::detail::dpd_buffer_size;
+int& dpd_match_only_beginning = zeek::detail::dpd_match_only_beginning;
+int& dpd_late_match_stop = zeek::detail::dpd_late_match_stop;
+int& dpd_ignore_ports = zeek::detail::dpd_ignore_ports;
+int& check_for_unused_event_handlers = zeek::detail::check_for_unused_event_handlers;
+double& timer_mgr_inactivity_timeout = zeek::detail::timer_mgr_inactivity_timeout;
+int& record_all_packets = zeek::detail::record_all_packets;
+bro_uint_t& bits_per_uid = zeek::detail::bits_per_uid;
diff --git a/src/NetVar.h b/src/NetVar.h
index 71564ac3b5..fba7d5494b 100644
--- a/src/NetVar.h
+++ b/src/NetVar.h
@@ -6,7 +6,7 @@
 #include "EventRegistry.h"
 #include "Stats.h"
 
-namespace zeek {
+namespace zeek::detail {
 
 extern int watchdog_interval;
 
@@ -104,78 +104,77 @@ extern void init_general_global_var();
 extern void init_event_handlers();
 extern void init_net_var();
 
-} // namespace zeek
+} // namespace zeek::detail
 
-constexpr auto init_general_global_var [[deprecated("Remove in v4.1. Use zeek::init_general_global_var.")]] = zeek::init_general_global_var;
-constexpr auto init_event_handlers [[deprecated("Remove in v4.1. Use zeek::init_event_handlers.")]] = zeek::init_event_handlers;
-constexpr auto init_net_var [[deprecated("Remove in v4.1. Use zeek::init_net_var.")]] = zeek::init_net_var;
-
-extern int& watchdog_interval [[deprecated("Remove in v4.1. Use zeek::watchdog_interval.")]];
-extern int& max_timer_expires [[deprecated("Remove in v4.1. Use zeek::max_timer_expires.")]];
-extern int& ignore_checksums [[deprecated("Remove in v4.1. Use zeek::ignore_checksums.")]];
-extern int& partial_connection_ok [[deprecated("Remove in v4.1. Use zeek::partial_connection_ok.")]];
-extern int& tcp_SYN_ack_ok [[deprecated("Remove in v4.1. Use zeek::tcp_SYN_ack_ok.")]];
-extern int& tcp_match_undelivered [[deprecated("Remove in v4.1. Use zeek::tcp_match_undelivered.")]];
-extern int& encap_hdr_size [[deprecated("Remove in v4.1. Use zeek::encap_hdr_size.")]];
-extern double& frag_timeout [[deprecated("Remove in v4.1. Use zeek::frag_timeout.")]];
-extern double& tcp_SYN_timeout [[deprecated("Remove in v4.1. Use zeek::tcp_SYN_timeout.")]];
-extern double& tcp_session_timer [[deprecated("Remove in v4.1. Use zeek::tcp_session_timer.")]];
-extern double& tcp_connection_linger [[deprecated("Remove in v4.1. Use zeek::tcp_connection_linger.")]];
-extern double& tcp_attempt_delay [[deprecated("Remove in v4.1. Use zeek::tcp_attempt_delay.")]];
-extern double& tcp_close_delay [[deprecated("Remove in v4.1. Use zeek::tcp_close_delay.")]];
-extern double& tcp_partial_close_delay [[deprecated("Remove in v4.1. Use zeek::tcp_partial_close_delay.")]];
-extern double& tcp_reset_delay [[deprecated("Remove in v4.1. Use zeek::tcp_reset_delay.")]];
-extern int& tcp_max_initial_window [[deprecated("Remove in v4.1. Use zeek::tcp_max_initial_window.")]];
-extern int& tcp_max_above_hole_without_any_acks [[deprecated("Remove in v4.1. Use zeek::tcp_max_above_hole_without_any_acks.")]];
-extern int& tcp_excessive_data_without_further_acks [[deprecated("Remove in v4.1. Use zeek::tcp_excessive_data_without_further_acks.")]];
-extern int& tcp_max_old_segments [[deprecated("Remove in v4.1. Use zeek::tcp_max_old_segments.")]];
-extern double& non_analyzed_lifetime [[deprecated("Remove in v4.1. Use zeek::non_analyzed_lifetime.")]];
-extern double& tcp_inactivity_timeout [[deprecated("Remove in v4.1. Use zeek::tcp_inactivity_timeout.")]];
-extern double& udp_inactivity_timeout [[deprecated("Remove in v4.1. Use zeek::udp_inactivity_timeout.")]];
-extern double& icmp_inactivity_timeout [[deprecated("Remove in v4.1. Use zeek::icmp_inactivity_timeout.")]];
-extern int& tcp_storm_thresh [[deprecated("Remove in v4.1. Use zeek::tcp_storm_thresh.")]];
-extern double& tcp_storm_interarrival_thresh [[deprecated("Remove in v4.1. Use zeek::tcp_storm_interarrival_thresh.")]];
-extern bool& tcp_content_deliver_all_orig [[deprecated("Remove in v4.1. Use zeek::tcp_content_deliver_all_orig.")]];
-extern bool& tcp_content_deliver_all_resp [[deprecated("Remove in v4.1. Use zeek::tcp_content_deliver_all_resp.")]];
-extern bool& udp_content_deliver_all_orig [[deprecated("Remove in v4.1. Use zeek::udp_content_deliver_all_orig.")]];
