From 1e66fe905a948fcded4b0ba13c11e907831c835e Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@ncsa.illinois.edu>
Date: Wed, 9 May 2012 15:08:36 -0500
Subject: [PATCH 1/5] Add support to Bro for connecting with peers over IPv6.

- Communication::listen_ipv6 needs to be redef'd to true in order
  for IPv6 listening sockets to be opened.

- Added Communication::listen_retry option as an interval at which
  to retry binding to socket addresses that were already in use.

- Added some explicit baselines to check in the istate.events
  and istate.events-ssl tests -- the SSL test was incorrectly
  passing because it compared two empty files.  (The files being
  empty because "http/base" was given as an argument to Bro which
  it couldn't handle because that script doesn't exist anymore).
---
 .../base/frameworks/communication/main.bro    |  13 +-
 scripts/base/utils/addrs.bro                  |  15 +
 .../frameworks/communication/listen.bro       |   3 +-
 src/IPAddr.h                                  |  22 +-
 src/RemoteSerializer.cc                       | 362 +++++++++++-------
 src/RemoteSerializer.h                        |  27 +-
 src/bro.bif                                   |   9 +-
 .../Baseline/istate.bro-ipv6/recv..stdout     |   1 +
 .../Baseline/istate.bro-ipv6/send..stdout     |   2 +
 .../Baseline/istate.events-ssl/events.rec.log |  33 ++
 .../Baseline/istate.events-ssl/events.snd.log |  33 ++
 .../istate.events-ssl/receiver.http.log       |   2 +-
 .../istate.events-ssl/sender.http.log         |   2 +-
 .../Baseline/istate.events/events.rec.log     |  33 ++
 .../Baseline/istate.events/events.snd.log     |  33 ++
 .../Baseline/istate.events/receiver.http.log  |   2 +-
 .../Baseline/istate.events/sender.http.log    |   2 +-
 testing/btest/istate/bro-ipv6.bro             |  52 +++
 testing/btest/istate/events-ssl.bro           |   6 +-
 testing/btest/istate/events.bro               |   2 +
 20 files changed, 480 insertions(+), 174 deletions(-)
 create mode 100644 testing/btest/Baseline/istate.bro-ipv6/recv..stdout
 create mode 100644 testing/btest/Baseline/istate.bro-ipv6/send..stdout
 create mode 100644 testing/btest/Baseline/istate.events-ssl/events.rec.log
 create mode 100644 testing/btest/Baseline/istate.events-ssl/events.snd.log
 create mode 100644 testing/btest/Baseline/istate.events/events.rec.log
 create mode 100644 testing/btest/Baseline/istate.events/events.snd.log
 create mode 100644 testing/btest/istate/bro-ipv6.bro

diff --git a/scripts/base/frameworks/communication/main.bro b/scripts/base/frameworks/communication/main.bro
index 04772f57aa..26ec9f41b8 100644
--- a/scripts/base/frameworks/communication/main.bro
+++ b/scripts/base/frameworks/communication/main.bro
@@ -2,6 +2,7 @@
 ##! and/or transfer events.
 
 @load base/frameworks/packet-filter
+@load base/utils/addrs
 
 module Communication;
 
@@ -10,7 +11,7 @@ export {
 	## The communication logging stream identifier.
 	redef enum Log::ID += { LOG };
 	
-	## Which interface to listen on (0.0.0.0 for any interface).
+	## Which interface to listen on (``0.0.0.0`` or ``[::]`` are wildcards).
 	const listen_interface = 0.0.0.0 &redef;
 	
 	## Which port to listen on.
@@ -19,6 +20,14 @@ export {
 	## This defines if a listening socket should use SSL.
 	const listen_ssl = F &redef;
 
+	## Defines if a listening socket can bind to IPv6 addresses.
+	const listen_ipv6 = F &redef;
+
+	## Defines the interval at which to retry binding to
+	## :bro:id:`listen_interface` on :bro:id:`listen_port` if it's already in
+	## use.
+	const listen_retry = 30 secs &redef;
+
 	## Default compression level.  Compression level is 0-9, with 0 = no 
 	## compression.
 	global compression_level = 0 &redef;
@@ -160,7 +169,7 @@ event remote_log(level: count, src: count, msg: string)
 # This is a core generated event.
 event remote_log_peer(p: event_peer, level: count, src: count, msg: string)
 	{
-	local rmsg = fmt("[#%d/%s:%d] %s", p$id, p$host, p$p, msg);
+	local rmsg = fmt("[#%d/%s:%d] %s", p$id, addr_to_uri(p$host), p$p, msg);
 	do_script_log_common(level, src, rmsg);
 	}
 
