Just some cleanup/documentation of new tunnel-handling code.

scripts/base/frameworks/tunnels/main.bro

@@ -2,7 +2,7 @@
 ##! AYIYA, or IP-in-IP such as 6to4 where "IP" is either IPv4 or IPv6).
 ##!
 ##! For any connection that occurs over a tunnel, information about its
-##! its encapsulating tunnels is also found in the *tunnel* field of
+##! encapsulating tunnels is also found in the *tunnel* field of
 ##! :bro:type:`connection`.
 
 module Tunnel;
@@ -35,7 +35,6 @@ export {
 		action:      Action       &log;
 		## The type of tunnel.
 		tunnel_type: Tunnel::Type &log;
-		user:        string       &log &optional;
 	};
 
 	## Logs all tunnels in an ecapsulation chain with action

src/CMakeLists.txt

@@ -402,7 +402,7 @@ set(bro_SRCS
     Timer.cc
     Traverse.cc
     Trigger.cc
-    Tunnels.cc
+    TunnelEncapsulation.cc
     Type.cc
     UDP.cc
     Val.cc

src/Conn.cc

@@ -13,7 +13,7 @@
 #include "Timer.h"
 #include "PIA.h"
 #include "binpac.h"
-#include "Tunnels.h"
+#include "TunnelEncapsulation.h"
 
 void ConnectionTimer::Init(Connection* arg_conn, timer_func arg_timer,
 				int arg_do_expire)

src/Conn.h

@@ -13,7 +13,7 @@
 #include "RuleMatcher.h"
 #include "AnalyzerTags.h"
 #include "IPAddr.h"
-#include "Tunnels.h"
+#include "TunnelEncapsulation.h"
 
 class Connection;
 class ConnectionTimer;

src/Sessions.cc

@@ -30,7 +30,7 @@
 #include "DPM.h"
 
 #include "PacketSort.h"
-#include "Tunnels.h"
+#include "TunnelEncapsulation.h"
 
 // These represent NetBIOS services on ephemeral ports.  They're numbered
 // so that we can use a single int to hold either an actual TCP/UDP server
@@ -570,8 +570,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 
 		if ( it == ip_tunnels.end() )
 			{
-			EncapsulatingConn ec(ip_hdr->SrcAddr(), ip_hdr->DstAddr(),
+			EncapsulatingConn ec(ip_hdr->SrcAddr(), ip_hdr->DstAddr());
-			                     BifEnum::Tunnel::IP);
 			ip_tunnels[tunnel_idx] = ec;
 			outer->Add(ec);
 			}

src/Sessions.h

@@ -11,7 +11,7 @@
 #include "PacketFilter.h"
 #include "Stats.h"
 #include "NetVar.h"
-#include "Tunnels.h"
+#include "TunnelEncapsulation.h"
 #include <utility>
 
 struct pcap_pkthdr;

src/TunnelEncapsulation.cc

@@ -1,13 +1,13 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "Tunnels.h"
+#include "TunnelEncapsulation.h"
 #include "util.h"
 #include "Conn.h"
 
 EncapsulatingConn::EncapsulatingConn(Connection* c, BifEnum::Tunnel::Type t)
 		: src_addr(c->OrigAddr()), dst_addr(c->RespAddr()),
 		  src_port(c->OrigPort()), dst_port(c->RespPort()),
-		  type(t), uid(c->GetUID())
+		  proto(c->ConnTransport()), type(t), uid(c->GetUID())
 		{
 		if ( ! uid )
 			{
@@ -18,28 +18,13 @@ EncapsulatingConn::EncapsulatingConn(Connection* c, BifEnum::Tunnel::Type t)
 
 RecordVal* EncapsulatingConn::GetRecordVal() const
 	{
-	RecordVal *rv =
+	RecordVal *rv = new RecordVal(BifType::Record::Tunnel::EncapsulatingConn);
-			new RecordVal(BifType::Record::Tunnel::EncapsulatingConn);
-	TransportProto tproto;
-	switch ( type ) {
-	case BifEnum::Tunnel::AYIYA:
-	case BifEnum::Tunnel::TEREDO:
-		tproto = TRANSPORT_UDP;
-		break;
-	case BifEnum::Tunnel::SOCKS:
-		tproto = TRANSPORT_TCP;
-		break;
-	case BifEnum::Tunnel::IP:
-	default:
-		tproto = TRANSPORT_UNKNOWN;
-		break;
-	} // end switch
 