-extern bool& udp_content_deliver_all_resp [[deprecated("Remove in v4.1. Use zeek::udp_content_deliver_all_resp.")]];
-extern bool& udp_content_delivery_ports_use_resp [[deprecated("Remove in v4.1. Use zeek::udp_content_delivery_ports_use_resp.")]];
-extern double& dns_session_timeout [[deprecated("Remove in v4.1. Use zeek::dns_session_timeout.")]];
-extern double& rpc_timeout [[deprecated("Remove in v4.1. Use zeek::rpc_timeout.")]];
-extern int& mime_segment_length [[deprecated("Remove in v4.1. Use zeek::mime_segment_length.")]];
-extern int& mime_segment_overlap_length [[deprecated("Remove in v4.1. Use zeek::mime_segment_overlap_length.")]];
-extern int& http_entity_data_delivery_size [[deprecated("Remove in v4.1. Use zeek::http_entity_data_delivery_size.")]];
-extern int& truncate_http_URI [[deprecated("Remove in v4.1. Use zeek::truncate_http_URI.")]];
-extern int& dns_skip_all_auth [[deprecated("Remove in v4.1. Use zeek::dns_skip_all_auth.")]];
-extern int& dns_skip_all_addl [[deprecated("Remove in v4.1. Use zeek::dns_skip_all_addl.")]];
-extern int& dns_max_queries [[deprecated("Remove in v4.1. Use zeek::dns_max_queries.")]];
-extern double& stp_delta [[deprecated("Remove in v4.1. Use zeek::stp_delta.")]];
-extern double& stp_idle_min [[deprecated("Remove in v4.1. Use zeek::stp_idle_min.")]];
-extern double& table_expire_interval [[deprecated("Remove in v4.1. Use zeek::table_expire_interval.")]];
-extern double& table_expire_delay [[deprecated("Remove in v4.1. Use zeek::table_expire_delay.")]];
-extern int& table_incremental_step [[deprecated("Remove in v4.1. Use zeek::table_incremental_step.")]];
-extern int& orig_addr_anonymization [[deprecated("Remove in v4.1. Use zeek::orig_addr_anonymization.")]];
-extern int& resp_addr_anonymization [[deprecated("Remove in v4.1. Use zeek::resp_addr_anonymization.")]];
-extern int& other_addr_anonymization [[deprecated("Remove in v4.1. Use zeek::other_addr_anonymization.")]];
-extern double& connection_status_update_interval [[deprecated("Remove in v4.1. Use zeek::connection_status_update_interval.")]];
-extern double& profiling_interval [[deprecated("Remove in v4.1. Use zeek::profiling_interval.")]];
-extern int& expensive_profiling_multiple [[deprecated("Remove in v4.1. Use zeek::expensive_profiling_multiple.")]];
-extern int& segment_profiling [[deprecated("Remove in v4.1. Use zeek::segment_profiling.")]];
-extern int& pkt_profile_mode [[deprecated("Remove in v4.1. Use zeek::pkt_profile_mode.")]];
-extern double& pkt_profile_freq [[deprecated("Remove in v4.1. Use zeek::pkt_profile_freq.")]];
-extern int& load_sample_freq [[deprecated("Remove in v4.1. Use zeek::load_sample_freq.")]];
-extern int& packet_filter_default [[deprecated("Remove in v4.1. Use zeek::packet_filter_default.")]];
-extern int& sig_max_group_size [[deprecated("Remove in v4.1. Use zeek::sig_max_group_size.")]];
-extern int& dpd_reassemble_first_packets [[deprecated("Remove in v4.1. Use zeek::dpd_reassemble_first_packets.")]];
-extern int& dpd_buffer_size [[deprecated("Remove in v4.1. Use zeek::dpd_buffer_size.")]];
-extern int& dpd_match_only_beginning [[deprecated("Remove in v4.1. Use zeek::dpd_match_only_beginning.")]];
-extern int& dpd_late_match_stop [[deprecated("Remove in v4.1. Use zeek::dpd_late_match_stop.")]];
-extern int& dpd_ignore_ports [[deprecated("Remove in v4.1. Use zeek::dpd_ignore_ports.")]];
-extern int& check_for_unused_event_handlers [[deprecated("Remove in v4.1. Use zeek::check_for_unused_event_handlers.")]];
-extern double& timer_mgr_inactivity_timeout [[deprecated("Remove in v4.1. Use zeek::timer_mgr_inactivity_timeout.")]];
-extern int& record_all_packets [[deprecated("Remove in v4.1. Use zeek::record_all_packets.")]];
-extern bro_uint_t& bits_per_uid [[deprecated("Remove in v4.1. Use zeek::bits_per_uid.")]];
+constexpr auto init_general_global_var [[deprecated("Remove in v4.1. Use zeek::detail::init_general_global_var.")]] = zeek::detail::init_general_global_var;
+constexpr auto init_event_handlers [[deprecated("Remove in v4.1. Use zeek::detail::init_event_handlers.")]] = zeek::detail::init_event_handlers;
+constexpr auto init_net_var [[deprecated("Remove in v4.1. Use zeek::detail::init_net_var.")]] = zeek::detail::init_net_var;
 
