Change Packet::ip_hdr to be a shared_ptr so it can be copied into EncapsulatingConn

src/packet_analysis/protocol/icmp/ICMP.cc

@@ -72,7 +72,7 @@ void ICMPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int rema
 		adapter->PacketContents(data + 8, std::min(len, remaining) - 8);
 
 	const struct icmp* icmpp = (const struct icmp*)data;
-	const std::unique_ptr<IP_Hdr>& ip = pkt->ip_hdr;
+	const std::shared_ptr<IP_Hdr>& ip = pkt->ip_hdr;
 
 	if ( ! zeek::detail::ignore_checksums &&
 	     ! GetIgnoreChecksumsNets()->Contains(ip->IPHeaderSrcAddr()) && remaining >= len )

src/packet_analysis/protocol/ip/IP.cc

@@ -51,7 +51,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 	// This is a unique pointer because of the mass of early returns from this method.
 	if ( protocol == 4 )
 		{
-		packet->ip_hdr = std::make_unique<IP_Hdr>(ip, false);
+		packet->ip_hdr = std::make_shared<IP_Hdr>(ip, false);
 		packet->l3_proto = L3_IPV4;
 		}
 	else if ( protocol == 6 )
@@ -62,7 +62,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 			return false;
 			}
 
-		packet->ip_hdr = std::make_unique<IP_Hdr>((const struct ip6_hdr*)data, false, len);
+		packet->ip_hdr = std::make_shared<IP_Hdr>((const struct ip6_hdr*)data, false, len);
 		packet->l3_proto = L3_IPV6;
 		}
 	else
@@ -71,6 +71,15 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		return false;
 		}
 
+	// If there's an encapsulation stack in this packet, meaning this packet is part of a chain
+	// of tunnels, make sure to store the IP header in the last flow in the stack so it can be
+	// used by previous analyzers as we return up the chain.
+	if ( packet->encap )
+		{
+		if ( auto* ec = packet->encap->Last() )
+			ec->ip_hdr = packet->ip_hdr;
+		}
+
 	const struct ip* ip4 = packet->ip_hdr->IP4_Hdr();
 
 	// TotalLen() returns the full length of the IP portion of the packet, including
@@ -164,7 +173,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 			{
 			f = detail::fragment_mgr->NextFragment(run_state::processing_start_time, packet->ip_hdr,
 			                                       packet->data + hdr_size);
-			std::unique_ptr<IP_Hdr> ih = f->ReassembledPkt();
+			std::shared_ptr<IP_Hdr> ih = f->ReassembledPkt();
 
 			if ( ! ih )
 				// It didn't reassemble into anything yet.
@@ -275,7 +284,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 	}
 
 int zeek::packet_analysis::IP::ParsePacket(int caplen, const u_char* const pkt, int proto,
-                                           std::unique_ptr<zeek::IP_Hdr>& inner)
+                                           std::shared_ptr<zeek::IP_Hdr>& inner)
 	{
 	if ( proto == IPPROTO_IPV6 )
 		{
@@ -283,7 +292,7 @@ int zeek::packet_analysis::IP::ParsePacket(int caplen, const u_char* const pkt,
 			return -1;
 
 		const struct ip6_hdr* ip6 = (const struct ip6_hdr*)pkt;
-		inner = std::make_unique<zeek::IP_Hdr>(ip6, false, caplen);
+		inner = std::make_shared<zeek::IP_Hdr>(ip6, false, caplen);
 		if ( (ip6->ip6_ctlun.ip6_un2_vfc & 0xF0) != 0x60 )
 			return -2;
 		}
@@ -294,7 +303,7 @@ int zeek::packet_analysis::IP::ParsePacket(int caplen, const u_char* const pkt,
 			return -1;
 
 		const struct ip* ip4 = (const struct ip*)pkt;
-		inner = std::make_unique<zeek::IP_Hdr>(ip4, false);
+		inner = std::make_shared<zeek::IP_Hdr>(ip4, false);
 		if ( ip4->ip_v != 4 )
 			return -2;
 		}

src/packet_analysis/protocol/ip/IP.h

@@ -57,5 +57,5 @@ private:
  *         long enough to be an IP header, and \a inner is always non-null
  *         for other return values.
  */
-int ParsePacket(int caplen, const u_char* const pkt, int proto, std::unique_ptr<IP_Hdr>& inner);
+int ParsePacket(int caplen, const u_char* const pkt, int proto, std::shared_ptr<IP_Hdr>& inner);
 	}

src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc

@@ -32,7 +32,7 @@ bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt
 	if ( ! BuildConnTuple(len, data, pkt, tuple) )
 		return false;
 
