Tweaking tunnel decapsulation.

Changing names to comply with "Bro Scripting Conventions"
Tweaking documentation.

doc/scripts/DocSourcesList.cmake

@@ -95,6 +95,7 @@ rest_target(${psd} policy/frameworks/dpd/detect-protocols.bro)
 rest_target(${psd} policy/frameworks/dpd/packet-segment-logging.bro)
 rest_target(${psd} policy/frameworks/software/version-changes.bro)
 rest_target(${psd} policy/frameworks/software/vulnerable.bro)
+rest_target(${psd} policy/frameworks/tunnel.bro)
 rest_target(${psd} policy/integration/barnyard2/base.bro)
 rest_target(${psd} policy/integration/barnyard2/event.bro)
 rest_target(${psd} policy/integration/barnyard2/types.bro)

scripts/base/init-bare.bro

@@ -84,14 +84,14 @@ type AnalyzerID: count;
 module Tunnel;
 export {
 	## Records the identity of a the parent of a tunneled connection. 
-	type parent_t: record {
+	type Parent: record {
 		## The 4-tuple of the tunnel "connection". In case of an IP-in-IP
 		## tunnel the ports will be set to 0. The direction (i.e., orig and
 		## resp) of the parent are set according to the tunneled connection
 		## and not according to the side that established the tunnel. 
 		cid: conn_id;
 		## The type of tunnel.
-		tunnel_type: tunneltype_t;
+		tunnel_type: Tunneltype;
 	} &log;
 } # end export
 module GLOBAL;
@@ -107,7 +107,7 @@ type connection: record {
 	hot: count;		# how hot; 0 = don't know or not hot
 	history: string;
 	uid: string;
-	tunnel_parent: Tunnel::parent_t &optional;
+	tunnel_parent: Tunnel::Parent &optional;
 };
 
 type SYN_packet: record {

scripts/policy/frameworks/tunnel.bro

@@ -22,7 +22,7 @@
 ##! defragmentation but before there is a connection context. The tunnel
 ##! headers are stripped from packet and the identity of the parent is 
 ##! is stored as the ``tunnel_parent`` member of :bro:type:`connection`, 
-##! which is of type :bro:type:`parent_t`. 
+##! which is of type :bro:type:`Tunnel::Parent`. 
 ##! 
 ##! *Limitation:* The decapsulated packets are not fed through the 
 ##! defragmenter again and decapsulation happens only on the primary
@@ -30,9 +30,12 @@
 ##! 
 ##! 
 
+@load base/protocols/conn
+
 module Tunnel; 
 
 #redef use_connection_compressor = F;
+## enab
 redef Tunnel::decapsulate_ip = T;
 redef Tunnel::decapsulate_udp = T;
 redef Tunnel::udp_tunnel_allports = T;
@@ -51,14 +54,19 @@ export {
 		## The child's transport protocol
 		proto:    transport_proto &log;
 		## The parent connection of IP-pair
-		parent:   parent_t        &log;
+		parent:   Parent          &log;
+	};
+	global log_tunnel: event(rec: Info);
+
+	redef record Conn::Info += {
+		## If the connection is tunneled the type of tunnel 
+		tunnel_type: Tunneltype   &log &optional;
 	};
-	global log_conn: event(rec: Info);
 }
 
 event bro_init()
 	{
-	Log::create_stream(TUNNEL, [$columns=Info, $ev=log_conn]);
+	Log::create_stream(TUNNEL, [$columns=Info, $ev=log_tunnel]);
 	}
 
 event new_connection(c: connection)