+extern int& watchdog_interval [[deprecated("Remove in v4.1. Use zeek::detail::watchdog_interval.")]];
+extern int& max_timer_expires [[deprecated("Remove in v4.1. Use zeek::detail::max_timer_expires.")]];
+extern int& ignore_checksums [[deprecated("Remove in v4.1. Use zeek::detail::ignore_checksums.")]];
+extern int& partial_connection_ok [[deprecated("Remove in v4.1. Use zeek::detail::partial_connection_ok.")]];
+extern int& tcp_SYN_ack_ok [[deprecated("Remove in v4.1. Use zeek::detail::tcp_SYN_ack_ok.")]];
+extern int& tcp_match_undelivered [[deprecated("Remove in v4.1. Use zeek::detail::tcp_match_undelivered.")]];
+extern int& encap_hdr_size [[deprecated("Remove in v4.1. Use zeek::detail::encap_hdr_size.")]];
+extern double& frag_timeout [[deprecated("Remove in v4.1. Use zeek::detail::frag_timeout.")]];
+extern double& tcp_SYN_timeout [[deprecated("Remove in v4.1. Use zeek::detail::tcp_SYN_timeout.")]];
+extern double& tcp_session_timer [[deprecated("Remove in v4.1. Use zeek::detail::tcp_session_timer.")]];
+extern double& tcp_connection_linger [[deprecated("Remove in v4.1. Use zeek::detail::tcp_connection_linger.")]];
+extern double& tcp_attempt_delay [[deprecated("Remove in v4.1. Use zeek::detail::tcp_attempt_delay.")]];
+extern double& tcp_close_delay [[deprecated("Remove in v4.1. Use zeek::detail::tcp_close_delay.")]];
+extern double& tcp_partial_close_delay [[deprecated("Remove in v4.1. Use zeek::detail::tcp_partial_close_delay.")]];
+extern double& tcp_reset_delay [[deprecated("Remove in v4.1. Use zeek::detail::tcp_reset_delay.")]];
+extern int& tcp_max_initial_window [[deprecated("Remove in v4.1. Use zeek::detail::tcp_max_initial_window.")]];
+extern int& tcp_max_above_hole_without_any_acks [[deprecated("Remove in v4.1. Use zeek::detail::tcp_max_above_hole_without_any_acks.")]];
+extern int& tcp_excessive_data_without_further_acks [[deprecated("Remove in v4.1. Use zeek::detail::tcp_excessive_data_without_further_acks.")]];
+extern int& tcp_max_old_segments [[deprecated("Remove in v4.1. Use zeek::detail::tcp_max_old_segments.")]];
+extern double& non_analyzed_lifetime [[deprecated("Remove in v4.1. Use zeek::detail::non_analyzed_lifetime.")]];
+extern double& tcp_inactivity_timeout [[deprecated("Remove in v4.1. Use zeek::detail::tcp_inactivity_timeout.")]];
+extern double& udp_inactivity_timeout [[deprecated("Remove in v4.1. Use zeek::detail::udp_inactivity_timeout.")]];
+extern double& icmp_inactivity_timeout [[deprecated("Remove in v4.1. Use zeek::detail::icmp_inactivity_timeout.")]];
+extern int& tcp_storm_thresh [[deprecated("Remove in v4.1. Use zeek::detail::tcp_storm_thresh.")]];
+extern double& tcp_storm_interarrival_thresh [[deprecated("Remove in v4.1. Use zeek::detail::tcp_storm_interarrival_thresh.")]];
+extern bool& tcp_content_deliver_all_orig [[deprecated("Remove in v4.1. Use zeek::detail::tcp_content_deliver_all_orig.")]];
+extern bool& tcp_content_deliver_all_resp [[deprecated("Remove in v4.1. Use zeek::detail::tcp_content_deliver_all_resp.")]];
+extern bool& udp_content_deliver_all_orig [[deprecated("Remove in v4.1. Use zeek::detail::udp_content_deliver_all_orig.")]];
+extern bool& udp_content_deliver_all_resp [[deprecated("Remove in v4.1. Use zeek::detail::udp_content_deliver_all_resp.")]];
+extern bool& udp_content_delivery_ports_use_resp [[deprecated("Remove in v4.1. Use zeek::detail::udp_content_delivery_ports_use_resp.")]];
+extern double& dns_session_timeout [[deprecated("Remove in v4.1. Use zeek::detail::dns_session_timeout.")]];
+extern double& rpc_timeout [[deprecated("Remove in v4.1. Use zeek::detail::rpc_timeout.")]];
+extern int& mime_segment_length [[deprecated("Remove in v4.1. Use zeek::detail::mime_segment_length.")]];
+extern int& mime_segment_overlap_length [[deprecated("Remove in v4.1. Use zeek::detail::mime_segment_overlap_length.")]];
+extern int& http_entity_data_delivery_size [[deprecated("Remove in v4.1. Use zeek::detail::http_entity_data_delivery_size.")]];
+extern int& truncate_http_URI [[deprecated("Remove in v4.1. Use zeek::detail::truncate_http_URI.")]];
+extern int& dns_skip_all_auth [[deprecated("Remove in v4.1. Use zeek::detail::dns_skip_all_auth.")]];
+extern int& dns_skip_all_addl [[deprecated("Remove in v4.1. Use zeek::detail::dns_skip_all_addl.")]];
+extern int& dns_max_queries [[deprecated("Remove in v4.1. Use zeek::detail::dns_max_queries.")]];
+extern double& stp_delta [[deprecated("Remove in v4.1. Use zeek::detail::stp_delta.")]];
+extern double& stp_idle_min [[deprecated("Remove in v4.1. Use zeek::detail::stp_idle_min.")]];
+extern double& table_expire_interval [[deprecated("Remove in v4.1. Use zeek::detail::table_expire_interval.")]];
+extern double& table_expire_delay [[deprecated("Remove in v4.1. Use zeek::detail::table_expire_delay.")]];
+extern int& table_incremental_step [[deprecated("Remove in v4.1. Use zeek::detail::table_incremental_step.")]];
+extern int& orig_addr_anonymization [[deprecated("Remove in v4.1. Use zeek::detail::orig_addr_anonymization.")]];
+extern int& resp_addr_anonymization [[deprecated("Remove in v4.1. Use zeek::detail::resp_addr_anonymization.")]];
+extern int& other_addr_anonymization [[deprecated("Remove in v4.1. Use zeek::detail::other_addr_anonymization.")]];
+extern double& connection_status_update_interval [[deprecated("Remove in v4.1. Use zeek::detail::connection_status_update_interval.")]];
+extern double& profiling_interval [[deprecated("Remove in v4.1. Use zeek::detail::profiling_interval.")]];
+extern int& expensive_profiling_multiple [[deprecated("Remove in v4.1. Use zeek::detail::expensive_profiling_multiple.")]];
+extern int& segment_profiling [[deprecated("Remove in v4.1. Use zeek::detail::segment_profiling.")]];
+extern int& pkt_profile_mode [[deprecated("Remove in v4.1. Use zeek::detail::pkt_profile_mode.")]];
+extern double& pkt_profile_freq [[deprecated("Remove in v4.1. Use zeek::detail::pkt_profile_freq.")]];
+extern int& load_sample_freq [[deprecated("Remove in v4.1. Use zeek::detail::load_sample_freq.")]];
+extern int& packet_filter_default [[deprecated("Remove in v4.1. Use zeek::detail::packet_filter_default.")]];
+extern int& sig_max_group_size [[deprecated("Remove in v4.1. Use zeek::detail::sig_max_group_size.")]];
+extern int& dpd_reassemble_first_packets [[deprecated("Remove in v4.1. Use zeek::detail::dpd_reassemble_first_packets.")]];
+extern int& dpd_buffer_size [[deprecated("Remove in v4.1. Use zeek::detail::dpd_buffer_size.")]];
+extern int& dpd_match_only_beginning [[deprecated("Remove in v4.1. Use zeek::detail::dpd_match_only_beginning.")]];
+extern int& dpd_late_match_stop [[deprecated("Remove in v4.1. Use zeek::detail::dpd_late_match_stop.")]];
+extern int& dpd_ignore_ports [[deprecated("Remove in v4.1. Use zeek::detail::dpd_ignore_ports.")]];
+extern int& check_for_unused_event_handlers [[deprecated("Remove in v4.1. Use zeek::detail::check_for_unused_event_handlers.")]];
+extern double& timer_mgr_inactivity_timeout [[deprecated("Remove in v4.1. Use zeek::detail::timer_mgr_inactivity_timeout.")]];
+extern int& record_all_packets [[deprecated("Remove in v4.1. Use zeek::detail::record_all_packets.")]];
+extern bro_uint_t& bits_per_uid [[deprecated("Remove in v4.1. Use zeek::detail::bits_per_uid.")]];
 
