Move IP protocol names table out of policy script to init-bare

2025-10-02 06:38:20 +00:00 · 2024-11-12 22:27:04 -07:00 · 2024-11-12 22:27:04 -07:00 · e33aee8ca2
commit e33aee8ca2
parent fd67206865
2 changed files with 159 additions and 152 deletions
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -5962,6 +5962,163 @@ export {
 	const civetweb_threads: count = 2 &redef;
 }

+module IP;
+
+export {
+	## Mapping from IP protocol identifier values to string names.
+	const protocol_names: table[count] of string = {
+		[0] = "hopopt",
+		[1] = "icmp",
+		[2] = "igmp",
+		[3] = "ggp",
+		[4] = "ip-in-ip",
+		[5] = "st",
+		[6] = "tcp",
+		[7] = "cbt",
+		[8] = "egp",
+		[9] = "igp",
+		[10] = "bbc-rcc-mon",
+		[11] = "nvp-ii",
+		[12] = "pup",
+		[13] = "argus",
+		[14] = "emcon",
+		[15] = "xnet",
+		[16] = "chaos",
+		[17] = "udp",
+		[18] = "mux",
+		[19] = "dcn-meas",
+		[20] = "hmp",
+		[21] = "prm",
+		[22] = "xns-idp",
+		[23] = "trunk-1",
+		[24] = "trunk-2",
+		[25] = "leaf-1",
+		[26] = "leaf-2",
+		[27] = "rdp",
+		[28] = "irtp",
+		[29] = "iso-tp4",
+		[30] = "netblt",
+		[31] = "mfe-nsp",
+		[32] = "merit-inp",
+		[33] = "dccp",
+		[34] = "3pc",
+		[35] = "idpr",
+		[36] = "xtp",
+		[37] = "ddp",
+		[38] = "idpr-cmtp",
+		[39] = "tp++",
+		[40] = "il",
+		[41] = "ipv6",
+		[42] = "sdrp",
+		[43] = "ipv6-route",
+		[44] = "ipv6-frag",
+		[45] = "idrp",
+		[46] = "rsvp",
+		[47] = "gre",
+		[48] = "dsr",
+		[49] = "bna",
+		[50] = "esp",
+		[51] = "ah",
+		[52] = "i-nlsp",
+		[53] = "swipe",
+		[54] = "narp",
+		[55] = "mobile",
+		[56] = "tlsp",
+		[57] = "skip",
+		[58] = "ipv6-icmp",
+		[59] = "ipv6-nonxt",
+		[60] = "ipv6-opts",
+		[61] = "host-protocol",  # Any host internal protocol
+		[62] = "cftp",
+		[63] = "local-network",  # Any local network
+		[64] = "sat-expak",
+		[65] = "kryptolan",
+		[66] = "rvd",
+		[67] = "ippc",
+		[68] = "distributed-files",  # Any distributed file system
+		[69] = "sat-on",
+		[70] = "visa",
+		[71] = "ipcu",
+		[72] = "cpnx",
+		[73] = "cphb",
+		[74] = "wsn",
+		[75] = "pvp",
+		[76] = "br-sat-mon",
+		[77] = "sun-and",
+		[78] = "wb-mon",
+		[79] = "wb-expak",
+		[80] = "iso-ip",
+		[81] = "vmtp",
+		[82] = "secure-vmtp",
+		[83] = "vines",
+		[84] = "ttp or iptm",  # TTP was obsoleted in 3/2023, replaced with IGTM
+		[85] = "nsfnet-igp",
+		[86] = "dgp",
+		[87] = "tcf",
+		[88] = "eigrp",
+		[89] = "ospf",
+		[90] = "sprite-rpc",
+		[91] = "larp",
+		[92] = "mtp",
+		[93] = "ax.25",
+		[94] = "os",
+		[95] = "micp",
+		[96] = "scc-sp",
+		[97] = "etherip",
+		[98] = "encap",
+		[99] = "private-encryption",  # Any private encryption scheme
+		[100] = "gtmp",
+		[101] = "ifmp",
+		[102] = "pnni",
+		[103] = "pim",
+		[104] = "aris",
+		[105] = "scps",
+		[106] = "qnx",
+		[107] = "a/n",
+		[108] = "ipcomp",
+		[109] = "snp",
+		[110] = "compaq-peer",
+		[111] = "ipx-in-ip",
+		[112] = "vrrp",
+		[113] = "pgm",
+		[114] = "zero-hop", # Any 0-hop protocol
+		[115] = "l2tp",
+		[116] = "ddx",
+		[117] = "iatp",
+		[118] = "stp",
+		[119] = "srp",
+		[120] = "uti",
+		[121] = "smp",
+		[122] = "sm",
+		[123] = "ptp",
+		[124] = "is-is-over-ipv4",
+		[125] = "fire",
+		[126] = "crtp",
+		[127] = "crudp",
+		[128] = "sccopmce",
+		[129] = "iplt",
+		[130] = "sps",
+		[131] = "pipe",
+		[132] = "sctp",
+		[133] = "fc",
+		[134] = "rsvp-e2e-ignore",
+		[135] = "mobility-header",
+		[136] = "udplite",
+		[137] = "mpls-in-ip",
+		[138] = "manet",
+		[139] = "hip",
+		[140] = "shim6",
+		[141] = "wesp",
+		[142] = "rohc",
+		[143] = "ethernet",
+		[144] = "aggfrag",
+		[145] = "nsh",
+		[146] = "homa"
+	} &redef &default=function(c: count): string {
+		return fmt("unknown-ip-proto-%d", c);
+	};
+}
+
 module GLOBAL;