diff --git a/scripts/base/utils/addrs.bro b/scripts/base/utils/addrs.bro
index 415b9adfa9..08efd5281a 100644
--- a/scripts/base/utils/addrs.bro
+++ b/scripts/base/utils/addrs.bro
@@ -98,3 +98,18 @@ function find_ip_addresses(input: string): string_array
 		}
 	return output;
 	}
+
+## Returns the string representation of an IP address suitable for inclusion
+## in a URI.  For IPv4, this does no special formatting, but for IPv6, the
+## address is included in square brackets.
+##
+## a: the address to make suitable for URI inclusion.
+##
+## Returns: the string representation of *a* suitable for URI inclusion.
+function addr_to_uri(a: addr): string
+	{
+	if ( is_v4_addr(a) )
+		return fmt("%s", a);
+	else
+		return fmt("[%s]", a);
+	}
diff --git a/scripts/policy/frameworks/communication/listen.bro b/scripts/policy/frameworks/communication/listen.bro
index e366e5b4ff..609e8c91d6 100644
--- a/scripts/policy/frameworks/communication/listen.bro
+++ b/scripts/policy/frameworks/communication/listen.bro
@@ -8,5 +8,6 @@ module Communication;
 event bro_init() &priority=-10
 	{
 	enable_communication();
-	listen(listen_interface, listen_port, listen_ssl);
+	listen(listen_interface, listen_port, listen_ssl, listen_ipv6,
+	       listen_retry);
 	}
diff --git a/src/IPAddr.h b/src/IPAddr.h
index 8e1921e07b..447669d422 100644
--- a/src/IPAddr.h
+++ b/src/IPAddr.h
@@ -188,11 +188,16 @@ public:
 	 * IPv4 to IPv6 address mapping to return a full 16 bytes.
 	 *
 	 * @param bytes The pointer to a memory location in which the
-	 * raw bytes of the address are to be copied in network byte-order.
+	 * raw bytes of the address are to be copied.
+	 *
+	 * @param order The byte-order in which the returned raw bytes are copied.
+	 * The default is network order.
 	 */
-	void CopyIPv6(uint32_t* bytes) const
+	void CopyIPv6(uint32_t* bytes, ByteOrder order = Network) const
 		{
 		memcpy(bytes, in6.s6_addr, sizeof(in6.s6_addr));
+		if ( order == Host )
+			for ( unsigned int i = 0; i < 4; ++i ) bytes[i] = ntohl(bytes[i]);
 		}
 
 	/**
@@ -280,6 +285,19 @@ public:
 	 */
 	string AsString() const;
 
+	/**
+	 * Returns a string representation of the address suitable for inclusion
+	 * in an URI.  For IPv4 addresses, this is the same as AsString(), but
+	 * IPv6 addresses are encased in square brackets.
+	 */
+	string AsURIString() const
+		{
+		if ( GetFamily() == IPv4 )
+			return AsString();
+		else
+			return string("[") + AsString() + "]";
+		}
+
 	/**
 	 * Returns a host-order, plain hex string representation of the address.
 	 */
diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc
index 61be8a9e8f..3abec00f59 100644
--- a/src/RemoteSerializer.cc
+++ b/src/RemoteSerializer.cc
@@ -147,6 +147,7 @@
 
 #include <sys/types.h>
 #include <sys/socket.h>
+#include <netdb.h>
 #include <sys/wait.h>
 #include <netinet/in.h>
 #include <unistd.h>
@@ -195,7 +196,7 @@ extern "C" {
 
 // Gets incremented each time there's an incompatible change
 // to the communication internals.
-static const unsigned short PROTOCOL_VERSION = 0x07;
+static const unsigned short PROTOCOL_VERSION = 0x08;
 
 static const char MSG_NONE = 0x00;
 static const char MSG_VERSION = 0x01;
@@ -458,17 +459,6 @@ static inline char* fmt_uint32s(int nargs, va_list ap)
 	}
 #endif
 
-
-static inline const char* ip2a(uint32 ip)
-	{
-	static char buffer[32];
-	struct in_addr addr;
-
-	addr.s_addr = htonl(ip);
-
-	return bro_inet_ntop(AF_INET, &addr, buffer, 32);
-	}
-
 static pid_t child_pid = 0;
 
 // Return true if message type is sent by a peer (rather than the child
@@ -683,24 +673,20 @@ RemoteSerializer::PeerID RemoteSerializer::Connect(const IPAddr& ip,
 	if ( ! initialized )
 		reporter->InternalError("remote serializer not initialized");
 
-	if ( ip.GetFamily() == IPv6 )
-		Error("inter-Bro communication not supported over IPv6");
-
-	const uint32* bytes;
-	ip.GetBytes(&bytes);
-	uint32 ip4 = ntohl(*bytes);
-
 	if ( ! child_pid )
 		Fork();
 
-	Peer* p = AddPeer(ip4, port);
+	Peer* p = AddPeer(ip, port);
 	p->orig = true;
 
 	if ( our_class )
 		p->our_class = our_class;
 
-	if ( ! SendToChild(MSG_CONNECT_TO, p, 5, p->id,
-				ip4, port, uint32(retry), use_ssl) )
+	uint32 bytes[4];
+	ip.CopyIPv6(bytes, IPAddr::Host);
+
+	if ( ! SendToChild(MSG_CONNECT_TO, p, 8, p->id, bytes[0], bytes[1],
+	                   bytes[2], bytes[3], port, uint32(retry), use_ssl) )
 		{
 		RemovePeer(p);
 		return false;
@@ -1232,7 +1218,8 @@ bool RemoteSerializer::SendCapabilities(Peer* peer)
 	return caps ? SendToChild(MSG_CAPS, peer, 3, caps, 0, 0) : true;
 	}
 