 [[deprecated("Remove in v4.1.  Use zeek::id::conn_id.")]]
 extern zeek::RecordType* conn_id;
diff --git a/src/Sessions.cc b/src/Sessions.cc
index 18585ecf42..e606726aca 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -89,9 +89,10 @@ NetSessions::NetSessions()
 	num_packets_processed = 0;
 	static auto pkt_profile_file = zeek::id::find_val("pkt_profile_file");
 
-	if ( pkt_profile_mode && pkt_profile_freq > 0 && pkt_profile_file )
-		pkt_profiler = new zeek::detail::PacketProfiler(pkt_profile_mode,
-				pkt_profile_freq, pkt_profile_file->AsFile());
+	if ( zeek::detail::pkt_profile_mode && zeek::detail::pkt_profile_freq > 0 && pkt_profile_file )
+		pkt_profiler = new zeek::detail::PacketProfiler(zeek::detail::pkt_profile_mode,
+		                                                zeek::detail::pkt_profile_freq,
+		                                                pkt_profile_file->AsFile());
 	else
 		pkt_profiler = nullptr;
 
@@ -139,7 +140,7 @@ void NetSessions::NextPacket(double t, const zeek::Packet* pkt)
 
 	dump_this_packet = false;
 
-	if ( record_all_packets )
+	if ( zeek::detail::record_all_packets )
 		DumpPacket(pkt);
 
 	if ( pkt->hdr_size > pkt->cap_len )
@@ -188,7 +189,7 @@ void NetSessions::NextPacket(double t, const zeek::Packet* pkt)
 		}
 
 
-	if ( dump_this_packet && ! record_all_packets )
+	if ( dump_this_packet && ! zeek::detail::record_all_packets )
 		DumpPacket(pkt);
 	}
 
@@ -275,7 +276,7 @@ void NetSessions::DoNextPacket(double t, const zeek::Packet* pkt, const zeek::IP
 	if ( packet_filter && packet_filter->Match(ip_hdr, len, caplen) )
 		 return;
 
-	if ( ! pkt->l2_checksummed && ! ignore_checksums && ip4 &&
+	if ( ! pkt->l2_checksummed && ! zeek::detail::ignore_checksums && ip4 &&
 	     ones_complement_checksum((void*) ip4, ip_hdr_len, 0) != 0xffff )
 		{
 		Weird("bad_IP_checksum", pkt, encapsulation);
@@ -1273,10 +1274,10 @@ bool NetSessions::WantConnection(uint16_t src_port, uint16_t dst_port,
 			{
 			// The new connection is starting either without a SYN,
 			// or with a SYN ack. This means it's a partial connection.
-			if ( ! partial_connection_ok )
+			if ( ! zeek::detail::partial_connection_ok )
 				return false;
 
-			if ( tcp_flags & TH_SYN && ! tcp_SYN_ack_ok )
+			if ( tcp_flags & TH_SYN && ! zeek::detail::tcp_SYN_ack_ok )
 				return false;
 
 			// Try to guess true responder by the port numbers.
diff --git a/src/Sessions.h b/src/Sessions.h
index 1831323d44..a8b0c2132e 100644
--- a/src/Sessions.h
+++ b/src/Sessions.h
@@ -90,7 +90,7 @@ public:
 	zeek::detail::PacketFilter* GetPacketFilter()
 		{
 		if ( ! packet_filter )
-			packet_filter = new zeek::detail::PacketFilter(packet_filter_default);
+			packet_filter = new zeek::detail::PacketFilter(detail::packet_filter_default);
 		return packet_filter;
 		}
 
diff --git a/src/TunnelEncapsulation.cc b/src/TunnelEncapsulation.cc
index 72fa04a53f..43e532c7bd 100644
--- a/src/TunnelEncapsulation.cc
+++ b/src/TunnelEncapsulation.cc
@@ -13,7 +13,7 @@ EncapsulatingConn::EncapsulatingConn(Connection* c, BifEnum::Tunnel::Type t)
 	{
 	if ( ! uid )
 		{
-		uid.Set(bits_per_uid);
+		uid.Set(zeek::detail::bits_per_uid);
 		c->SetUID(uid);
 		}
 	}
diff --git a/src/TunnelEncapsulation.h b/src/TunnelEncapsulation.h
index e0698a4ce6..89003017b9 100644
--- a/src/TunnelEncapsulation.h
+++ b/src/TunnelEncapsulation.h
@@ -46,7 +46,7 @@ public:
 	                  BifEnum::Tunnel::Type t = BifEnum::Tunnel::IP)
 		: src_addr(s), dst_addr(d), src_port(0), dst_port(0),
 		  proto(TRANSPORT_UNKNOWN), type(t),
-		  uid(zeek::UID(bits_per_uid))
+		  uid(zeek::UID(detail::bits_per_uid))
 		{
 		}
 
diff --git a/src/Val.cc b/src/Val.cc
index 4925f84b32..1d96d9c7bf 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -2557,8 +2557,8 @@ void TableVal::DoExpire(double t)
 	TableEntryVal* v_saved = nullptr;
 	bool modified = false;
 
-	for ( int i = 0; i < table_incremental_step &&
-			 (v = tbl->NextEntry(k, expire_cookie)); ++i )
+	for ( int i = 0; i < zeek::detail::table_incremental_step &&
+		      (v = tbl->NextEntry(k, expire_cookie)); ++i )
 		{
 		if ( v->ExpireAccessTime() == 0 )
 			{
@@ -2632,10 +2632,10 @@ void TableVal::DoExpire(double t)
 	if ( ! v )
 		{
 		expire_cookie = nullptr;
-		InitTimer(table_expire_interval);
+		InitTimer(zeek::detail::table_expire_interval);
 		}
 	else
-		InitTimer(table_expire_delay);
+		InitTimer(zeek::detail::table_expire_delay);
 	}
 
 double TableVal::GetExpireTime()
diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc
index 4d58a1c9d8..eca36857cb 100644
--- a/src/analyzer/Manager.cc
+++ b/src/analyzer/Manager.cc
@@ -399,7 +399,7 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
 	// the scheduled ones.
 	if ( ! scheduled )
 		{ // Let's see if it's a port we know.
-		if ( check_port && ! dpd_ignore_ports )
+		if ( check_port && ! zeek::detail::dpd_ignore_ports )
 			{
 			int resp_port = ntohs(conn->RespPort());
 			tag_set* ports = LookupPort(conn->ConnTransport(), resp_port, false);
@@ -430,9 +430,9 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
 		// be turned on later by the TCP PIA.
 
 		bool reass = root->GetChildren().size() ||
-				dpd_reassemble_first_packets ||
-				tcp_content_deliver_all_orig ||
-				tcp_content_deliver_all_resp;
+				zeek::detail::dpd_reassemble_first_packets ||
+				zeek::detail::tcp_content_deliver_all_orig ||
+				zeek::detail::tcp_content_deliver_all_resp;
 
 		if ( tcp_contents && ! reass )
 			{
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index 7fa206d27c..2f5f3c7f3e 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -59,7 +59,7 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
 
 	// There is a great deal of non-DNS traffic that runs on port 53.
 	// This should weed out most of it.
-	if ( dns_max_queries > 0 && msg.qdcount > dns_max_queries )
+	if ( zeek::detail::dns_max_queries > 0 && msg.qdcount > zeek::detail::dns_max_queries )
 		{
 		analyzer->ProtocolViolation("DNS_Conn_count_too_large");
 		analyzer->Weird("DNS_Conn_count_too_large");
@@ -87,8 +87,8 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
 
 	analyzer->ProtocolConfirmation();
 