 ## Seed for hashes computed internally for probabilistic data structures. Using
--- a/scripts/policy/protocols/conn/ip-proto-name-logging.zeek
+++ b/scripts/policy/protocols/conn/ip-proto-name-logging.zeek
@ -11,159 +11,9 @@ redef record Info += {
 	ip_proto_name: string &log &optional;
 };

-global protocol_names: table[count] of string = {
-	[0] = "hopopt",
-	[1] = "icmp",
-	[2] = "igmp",
-	[3] = "ggp",
-	[4] = "ip-in-ip",
-	[5] = "st",
-	[6] = "tcp",
-	[7] = "cbt",
-	[8] = "egp",
-	[9] = "igp",
-	[10] = "bbc-rcc-mon",
-	[11] = "nvp-ii",
-	[12] = "pup",
-	[13] = "argus",
-	[14] = "emcon",
-	[15] = "xnet",
-	[16] = "chaos",
-	[17] = "udp",
-	[18] = "mux",
-	[19] = "dcn-meas",
-	[20] = "hmp",
-	[21] = "prm",
-	[22] = "xns-idp",
-	[23] = "trunk-1",
-	[24] = "trunk-2",
-	[25] = "leaf-1",
-	[26] = "leaf-2",
-	[27] = "rdp",
-	[28] = "irtp",
-	[29] = "iso-tp4",
-	[30] = "netblt",
-	[31] = "mfe-nsp",
-	[32] = "merit-inp",
-	[33] = "dccp",
-	[34] = "3pc",
-	[35] = "idpr",
-	[36] = "xtp",
-	[37] = "ddp",
-	[38] = "idpr-cmtp",
-	[39] = "tp++",
-	[40] = "il",
-	[41] = "ipv6",
-	[42] = "sdrp",
-	[43] = "ipv6-route",
-	[44] = "ipv6-frag",
-	[45] = "idrp",
-	[46] = "rsvp",
-	[47] = "gre",
-	[48] = "dsr",
-	[49] = "bna",
-	[50] = "esp",
-	[51] = "ah",
-	[52] = "i-nlsp",
-	[53] = "swipe",
-	[54] = "narp",
-	[55] = "mobile",
-	[56] = "tlsp",
-	[57] = "skip",
-	[58] = "ipv6-icmp",
-	[59] = "ipv6-nonxt",
-	[60] = "ipv6-opts",
-	[61] = "host-protocol",  # Any host internal protocol
-	[62] = "cftp",
-	[63] = "local-network",  # Any local network
-	[64] = "sat-expak",
-	[65] = "kryptolan",
-	[66] = "rvd",
-	[67] = "ippc",
-	[68] = "distributed-files",  # Any distributed file system
-	[69] = "sat-on",
-	[70] = "visa",
-	[71] = "ipcu",
-	[72] = "cpnx",
-	[73] = "cphb",
-	[74] = "wsn",
-	[75] = "pvp",
-	[76] = "br-sat-mon",
-	[77] = "sun-and",
-	[78] = "wb-mon",
-	[79] = "wb-expak",
-	[80] = "iso-ip",
-	[81] = "vmtp",
-	[82] = "secure-vmtp",
-	[83] = "vines",
-	[84] = "ttp or iptm",  # TTP was obsoleted in 3/2023, replaced with IGTM
-	[85] = "nsfnet-igp",
-	[86] = "dgp",
-	[87] = "tcf",
-	[88] = "eigrp",
-	[89] = "ospf",
-	[90] = "sprite-rpc",
-	[91] = "larp",
-	[92] = "mtp",
-	[93] = "ax.25",
-	[94] = "os",
-	[95] = "micp",
-	[96] = "scc-sp",
-	[97] = "etherip",
-	[98] = "encap",
-	[99] = "private-encryption",  # Any private encryption scheme
-	[100] = "gtmp",
-	[101] = "ifmp",
-	[102] = "pnni",
-	[103] = "pim",
-	[104] = "aris",
-	[105] = "scps",
-	[106] = "qnx",
-	[107] = "a/n",
-	[108] = "ipcomp",
-	[109] = "snp",
-	[110] = "compaq-peer",
-	[111] = "ipx-in-ip",
-	[112] = "vrrp",
-	[113] = "pgm",
-	[114] = "zero-hop", # Any 0-hop protocol
-	[115] = "l2tp",
-	[116] = "ddx",
-	[117] = "iatp",
-	[118] = "stp",
-	[119] = "srp",
-	[120] = "uti",
-	[121] = "smp",
-	[122] = "sm",
-	[123] = "ptp",
-	[124] = "is-is-over-ipv4",
-	[125] = "fire",
-	[126] = "crtp",
-	[127] = "crudp",
-	[128] = "sccopmce",
-	[129] = "iplt",
-	[130] = "sps",
-	[131] = "pipe",
-	[132] = "sctp",
-	[133] = "fc",
-	[134] = "rsvp-e2e-ignore",
-	[135] = "mobility-header",
-	[136] = "udplite",
-	[137] = "mpls-in-ip",
-	[138] = "manet",
-	[139] = "hip",
-	[140] = "shim6",
-	[141] = "wesp",
-	[142] = "rohc",
-	[143] = "ethernet",
-	[144] = "aggfrag",
-	[145] = "nsh",
-	[146] = "homa"
-};
-
 event new_connection(c: connection) &priority=5 {
 	# In case we're the first access
 	Conn::set_conn(c, F);
-	if ( c$conn?$ip_proto && c$conn$ip_proto in protocol_names )
-		c$conn$ip_proto_name = protocol_names[c$conn$ip_proto];
+	if ( c$conn?$ip_proto && c$conn$ip_proto in IP::protocol_names )
+		c$conn$ip_proto_name = IP::protocol_names[c$conn$ip_proto];
 }