 	RecordVal* id_val = new RecordVal(conn_id);
 	id_val->Assign(0, new AddrVal(src_addr));
-	id_val->Assign(1, new PortVal(ntohs(src_port), tproto));
+	id_val->Assign(1, new PortVal(ntohs(src_port), proto));
 	id_val->Assign(2, new AddrVal(dst_addr));
-	id_val->Assign(3, new PortVal(ntohs(dst_port), tproto));
+	id_val->Assign(3, new PortVal(ntohs(dst_port), proto));
 	rv->Assign(0, id_val);
 	rv->Assign(1, new EnumVal(type, BifType::Enum::Tunnel::Type));
 	char tmp[20];

src/TunnelEncapsulation.h

@@ -11,30 +11,71 @@
 
 class Connection;
 
+/**
+ * Represents various types of tunnel "connections", that is, a pair of
+ * endpoints whose communication encapsulates inner IP packets.  This could
+ * mean IP packets nested inside IP packets or IP packets nested inside a
+ * transport layer protocol.  EncapsulatingConn's are assigned a UID, which can
+ * be shared with Connection's in the case the tunnel uses a transport-layer.
+ */
 class EncapsulatingConn {
 public:
+	/**
+	 * Default tunnel connection constructor.
+	 */
 	EncapsulatingConn()
-		: src_port(0), dst_port(0), type(BifEnum::Tunnel::NONE), uid(0)
+		: src_port(0), dst_port(0), proto(TRANSPORT_UNKNOWN),
+		  type(BifEnum::Tunnel::NONE), uid(0)
 		{}
 
-	EncapsulatingConn(const IPAddr& s, const IPAddr& d,
+	/**
-	                  BifEnum::Tunnel::Type t)
+	 * Construct an IP tunnel "connection" with its own UID.
-		: src_addr(s), dst_addr(d), src_port(0), dst_port(0), type(t)
+	 * The assignment of "source" and "destination" addresses here can be
+	 * arbitrary, comparison between EncapsulatingConn objects will treat IP
+	 * tunnels as equivalent as long as the same two endpoints are involved.
+	 *
+	 * @param s The tunnel source address, likely taken from an IP header.
+	 * @param d The tunnel destination address, likely taken from an IP header.
+	 */
+	EncapsulatingConn(const IPAddr& s, const IPAddr& d)
+		: src_addr(s), dst_addr(d), src_port(0), dst_port(0),
+		  proto(TRANSPORT_UNKNOWN), type(BifEnum::Tunnel::IP)
 		{
 		uid = calculate_unique_id();
 		}
 
+	/**
+	 * Construct a tunnel connection using information from an already existing
+	 * transport-layer-aware connection object.
+	 *
+	 * @param c The connection from which endpoint information can be extracted.
+	 *        If it already has a UID associated with it, that gets inherited,
+	 *        otherwise a new UID is created for this tunnel and \a c.
+	 * @param t The type of tunneling that is occurring over the connection.
+	 */
 	EncapsulatingConn(Connection* c, BifEnum::Tunnel::Type t);
 
+	/**
+	 * Copy constructor.
+	 */
 	EncapsulatingConn(const EncapsulatingConn& other)
 		: src_addr(other.src_addr), dst_addr(other.dst_addr),
 		  src_port(other.src_port), dst_port(other.dst_port),
-		  type(other.type), uid(other.uid)
+		  proto(other.proto), type(other.type), uid(other.uid)
 		{}
 
+	/**
+	 * Destructor.
+	 */
 	~EncapsulatingConn()
 		{}
 
+	BifEnum::Tunnel::Type Type() const
+		{ return type; }
+
+	/**
+	 * Returns record value of type "EncapsulatingConn" representing the tunnel.
+	 */
 	RecordVal* GetRecordVal() const;
 
 	friend bool operator==(const EncapsulatingConn& ec1,
@@ -43,12 +84,13 @@ public:
 		if ( ec1.type != ec2.type )
 			return false;
 		if ( ec1.type == BifEnum::Tunnel::IP )
-			return ec1.uid == ec2.uid &&
+			// Reversing endpoints is still same tunnel.
+			return ec1.uid == ec2.uid && ec1.proto == ec2.proto &&
 			  ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) ||
 			   (ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr));
 		return ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr &&
 		       ec1.src_port == ec2.src_port && ec1.dst_port == ec2.dst_port &&
-		       ec1.uid == ec2.uid;
+		       ec1.uid == ec2.uid && ec1.proto == ec2.proto;
 		}
 
 	friend bool operator!=(const EncapsulatingConn& ec1,
@@ -57,14 +99,19 @@ public:
 		return ! ( ec1 == ec2 );
 		}
 
+protected:
 	IPAddr src_addr;
 	IPAddr dst_addr;
 	uint16 src_port;
 	uint16 dst_port;
+	TransportProto proto;
 	BifEnum::Tunnel::Type type;
 	uint64 uid;
 };
 
+/**
+ * Abstracts an arbitrary amount of nested tunneling.
+ */
 class Encapsulation {
 public:
 	Encapsulation() : conns(0)
@@ -99,6 +146,11 @@ public:
 