-	int skip_auth = dns_skip_all_auth;
-	int skip_addl = dns_skip_all_addl;
+	int skip_auth = zeek::detail::dns_skip_all_auth;
+	int skip_addl = zeek::detail::dns_skip_all_addl;
 	if ( msg.ancount > 0 )
 		{ // We did an answer, so can potentially skip auth/addl.
 		static auto dns_skip_auth = zeek::id::find_val<zeek::TableVal>("dns_skip_auth");
@@ -1908,7 +1908,7 @@ DNS_Analyzer::DNS_Analyzer(zeek::Connection* conn)
 	else
 		{
 		ADD_ANALYZER_TIMER(&DNS_Analyzer::ExpireTimer,
-		                   zeek::net::network_time + dns_session_timeout, true,
+		                   zeek::net::network_time + zeek::detail::dns_session_timeout, true,
 		                   zeek::detail::TIMER_DNS_EXPIRE);
 		}
 	}
@@ -1956,14 +1956,14 @@ void DNS_Analyzer::ExpireTimer(double t)
 	// The - 1.0 in the following is to allow 1 second for the
 	// common case of a single request followed by a single reply,
 	// so we don't needlessly set the timer twice in that case.
-	if ( t - Conn()->LastTime() >= dns_session_timeout - 1.0 || zeek::net::terminating )
+	if ( t - Conn()->LastTime() >= zeek::detail::dns_session_timeout - 1.0 || zeek::net::terminating )
 		{
 		Event(connection_timeout);
 		zeek::sessions->Remove(Conn());
 		}
 	else
 		ADD_ANALYZER_TIMER(&DNS_Analyzer::ExpireTimer,
-		                   t + dns_session_timeout, true,
+		                   t + zeek::detail::dns_session_timeout, true,
 		                   zeek::detail::TIMER_DNS_EXPIRE);
 	}
 
diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc
index 4056285a07..aa63fe2c18 100644
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@@ -779,9 +779,9 @@ void HTTP_Message::SubmitData(int len, const char* buf)
 bool HTTP_Message::RequestBuffer(int* plen, char** pbuf)
 	{
 	if ( ! entity_data_buffer )
-		entity_data_buffer = new char[http_entity_data_delivery_size];
+		entity_data_buffer = new char[zeek::detail::http_entity_data_delivery_size];
 
-	*plen = http_entity_data_delivery_size;
+	*plen = zeek::detail::http_entity_data_delivery_size;
 	*pbuf = entity_data_buffer;
 	return true;
 	}
@@ -1381,12 +1381,12 @@ HTTP_Analyzer::TruncateURI(const zeek::StringValPtr& uri)
 	{
 	const zeek::String* str = uri->AsString();
 
-	if ( truncate_http_URI >= 0 && str->Len() > truncate_http_URI )
+	if ( zeek::detail::truncate_http_URI >= 0 && str->Len() > zeek::detail::truncate_http_URI )
 		{
-		u_char* s = new u_char[truncate_http_URI + 4];
-		memcpy(s, str->Bytes(), truncate_http_URI);
-		memcpy(s + truncate_http_URI, "...", 4);
-		return zeek::make_intrusive<zeek::StringVal>(new zeek::String(true, s, truncate_http_URI+3));
+		u_char* s = new u_char[zeek::detail::truncate_http_URI + 4];
+		memcpy(s, str->Bytes(), zeek::detail::truncate_http_URI);
+		memcpy(s + zeek::detail::truncate_http_URI, "...", 4);
+		return zeek::make_intrusive<zeek::StringVal>(new zeek::String(true, s, zeek::detail::truncate_http_URI+3));
 		}
 	else
 		return uri;
diff --git a/src/analyzer/protocol/icmp/ICMP.cc b/src/analyzer/protocol/icmp/ICMP.cc
index a77b0e8052..0f06bc9e00 100644
--- a/src/analyzer/protocol/icmp/ICMP.cc
+++ b/src/analyzer/protocol/icmp/ICMP.cc
@@ -24,7 +24,7 @@ ICMP_Analyzer::ICMP_Analyzer(zeek::Connection* c)
 	: TransportLayerAnalyzer("ICMP", c),
 	icmp_conn_val(), type(), code(), request_len(-1), reply_len(-1)
 	{
-	c->SetInactivityTimeout(icmp_inactivity_timeout);
+	c->SetInactivityTimeout(zeek::detail::icmp_inactivity_timeout);
 	}
 
 void ICMP_Analyzer::Done()
@@ -49,7 +49,7 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
 
 	const struct icmp* icmpp = (const struct icmp*) data;
 
-	if ( ! ignore_checksums && caplen >= len )
+	if ( ! zeek::detail::ignore_checksums && caplen >= len )
 		{
 		int chksum = 0;
 
diff --git a/src/analyzer/protocol/mime/MIME.cc b/src/analyzer/protocol/mime/MIME.cc
index 07efdcdaeb..e415b061b9 100644
--- a/src/analyzer/protocol/mime/MIME.cc
+++ b/src/analyzer/protocol/mime/MIME.cc
@@ -1329,8 +1329,8 @@ MIME_Mail::MIME_Mail(zeek::analyzer::Analyzer* mail_analyzer, bool orig, int buf
 	{
 	analyzer = mail_analyzer;
 
-	min_overlap_length = mime_segment_overlap_length;
-	max_chunk_length = mime_segment_length;
+	min_overlap_length = zeek::detail::mime_segment_overlap_length;
+	max_chunk_length = zeek::detail::mime_segment_length;
 	is_orig = orig;
 
 	int length = buf_size;
diff --git a/src/analyzer/protocol/pia/PIA.cc b/src/analyzer/protocol/pia/PIA.cc
index 4f00437231..ffdf1e9cb6 100644
--- a/src/analyzer/protocol/pia/PIA.cc
+++ b/src/analyzer/protocol/pia/PIA.cc
@@ -104,8 +104,8 @@ void PIA::PIA_DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t
 	     len > 0 )
 		{
 		AddToBuffer(&pkt_buffer, seq, len, data, is_orig, ip);
-		if ( pkt_buffer.size > dpd_buffer_size )
-			new_state = dpd_match_only_beginning ?
+		if ( pkt_buffer.size > zeek::detail::dpd_buffer_size )
+			new_state = zeek::detail::dpd_match_only_beginning ?
 						SKIPPING : MATCHING_ONLY;
 		}
 
@@ -163,7 +163,7 @@ void PIA_UDP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule
 			zeek::event_mgr.Enqueue(protocol_late_match, ConnVal(), tval);
 			}
 
