Refactor IP-in-IP tunnel support.

UDP tunnel support removed for now, to be re-added in specific analyzers later, but IP-in-IP is now decapsulated recursively so nested tunnels can be seen and the inner packets get sent through the IP fragment reassembler if necessary.
2025-10-04 07:38:19 +00:00 · 2012-04-23 13:15:29 -05:00 · 2012-04-23 13:15:29 -05:00 · b51dd191d7
commit b51dd191d7
parent 4062fc1776
21 changed files with 300 additions and 323 deletions
--- a/testing/btest/Baseline/core.tunnels.ip-in-ip/output
+++ b/testing/btest/Baseline/core.tunnels.ip-in-ip/output
@ -0,0 +1,22 @@
+new_connection: tunnel
+    conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp]
+    encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown], tunnel_type=Tunnel::IP6_IN_IP6]]
+new_connection: tunnel
+    conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp]
+    encap: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown], tunnel_type=Tunnel::IP6_IN_IP6], [cid=[orig_h=babe::beef, orig_p=0/unknown, resp_h=dead::babe, resp_p=0/unknown], tunnel_type=Tunnel::IP6_IN_IP6]]
+new_connection: tunnel
+    conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp]
+    encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown], tunnel_type=Tunnel::IP6_IN_IP4]]
+new_connection: tunnel
+    conn_id: [orig_h=70.55.213.211, orig_p=31337/tcp, resp_h=192.88.99.1, resp_p=80/tcp]
+    encap: [[cid=[orig_h=2002:4637:d5d3::4637:d5d3, orig_p=0/unknown, resp_h=2001:4860:0:2001::68, resp_p=0/unknown], tunnel_type=Tunnel::IP4_IN_IP6]]
+new_connection: tunnel
+    conn_id: [orig_h=10.0.0.1, orig_p=30000/udp, resp_h=10.0.0.2, resp_p=13000/udp]
+    encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown], tunnel_type=Tunnel::IP4_IN_IP4]]
+new_connection: tunnel
+    conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp]
+    encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown], tunnel_type=Tunnel::IP6_IN_IP6]]
+tunnel_changed:
+    conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp]
+    old: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown], tunnel_type=Tunnel::IP6_IN_IP6]]
+    new: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown], tunnel_type=Tunnel::IP6_IN_IP6]]
--- a/testing/btest/Traces/tunnels/4in4.pcap
+++ b/testing/btest/Traces/tunnels/4in4.pcap
--- a/testing/btest/Traces/tunnels/4in6.pcap
+++ b/testing/btest/Traces/tunnels/4in6.pcap
--- a/testing/btest/Traces/tunnels/6in4.pcap
+++ b/testing/btest/Traces/tunnels/6in4.pcap
--- a/testing/btest/Traces/tunnels/6in6-tunnel-change.pcap
+++ b/testing/btest/Traces/tunnels/6in6-tunnel-change.pcap
--- a/testing/btest/Traces/tunnels/6in6.pcap
+++ b/testing/btest/Traces/tunnels/6in6.pcap
--- a/testing/btest/Traces/tunnels/6in6in6.pcap
+++ b/testing/btest/Traces/tunnels/6in6in6.pcap
--- a/testing/btest/core/tunnels/ip-in-ip.test
+++ b/testing/btest/core/tunnels/ip-in-ip.test
@ -0,0 +1,30 @@
+# @TEST-EXEC: bro -b -r $TRACES/tunnels/6in6.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/tunnels/6in6in6.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/tunnels/6in4.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/tunnels/4in6.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/tunnels/4in4.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -b -r $TRACES/tunnels/6in6-tunnel-change.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: btest-diff output
+
+event new_connection(c: connection)
+	{
+	if ( c?$tunnel )
+		{
+		print "new_connection: tunnel";
+		print fmt("    conn_id: %s", c$id);
+		print fmt("    encap: %s", c$tunnel);
+		}
+	else
+		{
+		print "new_connection: no tunnel";
+		}
+	}
+
+event tunnel_changed(c: connection, e: encapsulating_conns)
+	{
+	print "tunnel_changed:";
+	print fmt("    conn_id: %s", c$id);
+	if ( c?$tunnel )
+		print fmt("    old: %s", c$tunnel);
+	print fmt("    new: %s", e);
+	}