 	~Encapsulation() { delete conns; }
 
+	/**
+	 * Add a new inner-most tunnel to the Encapsulation.
+	 *
+	 * @param c The new inner-most tunnel to append to the tunnel chain.
+	 */
 	void Add(const EncapsulatingConn& c)
 		{
 		if ( ! conns )
@@ -106,16 +158,27 @@ public:
 		conns->push_back(c);
 		}
 
+	/**
+	 * Return how many nested tunnels are involved in a encapsulation, zero
+	 * meaning no tunnels are present.
+	 */
 	size_t Depth() const
 		{
 		return conns ? conns->size() : 0;
 		}
 
+	/**
+	 * Return the tunnel type of the inner-most tunnel.
+	 */
 	BifEnum::Tunnel::Type LastType() const
 		{
-		return conns ? (*conns)[conns->size()-1].type : BifEnum::Tunnel::NONE;
+		return conns ? (*conns)[conns->size()-1].Type() : BifEnum::Tunnel::NONE;
 		}
 
+	/**
+	 * Get the value of type "EncapsulatingConnVector" represented by the
+	 * entire encapsulation chain.
+	 */
 	VectorVal* GetVectorVal() const
 		{
 		VectorVal* vv = new VectorVal(
@@ -133,6 +196,7 @@ public:
 		return ! ( e1 == e2 );
 		}
 
+protected:
 	vector<EncapsulatingConn>* conns;
 };
 

testing/btest/Baseline/core.leaks.ayiya/tunnel.log

@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	tunnel
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	action	tunnel_type	user
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	action	tunnel_type
-#types	time	string	addr	port	addr	port	enum	enum	string
+#types	time	string	addr	port	addr	port	enum	enum
-1257655293.629048	UWkUyAuUGXf	192.168.3.101	53796	216.14.98.22	5072	Tunnel::DISCOVER	Tunnel::AYIYA	-
+1257655293.629048	UWkUyAuUGXf	192.168.3.101	53796	216.14.98.22	5072	Tunnel::DISCOVER	Tunnel::AYIYA
-1257655296.585034	k6kgXLOoSKl	192.168.3.101	53859	216.14.98.22	5072	Tunnel::DISCOVER	Tunnel::AYIYA	-
+1257655296.585034	k6kgXLOoSKl	192.168.3.101	53859	216.14.98.22	5072	Tunnel::DISCOVER	Tunnel::AYIYA
-1257655317.464035	k6kgXLOoSKl	192.168.3.101	53859	216.14.98.22	5072	Tunnel::CLOSE	Tunnel::AYIYA	-
+1257655317.464035	k6kgXLOoSKl	192.168.3.101	53859	216.14.98.22	5072	Tunnel::CLOSE	Tunnel::AYIYA
-1257655317.464035	UWkUyAuUGXf	192.168.3.101	53796	216.14.98.22	5072	Tunnel::CLOSE	Tunnel::AYIYA	-
+1257655317.464035	UWkUyAuUGXf	192.168.3.101	53796	216.14.98.22	5072	Tunnel::CLOSE	Tunnel::AYIYA

testing/btest/Baseline/core.leaks.teredo/tunnel.log

@@ -3,11 +3,11 @@
 #empty_field	(empty)
 #unset_field	-
 #path	tunnel
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	action	tunnel_type	user
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	action	tunnel_type
-#types	time	string	addr	port	addr	port	enum	enum	string
+#types	time	string	addr	port	addr	port	enum	enum
-1210953052.202579	nQcgTWjvg4c	192.168.2.16	3797	65.55.158.80	3544	Tunnel::DISCOVER	Tunnel::TEREDO	-
+1210953052.202579	nQcgTWjvg4c	192.168.2.16	3797	65.55.158.80	3544	Tunnel::DISCOVER	Tunnel::TEREDO
-1210953052.324629	TEfuqmmG4bh	192.168.2.16	3797	65.55.158.81	3544	Tunnel::DISCOVER	Tunnel::TEREDO	-
+1210953052.324629	TEfuqmmG4bh	192.168.2.16	3797	65.55.158.81	3544	Tunnel::DISCOVER	Tunnel::TEREDO
-1210953061.292918	GSxOnSLghOa	192.168.2.16	3797	83.170.1.38	32900	Tunnel::DISCOVER	Tunnel::TEREDO	-
+1210953061.292918	GSxOnSLghOa	192.168.2.16	3797	83.170.1.38	32900	Tunnel::DISCOVER	Tunnel::TEREDO
-1210953076.058333	nQcgTWjvg4c	192.168.2.16	3797	65.55.158.80	3544	Tunnel::CLOSE	Tunnel::TEREDO	-
+1210953076.058333	nQcgTWjvg4c	192.168.2.16	3797	65.55.158.80	3544	Tunnel::CLOSE	Tunnel::TEREDO
-1210953076.058333	GSxOnSLghOa	192.168.2.16	3797	83.170.1.38	32900	Tunnel::CLOSE	Tunnel::TEREDO	-
+1210953076.058333	GSxOnSLghOa	192.168.2.16	3797	83.170.1.38	32900	Tunnel::CLOSE	Tunnel::TEREDO
-1210953076.058333	TEfuqmmG4bh	192.168.2.16	3797	65.55.158.81	3544	Tunnel::CLOSE	Tunnel::TEREDO	-
+1210953076.058333	TEfuqmmG4bh	192.168.2.16	3797	65.55.158.81	3544	Tunnel::CLOSE	Tunnel::TEREDO