-		pkt_buffer.state = dpd_late_match_stop ? SKIPPING : MATCHING_ONLY;
+		pkt_buffer.state = zeek::detail::dpd_late_match_stop ? SKIPPING : MATCHING_ONLY;
 		return;
 		}
 
@@ -271,8 +271,8 @@ void PIA_TCP::DeliverStream(int len, const u_char* data, bool is_orig)
 	if ( stream_buffer.state == BUFFERING || new_state == BUFFERING )
 		{
 		AddToBuffer(&stream_buffer, len, data, is_orig);
-		if ( stream_buffer.size > dpd_buffer_size )
-			new_state = dpd_match_only_beginning ?
+		if ( stream_buffer.size > zeek::detail::dpd_buffer_size )
+			new_state = zeek::detail::dpd_match_only_beginning ?
 						SKIPPING : MATCHING_ONLY;
 		}
 
@@ -310,7 +310,7 @@ void PIA_TCP::ActivateAnalyzer(zeek::analyzer::Tag tag, const zeek::detail::Rule
 			zeek::event_mgr.Enqueue(protocol_late_match, ConnVal(), tval);
 			}
 
-		stream_buffer.state = dpd_late_match_stop ? SKIPPING : MATCHING_ONLY;
+		stream_buffer.state = zeek::detail::dpd_late_match_stop ? SKIPPING : MATCHING_ONLY;
 		return;
 		}
 
diff --git a/src/analyzer/protocol/rpc/RPC.cc b/src/analyzer/protocol/rpc/RPC.cc
index d950a67228..69b6e170d4 100644
--- a/src/analyzer/protocol/rpc/RPC.cc
+++ b/src/analyzer/protocol/rpc/RPC.cc
@@ -729,7 +729,7 @@ RPC_Analyzer::RPC_Analyzer(const char* name, zeek::Connection* conn,
 	{
 	if ( Conn()->ConnTransport() == TRANSPORT_UDP )
 		ADD_ANALYZER_TIMER(&RPC_Analyzer::ExpireTimer,
-		                   zeek::net::network_time + rpc_timeout, true,
+		                   zeek::net::network_time + zeek::detail::rpc_timeout, true,
 		                   zeek::detail::TIMER_RPC_EXPIRE);
 	}
 
diff --git a/src/analyzer/protocol/stepping-stone/SteppingStone.cc b/src/analyzer/protocol/stepping-stone/SteppingStone.cc
index a0816ccc87..69d9004f83 100644
--- a/src/analyzer/protocol/stepping-stone/SteppingStone.cc
+++ b/src/analyzer/protocol/stepping-stone/SteppingStone.cc
@@ -70,7 +70,7 @@ bool SteppingStoneEndpoint::DataSent(double t, uint64_t seq, int len, int caplen
 	if ( len <= 0 )
 		return false;
 
-	double tmin = t - stp_delta;
+	double tmin = t - zeek::detail::stp_delta;
 
 	while ( stp_manager->OrderedEndpoints().length() > 0 )
 		{
@@ -95,7 +95,7 @@ bool SteppingStoneEndpoint::DataSent(double t, uint64_t seq, int len, int caplen
 
 	stp_max_top_seq = top_seq;
 
-	if ( stp_last_time && t <= stp_last_time + stp_idle_min )
+	if ( stp_last_time && t <= stp_last_time + zeek::detail::stp_idle_min )
 		{
 		stp_last_time = t;
 		return true;
diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc
index a6273076ac..457e8a3008 100644
--- a/src/analyzer/protocol/tcp/TCP.cc
+++ b/src/analyzer/protocol/tcp/TCP.cc
@@ -127,7 +127,7 @@ TCP_Analyzer::TCP_Analyzer(zeek::Connection* conn)
 	{
 	// Set a timer to eventually time out this connection.
 	ADD_ANALYZER_TIMER(&TCP_Analyzer::ExpireTimer,
-	                   zeek::net::network_time + tcp_SYN_timeout, false,
+	                   zeek::net::network_time + zeek::detail::tcp_SYN_timeout, false,
 	                   zeek::detail::TIMER_TCP_EXPIRE);
 
 	deferred_gen_event = close_deferred = 0;
@@ -275,7 +275,7 @@ const struct tcphdr* TCP_Analyzer::ExtractTCP_Header(const u_char*& data,
 bool TCP_Analyzer::ValidateChecksum(const struct tcphdr* tp,
 				TCP_Endpoint* endpoint, int len, int caplen)
 	{
-	if ( ! zeek::net::current_pkt->l3_checksummed && ! ignore_checksums && caplen >= len &&
+	if ( ! zeek::net::current_pkt->l3_checksummed && ! zeek::detail::ignore_checksums && caplen >= len &&
 	     ! endpoint->ValidChecksum(tp, len) )
 		{
 		Weird("bad_TCP_checksum");
@@ -493,9 +493,9 @@ void TCP_Analyzer::UpdateInactiveState(double t,
 			else
 				endpoint->SetState(TCP_ENDPOINT_SYN_SENT);
 
-			if ( tcp_attempt_delay )
+			if ( zeek::detail::tcp_attempt_delay )
 				ADD_ANALYZER_TIMER(&TCP_Analyzer::AttemptTimer,
-				                   t + tcp_attempt_delay, true,
+				                   t + zeek::detail::tcp_attempt_delay, true,
 				                   zeek::detail::TIMER_TCP_ATTEMPT);
 			}
 		else
@@ -725,7 +725,7 @@ void TCP_Analyzer::UpdateClosedState(double t, TCP_Endpoint* endpoint,
 
 		if ( connection_reset )
 			ADD_ANALYZER_TIMER(&TCP_Analyzer::ResetTimer,
-			                   t + tcp_reset_delay, true,
+			                   t + zeek::detail::tcp_reset_delay, true,
 			                   zeek::detail::TIMER_TCP_RESET);
 		}
 	}
@@ -1113,8 +1113,8 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 		{
 		++endpoint->FIN_cnt;
 
-		if ( endpoint->FIN_cnt >= tcp_storm_thresh && zeek::net::current_timestamp <
-		     endpoint->last_time + tcp_storm_interarrival_thresh )
+		if ( endpoint->FIN_cnt >= zeek::detail::tcp_storm_thresh && zeek::net::current_timestamp <
+		     endpoint->last_time + zeek::detail::tcp_storm_interarrival_thresh )
 			Weird("FIN_storm");
 
 		endpoint->FIN_seq = rel_seq + seg_len;
@@ -1124,8 +1124,8 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 		{
 		++endpoint->RST_cnt;
 