src/TunnelHandler.cc

@@ -54,7 +54,7 @@ TunnelInfo* TunnelHandler::DecapsulateTunnel(const IP_Hdr *ip_hdr, int len, int
 			// TODO: check if IP6 header makes sense
 			tunnel_info = new TunnelInfo();
 			tunnel_info->child = new IP_Hdr((const struct ip6_hdr*)ip_hdr->Payload());
-			tunnel_info->tunneltype = BifEnum::Tunnel::IP6inIP;
+			tunnel_info->tunneltype = BifEnum::Tunnel::IP6_IN_IP;
 			tunnel_info->hdr_len = tunnel_info->child->HdrLen();
 			tunnel_info->SetParentIPs(ip_hdr);
 			return tunnel_info;
@@ -86,7 +86,7 @@ TunnelInfo* TunnelHandler::HandleUDP(const IP_Hdr *ip_hdr, int len, int caplen)
 	const u_char *data = ip_hdr->Payload();
 	const struct udphdr* uh = (const struct udphdr*)data;
 	IP_Hdr *cand_ip_hdr = 0;
-	BifEnum::Tunnel::tunneltype_t tunneltype = BifEnum::Tunnel::NONE;
+	BifEnum::Tunnel::Tunneltype tunneltype = BifEnum::Tunnel::NONE;
 
 	int hdr_len = sizeof(struct udphdr);
 	data += hdr_len;
@@ -103,7 +103,7 @@ TunnelInfo* TunnelHandler::HandleUDP(const IP_Hdr *ip_hdr, int len, int caplen)
 		if (cand_ip_hdr)
 			{
 			tunneltype =  (cand_ip_hdr->IP4_Hdr()) ? 
-					BifEnum::Tunnel::IP4inUDP : BifEnum::Tunnel::IP6inUDP;
+					BifEnum::Tunnel::IP4_IN_UDP : BifEnum::Tunnel::IP6_IN_UDP;
 			}
 		else if (datalen >= 8)
 			{
@@ -129,7 +129,7 @@ TunnelInfo* TunnelHandler::HandleUDP(const IP_Hdr *ip_hdr, int len, int caplen)
 				{
 				hdr_len += 8 + id_len + sig_len;
 				tunneltype =  (cand_ip_hdr->IP4_Hdr()) ? 
-						BifEnum::Tunnel::IP4inAYIAY : BifEnum::Tunnel::IP6inAYIAY;
+						BifEnum::Tunnel::IP4_IN_AYIAY : BifEnum::Tunnel::IP6_IN_AYIAY;
 				}
 			}
 		if (cand_ip_hdr)

src/TunnelHandler.h

@@ -39,11 +39,11 @@ public:
 
 	RecordVal* GetRecordVal() const 
 		{
-		RecordVal *rv = new RecordVal(BifType::Record::Tunnel::parent_t);
+		RecordVal *rv = new RecordVal(BifType::Record::Tunnel::Parent);
 		TransportProto tproto;
 		switch(tunneltype) {
-		case BifEnum::Tunnel::IP6inIP:
+		case BifEnum::Tunnel::IP6_IN_IP:
-		case BifEnum::Tunnel::IP4inIP:
+		case BifEnum::Tunnel::IP4_IN_IP:
 			tproto = TRANSPORT_UNKNOWN;
 			break;
 		default:
@@ -56,14 +56,14 @@ public:
 		id_val->Assign(2, new AddrVal(parent.dst_addr));
 		id_val->Assign(3, new PortVal(ntohs(parent.dst_port), tproto));
 		rv->Assign(0, id_val);
-		rv->Assign(1, new EnumVal(tunneltype, BifType::Enum::Tunnel::tunneltype_t));
+		rv->Assign(1, new EnumVal(tunneltype, BifType::Enum::Tunnel::Tunneltype));
 		return rv;
 		}
 
 	IP_Hdr *child;
 	ConnID parent;
 	int hdr_len;
-	BifEnum::Tunnel::tunneltype_t tunneltype;
+	BifEnum::Tunnel::Tunneltype tunneltype;
 };
 
 class TunnelHandler {

src/types.bif

@@ -168,16 +168,16 @@ enum ID %{
 
 
 module Tunnel;
-enum tunneltype_t %{
+enum Tunneltype %{
 	NONE,
-	IP6inIP,     
+	IP6_IN_IP,     
-	IP4inIP,  
+	IP4_IN_IP,  
-	IP6inUDP,
+	IP6_IN_UDP,
-	IP4inUDP,
+	IP4_IN_UDP,
-	IP6inAYIAY,
+	IP6_IN_AYIAY,
-	IP4inAYIAY,
+	IP4_IN_AYIAY,
 %}
 
-type parent_t: record;
+type Parent: record;
 
 module GLOBAL;