-	const std::unique_ptr<IP_Hdr>& ip_hdr = pkt->ip_hdr;
+	const std::shared_ptr<IP_Hdr>& ip_hdr = pkt->ip_hdr;
 	detail::ConnKey key(tuple);
 
 	Connection* conn = session_mgr->FindConnection(key);

src/packet_analysis/protocol/iptunnel/IPTunnel.cc

@@ -44,7 +44,7 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
 	BifEnum::Tunnel::Type tunnel_type = packet->tunnel_type;
 	int gre_link_type = packet->gre_link_type;
 
-	std::unique_ptr<IP_Hdr> inner = nullptr;
+	std::shared_ptr<IP_Hdr> inner = nullptr;
 
 	if ( gre_version != 0 )
 		{
@@ -96,7 +96,7 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
  * Handles a packet that contains an IP header directly after the tunnel header.
  */
 bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt,
-                                                 const std::unique_ptr<IP_Hdr>& inner,
+                                                 const std::shared_ptr<IP_Hdr>& inner,
                                                  std::shared_ptr<EncapsulationStack> prev,
                                                  const EncapsulatingConn& ec)
 	{

src/packet_analysis/protocol/iptunnel/IPTunnel.h

@@ -44,7 +44,7 @@ public:
 	 * @param ec The most-recently found depth of encapsulation.
 	 */
 	bool ProcessEncapsulatedPacket(double t, const Packet* pkt,
-	                               const std::unique_ptr<IP_Hdr>& inner,
+	                               const std::shared_ptr<IP_Hdr>& inner,
 	                               std::shared_ptr<EncapsulationStack> prev,
 	                               const EncapsulatingConn& ec);
 

src/packet_analysis/protocol/tcp/TCP.cc

@@ -113,7 +113,7 @@ void TCPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 
 	analyzer::tcp::TCP_Endpoint* endpoint = is_orig ? adapter->orig : adapter->resp;
 	analyzer::tcp::TCP_Endpoint* peer = endpoint->peer;
-	const std::unique_ptr<IP_Hdr>& ip = pkt->ip_hdr;
+	const std::shared_ptr<IP_Hdr>& ip = pkt->ip_hdr;
 
 	if ( ! ValidateChecksum(ip.get(), tp, endpoint, len, remaining, adapter) )
 		return;

src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc

@@ -542,7 +542,7 @@ static int32_t update_last_seq(analyzer::tcp::TCP_Endpoint* endpoint, uint32_t l
 	}
 
 void TCPSessionAdapter::Process(bool is_orig, const struct tcphdr* tp, int len,
-                                const std::unique_ptr<IP_Hdr>& ip, const u_char* data,
+                                const std::shared_ptr<IP_Hdr>& ip, const u_char* data,
                                 int remaining)
 	{
 	analyzer::tcp::TCP_Flags flags(tp);

src/packet_analysis/protocol/tcp/TCPSessionAdapter.h

@@ -33,7 +33,7 @@ public:
 	explicit TCPSessionAdapter(Connection* conn);
 	~TCPSessionAdapter() override;
 
-	void Process(bool is_orig, const struct tcphdr* tp, int len, const std::unique_ptr<IP_Hdr>& ip,
+	void Process(bool is_orig, const struct tcphdr* tp, int len, const std::shared_ptr<IP_Hdr>& ip,
 	             const u_char* data, int remaining);
 
 	void EnableReassembly();

src/packet_analysis/protocol/udp/UDP.cc

@@ -86,7 +86,7 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 	int len = pkt->ip_hdr->PayloadLen();
 
 	const struct udphdr* up = (const struct udphdr*)data;
-	const std::unique_ptr<IP_Hdr>& ip = pkt->ip_hdr;
+	const std::shared_ptr<IP_Hdr>& ip = pkt->ip_hdr;
 
 	adapter->DeliverPacket(len, data, is_orig, -1, ip.get(), remaining);