-		if ( endpoint->RST_cnt >= tcp_storm_thresh && zeek::net::current_timestamp <
-		     endpoint->last_time + tcp_storm_interarrival_thresh )
+		if ( endpoint->RST_cnt >= zeek::detail::tcp_storm_thresh && zeek::net::current_timestamp <
+		     endpoint->last_time + zeek::detail::tcp_storm_interarrival_thresh )
 			Weird("RST_storm");
 
 		// This now happens often enough that it's
@@ -1513,7 +1513,7 @@ void TCP_Analyzer::ExpireTimer(double t)
 	if ( ! is_active )
 		return;
 
-	if ( Conn()->LastTime() + tcp_connection_linger < t )
+	if ( Conn()->LastTime() + zeek::detail::tcp_connection_linger < t )
 		{
 		if ( orig->did_close || resp->did_close )
 			{
@@ -1558,7 +1558,7 @@ void TCP_Analyzer::ExpireTimer(double t)
 	// Connection still active, so reschedule timer.
 	// ### if PQ_Element's were Obj's, could just Ref the timer
 	// and adjust its value here, instead of creating a new timer.
-	ADD_ANALYZER_TIMER(&TCP_Analyzer::ExpireTimer, t + tcp_session_timer,
+	ADD_ANALYZER_TIMER(&TCP_Analyzer::ExpireTimer, t + zeek::detail::tcp_session_timer,
 	                   false, zeek::detail::TIMER_TCP_EXPIRE);
 	}
 
@@ -1664,7 +1664,8 @@ void TCP_Analyzer::ConnectionClosed(TCP_Endpoint* endpoint, TCP_Endpoint* peer,
 	if ( DEBUG_tcp_connection_close )
 		{
 		DEBUG_MSG("%.6f close_complete=%d tcp_close_delay=%f\n",
-		          zeek::net::network_time, close_complete, tcp_close_delay);
+		          zeek::net::network_time, close_complete,
+		          zeek::detail::tcp_close_delay);
 		}
 
 	if ( close_complete )
@@ -1697,9 +1698,9 @@ void TCP_Analyzer::ConnectionClosed(TCP_Endpoint* endpoint, TCP_Endpoint* peer,
 		//
 		// here, because that would cause the object to be
 		// deleted out from under us.
-		if ( tcp_close_delay != 0.0 )
+		if ( zeek::detail::tcp_close_delay != 0.0 )
 			ADD_ANALYZER_TIMER(&TCP_Analyzer::ConnDeleteTimer,
-			                   Conn()->LastTime() + tcp_close_delay, false,
+			                   Conn()->LastTime() + zeek::detail::tcp_close_delay, false,
 			                   zeek::detail::TIMER_CONN_DELETE);
 		else
 			ADD_ANALYZER_TIMER(&TCP_Analyzer::DeleteTimer, Conn()->LastTime(), false,
@@ -1712,7 +1713,7 @@ void TCP_Analyzer::ConnectionClosed(TCP_Endpoint* endpoint, TCP_Endpoint* peer,
 			{ // First time we've seen anything from this side.
 			if ( connection_partial_close )
 				ADD_ANALYZER_TIMER(&TCP_Analyzer::PartialCloseTimer,
-				                   Conn()->LastTime() + tcp_partial_close_delay, false,
+				                   Conn()->LastTime() + zeek::detail::tcp_partial_close_delay, false,
 				                   zeek::detail::TIMER_TCP_PARTIAL_CLOSE );
 			}
 
@@ -1721,7 +1722,7 @@ void TCP_Analyzer::ConnectionClosed(TCP_Endpoint* endpoint, TCP_Endpoint* peer,
 			// Create a timer to look for the other side closing,
 			// too.
 			ADD_ANALYZER_TIMER(&TCP_Analyzer::ExpireTimer,
-			                   Conn()->LastTime() + tcp_session_timer, false,
+			                   Conn()->LastTime() + zeek::detail::tcp_session_timer, false,
 			                   zeek::detail::TIMER_TCP_EXPIRE);
 			}
 		}
@@ -1869,7 +1870,7 @@ bool TCP_Analyzer::IsReuse(double t, const u_char* pkt)
 		  resp->state != TCP_ENDPOINT_RESET )
 		Weird("active_connection_reuse");
 
-	else if ( t - Conn()->LastTime() < tcp_connection_linger &&
+	else if ( t - Conn()->LastTime() < zeek::detail::tcp_connection_linger &&
 		  orig->state != TCP_ENDPOINT_RESET &&
 		  resp->state != TCP_ENDPOINT_RESET )
 		Weird("premature_connection_reuse");
diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.cc b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
index ddc36e3df7..3c9266c598 100644
--- a/src/analyzer/protocol/tcp/TCP_Endpoint.cc
+++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
@@ -151,7 +151,7 @@ void TCP_Endpoint::SetState(EndpointState new_state)
 		// handshake.
 		if ( ! is_handshake(new_state) )
 			if ( is_handshake(state) && is_handshake(peer->state) )
-				Conn()->SetInactivityTimeout(tcp_inactivity_timeout);
+				Conn()->SetInactivityTimeout(zeek::detail::tcp_inactivity_timeout);
 
 		prev_state = state;
 		state = new_state;
diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
index 3926bf8d4f..e5e2eb860e 100644
--- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc
+++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
@@ -36,8 +36,8 @@ TCP_Reassembler::TCP_Reassembler(zeek::analyzer::Analyzer* arg_dst_analyzer,
 	seq_to_skip = 0;
 	in_delivery = false;
 
-	if ( tcp_max_old_segments )
-		SetMaxOldBlocks(tcp_max_old_segments);
+	if ( zeek::detail::tcp_max_old_segments )
+		SetMaxOldBlocks(zeek::detail::tcp_max_old_segments);
 
 	if ( ::tcp_contents )
 		{
@@ -50,8 +50,8 @@ TCP_Reassembler::TCP_Reassembler(zeek::analyzer::Analyzer* arg_dst_analyzer,
 			tcp_content_delivery_ports_resp;
 		auto result = ports->FindOrDefault(dst_port_val);
 
-		if ( (IsOrig() && tcp_content_deliver_all_orig) ||
-		     (! IsOrig() && tcp_content_deliver_all_resp) ||
+		if ( (IsOrig() && zeek::detail::tcp_content_deliver_all_orig) ||
+		     (! IsOrig() && zeek::detail::tcp_content_deliver_all_resp) ||
 		     (result && result->AsBool()) )
 			deliver_tcp_contents = true;
 		}
@@ -272,7 +272,7 @@ void TCP_Reassembler::Undelivered(uint64_t up_to_seq)
 	if ( record_contents_file )
 		RecordToSeq(last_reassem_seq, up_to_seq, record_contents_file);
 
-	if ( tcp_match_undelivered )
+	if ( zeek::detail::tcp_match_undelivered )
 		MatchUndelivered(up_to_seq, false);
 
