GH-1991: Add option to limit the number of tunnel_changed events

2025-10-02 06:38:20 +00:00 · 2022-06-15 13:22:29 -07:00 · 2022-06-15 13:22:29 -07:00 · a9fd4a60e0
commit a9fd4a60e0
parent 4deacefa4c
5 changed files with 21 additions and 1 deletions
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -403,6 +403,13 @@ export {
 		## cross-references the *uid* field of :zeek:type:`connection`.
 		uid: string &optional;
 	} &log;
+
+	## The number of tunnel_changed events that will be sent for a connection. Once this
+	## limit is hit, no more of those events will be sent to avoid a large number of events
+	## being sent for connections that regularly swap. This can be set to zero to disable
+	## this limiting.
+	const max_changes_per_connection: count = 5 &redef;
+
 } # end export
 module GLOBAL;

--- a/src/Conn.cc
+++ b/src/Conn.cc
@ -96,8 +96,13 @@ void Connection::CheckEncapsulation(const std::shared_ptr<EncapsulationStack>& a
 		{
 		if ( *encapsulation != *arg_encap )
 			{
-			if ( tunnel_changed )
+			if ( tunnel_changed &&
+			     (zeek::detail::tunnel_max_changes_per_connection == 0 ||
+			      tunnel_changes < zeek::detail::tunnel_max_changes_per_connection) )
+				{
+				tunnel_changes++;
 				EnqueueEvent(tunnel_changed, nullptr, GetVal(), arg_encap->ToVal());
+				}

 			encapsulation = std::make_shared<EncapsulationStack>(*arg_encap);
 			}
--- a/src/Conn.h
+++ b/src/Conn.h
@ -268,6 +268,7 @@ private:
 	int suppress_event; // suppress certain events to once per conn.
 	RecordValPtr conn_val;
 	std::shared_ptr<EncapsulationStack> encapsulation; // tunnels
+	uint8_t tunnel_changes = 0;

 	detail::ConnKey key;

--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@ -193,6 +193,8 @@ int record_all_packets;

 bro_uint_t bits_per_uid;

+bro_uint_t tunnel_max_changes_per_connection;
+
 	} // namespace zeek::detail. The namespace has be closed here before we include the netvar_def
 	  // files.

@ -343,6 +345,9 @@ void init_net_var()
 	dpd_match_only_beginning = id::find_val("dpd_match_only_beginning")->AsBool();
 	dpd_late_match_stop = id::find_val("dpd_late_match_stop")->AsBool();
 	dpd_ignore_ports = id::find_val("dpd_ignore_ports")->AsBool();
+
+	tunnel_max_changes_per_connection =
+		id::find_val("Tunnel::max_changes_per_connection")->AsCount();
 	}

 	} // namespace zeek::detail
--- a/src/NetVar.h
+++ b/src/NetVar.h
@ -94,6 +94,8 @@ extern int record_all_packets;

 extern bro_uint_t bits_per_uid;

+extern bro_uint_t tunnel_max_changes_per_connection;
+
 // Initializes globals that don't pertain to network/event analysis.
 extern void init_general_global_var();