testing/btest/Baseline/core.tunnels.ayiya/tunnel.log

@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	tunnel
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	action	tunnel_type	user
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	action	tunnel_type
-#types	time	string	addr	port	addr	port	enum	enum	string
+#types	time	string	addr	port	addr	port	enum	enum
-1257655293.629048	UWkUyAuUGXf	192.168.3.101	53796	216.14.98.22	5072	Tunnel::DISCOVER	Tunnel::AYIYA	-
+1257655293.629048	UWkUyAuUGXf	192.168.3.101	53796	216.14.98.22	5072	Tunnel::DISCOVER	Tunnel::AYIYA
-1257655296.585034	k6kgXLOoSKl	192.168.3.101	53859	216.14.98.22	5072	Tunnel::DISCOVER	Tunnel::AYIYA	-
+1257655296.585034	k6kgXLOoSKl	192.168.3.101	53859	216.14.98.22	5072	Tunnel::DISCOVER	Tunnel::AYIYA
-1257655317.464035	k6kgXLOoSKl	192.168.3.101	53859	216.14.98.22	5072	Tunnel::CLOSE	Tunnel::AYIYA	-
+1257655317.464035	k6kgXLOoSKl	192.168.3.101	53859	216.14.98.22	5072	Tunnel::CLOSE	Tunnel::AYIYA
-1257655317.464035	UWkUyAuUGXf	192.168.3.101	53796	216.14.98.22	5072	Tunnel::CLOSE	Tunnel::AYIYA	-
+1257655317.464035	UWkUyAuUGXf	192.168.3.101	53796	216.14.98.22	5072	Tunnel::CLOSE	Tunnel::AYIYA

testing/btest/Baseline/core.tunnels.teredo/tunnel.log

@@ -3,11 +3,11 @@
 #empty_field	(empty)
 #unset_field	-
 #path	tunnel
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	action	tunnel_type	user
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	action	tunnel_type
-#types	time	string	addr	port	addr	port	enum	enum	string
+#types	time	string	addr	port	addr	port	enum	enum
-1210953052.202579	nQcgTWjvg4c	192.168.2.16	3797	65.55.158.80	3544	Tunnel::DISCOVER	Tunnel::TEREDO	-
+1210953052.202579	nQcgTWjvg4c	192.168.2.16	3797	65.55.158.80	3544	Tunnel::DISCOVER	Tunnel::TEREDO
-1210953052.324629	TEfuqmmG4bh	192.168.2.16	3797	65.55.158.81	3544	Tunnel::DISCOVER	Tunnel::TEREDO	-
+1210953052.324629	TEfuqmmG4bh	192.168.2.16	3797	65.55.158.81	3544	Tunnel::DISCOVER	Tunnel::TEREDO
-1210953061.292918	GSxOnSLghOa	192.168.2.16	3797	83.170.1.38	32900	Tunnel::DISCOVER	Tunnel::TEREDO	-
+1210953061.292918	GSxOnSLghOa	192.168.2.16	3797	83.170.1.38	32900	Tunnel::DISCOVER	Tunnel::TEREDO
-1210953076.058333	nQcgTWjvg4c	192.168.2.16	3797	65.55.158.80	3544	Tunnel::CLOSE	Tunnel::TEREDO	-
+1210953076.058333	nQcgTWjvg4c	192.168.2.16	3797	65.55.158.80	3544	Tunnel::CLOSE	Tunnel::TEREDO
-1210953076.058333	GSxOnSLghOa	192.168.2.16	3797	83.170.1.38	32900	Tunnel::CLOSE	Tunnel::TEREDO	-
+1210953076.058333	GSxOnSLghOa	192.168.2.16	3797	83.170.1.38	32900	Tunnel::CLOSE	Tunnel::TEREDO
-1210953076.058333	TEfuqmmG4bh	192.168.2.16	3797	65.55.158.81	3544	Tunnel::CLOSE	Tunnel::TEREDO	-
+1210953076.058333	TEfuqmmG4bh	192.168.2.16	3797	65.55.158.81	3544	Tunnel::CLOSE	Tunnel::TEREDO