 	// But we need to re-adjust last_reassem_seq in either case.
@@ -422,8 +422,8 @@ void TCP_Reassembler::BlockInserted(zeek::DataBlockMap::const_iterator it)
 		// the now-delivered data.
 		TrimToSeq(last_reassem_seq);
 
-	else if ( e->NoDataAcked() && tcp_max_initial_window &&
-		  e->Size() > static_cast<uint64_t>(tcp_max_initial_window) )
+	else if ( e->NoDataAcked() && zeek::detail::tcp_max_initial_window &&
+		  e->Size() > static_cast<uint64_t>(zeek::detail::tcp_max_initial_window) )
 		// We've sent quite a bit of data, yet none of it has
 		// been acked.  Presume that we're not seeing the peer's
 		// acks (perhaps due to filtering or split routing) and
@@ -504,16 +504,16 @@ bool TCP_Reassembler::DataSent(double t, uint64_t seq, int len,
 	NewBlock(t, seq, len, data);
 	flags = TCP_Flags();
 
-	if ( Endpoint()->NoDataAcked() && tcp_max_above_hole_without_any_acks &&
-	     NumUndeliveredBytes() > static_cast<uint64_t>(tcp_max_above_hole_without_any_acks) )
+	if ( Endpoint()->NoDataAcked() && zeek::detail::tcp_max_above_hole_without_any_acks &&
+	     NumUndeliveredBytes() > static_cast<uint64_t>(zeek::detail::tcp_max_above_hole_without_any_acks) )
 		{
 		tcp_analyzer->Weird("above_hole_data_without_any_acks");
 		ClearBlocks();
 		skip_deliveries = true;
 		}
 
-	if ( tcp_excessive_data_without_further_acks &&
-	     block_list.DataSize() > static_cast<uint64_t>(tcp_excessive_data_without_further_acks) )
+	if ( zeek::detail::tcp_excessive_data_without_further_acks &&
+	     block_list.DataSize() > static_cast<uint64_t>(zeek::detail::tcp_excessive_data_without_further_acks) )
 		{
 		tcp_analyzer->Weird("excessive_data_without_further_acks");
 		ClearBlocks();
diff --git a/src/analyzer/protocol/udp/UDP.cc b/src/analyzer/protocol/udp/UDP.cc
index 0f5262493f..e355bc6d74 100644
--- a/src/analyzer/protocol/udp/UDP.cc
+++ b/src/analyzer/protocol/udp/UDP.cc
@@ -19,7 +19,7 @@ UDP_Analyzer::UDP_Analyzer(zeek::Connection* conn)
 	: zeek::analyzer::TransportLayerAnalyzer("UDP", conn)
 	{
 	conn->EnableStatusUpdateTimer();
-	conn->SetInactivityTimeout(udp_inactivity_timeout);
+	conn->SetInactivityTimeout(zeek::detail::udp_inactivity_timeout);
 	request_len = reply_len = -1;	// -1 means "haven't seen any activity"
 
 	req_chk_cnt = rep_chk_cnt = 0;
@@ -62,7 +62,7 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 
 	int chksum = up->uh_sum;
 
-	auto validate_checksum = ! zeek::net::current_pkt->l3_checksummed && ! ignore_checksums && caplen >=len;
+	auto validate_checksum = ! zeek::net::current_pkt->l3_checksummed && ! zeek::detail::ignore_checksums && caplen >=len;
 	constexpr auto vxlan_len = 8;
 	constexpr auto eth_len = 14;
 
@@ -146,22 +146,22 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 			do_udp_contents = true;
 		else
 			{
-			uint16_t p = udp_content_delivery_ports_use_resp ? Conn()->RespPort()
-			                                                 : up->uh_dport;
+			uint16_t p = zeek::detail::udp_content_delivery_ports_use_resp ? Conn()->RespPort()
+			                                                               : up->uh_dport;
 			const auto& port_val = zeek::val_mgr->Port(ntohs(p), TRANSPORT_UDP);
 
 			if ( is_orig )
 				{
 				auto result = udp_content_delivery_ports_orig->FindOrDefault(port_val);
 
-				if ( udp_content_deliver_all_orig || (result && result->AsBool()) )
+				if ( zeek::detail::udp_content_deliver_all_orig || (result && result->AsBool()) )
 					do_udp_contents = true;
 				}
 			else
 				{
 				auto result = udp_content_delivery_ports_resp->FindOrDefault(port_val);
 
-				if ( udp_content_deliver_all_resp || (result && result->AsBool()) )
+				if ( zeek::detail::udp_content_deliver_all_resp || (result && result->AsBool()) )
 					do_udp_contents = true;
 				}
 			}
diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc
index 2af24f522d..4034e93539 100644
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@@ -70,7 +70,7 @@ string Manager::HashHandle(const string& handle) const
 	zeek::detail::hash128_t hash;
 	zeek::detail::KeyedHash::StaticHash128(handle.data(), handle.size(), &hash);
 
-	return zeek::UID(bits_per_uid, hash, 2).Base62("F");
+	return zeek::UID(zeek::detail::bits_per_uid, hash, 2).Base62("F");
 	}
 
 void Manager::SetHandle(const string& handle)
diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc
index d517ba440c..6d0d1349f9 100644
--- a/src/iosource/Packet.cc
+++ b/src/iosource/Packet.cc
@@ -560,16 +560,16 @@ void Packet::ProcessLayer2()
 			}
 		}
 
-	else if ( encap_hdr_size )
+	else if ( zeek::detail::encap_hdr_size )
 		{
 		// Blanket encapsulation. We assume that what remains is IP.
-		if ( pdata + encap_hdr_size + sizeof(struct ip) >= end_of_data )
+		if ( pdata + zeek::detail::encap_hdr_size + sizeof(struct ip) >= end_of_data )
 			{
 			Weird("no_ip_left_after_encap");
 			return;
 			}
 
-		pdata += encap_hdr_size;
+		pdata += zeek::detail::encap_hdr_size;
 
 		const struct ip* ip = (const struct ip *)pdata;
 
diff --git a/src/legacy-netvar-init.cc b/src/legacy-netvar-init.cc
index 163d68a630..fed53a1f1e 100644
--- a/src/legacy-netvar-init.cc
+++ b/src/legacy-netvar-init.cc
@@ -4,7 +4,7 @@
 #include "ID.h"
 #include "Scope.h"
 
-namespace zeek {
+namespace zeek::detail {
 
 // Compiled separately to avoid deprecation warnings at the assignment sites.
 void zeek_legacy_netvar_init()
@@ -95,4 +95,4 @@ void zeek_legacy_netvar_init()
 		preserve_other_addr = anon_id->GetVal()->AsTableVal();
 	}
 
-} // namespace zeek
+} // namespace zeek::detail