-bool RemoteSerializer::Listen(const IPAddr& ip, uint16 port, bool expect_ssl)
+bool RemoteSerializer::Listen(const IPAddr& ip, uint16 port, bool expect_ssl,
+                              bool ipv6, double retry)
 	{
 	if ( ! using_communication )
 		return true;
@@ -1240,14 +1227,15 @@ bool RemoteSerializer::Listen(const IPAddr& ip, uint16 port, bool expect_ssl)
 	if ( ! initialized )
 		reporter->InternalError("remote serializer not initialized");
 
-	if ( ip.GetFamily() == IPv6 )
-		Error("inter-Bro communication not supported over IPv6");
+	if ( ! ipv6 && ip.GetFamily() == IPv6 &&
+	     ip != IPAddr("0.0.0.0") && ip != IPAddr("::") )
+		reporter->FatalError("Attempt to listen on address %s, but IPv6 communication disabled", ip.AsString().c_str());
 
-	const uint32* bytes;
-	ip.GetBytes(&bytes);
-	uint32 ip4 = ntohl(*bytes);
+	uint32 bytes[4];
+	ip.CopyIPv6(bytes, IPAddr::Host);
 
-	if ( ! SendToChild(MSG_LISTEN, 0, 3, ip4, port, expect_ssl) )
+	if ( ! SendToChild(MSG_LISTEN, 0, 8, bytes[0], bytes[1], bytes[2], bytes[3],
+	                   port, expect_ssl, ipv6, (uint32) retry) )
 		return false;
 
 	listening = true;
@@ -1784,7 +1772,7 @@ RecordVal* RemoteSerializer::MakePeerVal(Peer* peer)
 	RecordVal* v = new RecordVal(::peer);
 	v->Assign(0, new Val(uint32(peer->id), TYPE_COUNT));
 	// Sic! Network order for AddrVal, host order for PortVal.
-	v->Assign(1, new AddrVal(htonl(peer->ip)));
+	v->Assign(1, new AddrVal(peer->ip));
 	v->Assign(2, new PortVal(peer->port, TRANSPORT_TCP));
 	v->Assign(3, new Val(false, TYPE_BOOL));
 	v->Assign(4, new StringVal(""));	// set when received
@@ -1793,8 +1781,8 @@ RecordVal* RemoteSerializer::MakePeerVal(Peer* peer)
 	return v;
 	}
 
-RemoteSerializer::Peer* RemoteSerializer::AddPeer(uint32 ip, uint16 port,
-							PeerID id)
+RemoteSerializer::Peer* RemoteSerializer::AddPeer(const IPAddr& ip, uint16 port,
+                                                  PeerID id)
 	{
 	Peer* peer = new Peer;
 	peer->id = id != PEER_NONE ? id : id_counter++;
@@ -1960,8 +1948,8 @@ bool RemoteSerializer::ProcessConnected()
 	{
 	// IP and port follow.
 	uint32* args = (uint32*) current_args->data;
-	uint32 host = ntohl(args[0]);	// ### Fix: only works for IPv4
-	uint16 port = (uint16) ntohl(args[1]);
+	IPAddr host = IPAddr(IPv6, args, IPAddr::Network);
+	uint16 port = (uint16) ntohl(args[4]);
 
 	if ( ! current_peer )
 		{
@@ -2980,7 +2968,8 @@ void RemoteSerializer::Log(LogLevel level, const char* msg, Peer* peer,
 
 	if ( peer )
 		len += snprintf(buffer + len, sizeof(buffer) - len, "[#%d/%s:%d] ",
-		                int(peer->id), ip2a(peer->ip), peer->port);
+		                int(peer->id), peer->ip.AsURIString().c_str(),
+		                peer->port);
 
 	len += safe_snprintf(buffer + len, sizeof(buffer) - len, "%s", msg);
 
@@ -3266,8 +3255,10 @@ SocketComm::SocketComm()
 	terminating = false;
 	killing = false;
 
-	listen_fd_clear = -1;
-	listen_fd_ssl = -1;
+	listen_port = 0;
+	listen_ssl = false;
+	enable_ipv6 = false;
+	bind_retry_interval = 0;
 	listen_next_try = 0;
 
 	// We don't want to use the signal handlers of our parent.
@@ -3290,8 +3281,7 @@ SocketComm::~SocketComm()
 		delete peers[i]->io;
 
 	delete io;
-	close(listen_fd_clear);
-	close(listen_fd_ssl);
+	CloseListenFDs();
 	}
 
 static unsigned int first_rtime = 0;
@@ -3340,20 +3330,13 @@ void SocketComm::Run()
 			}
 
 		if ( listen_next_try && time(0) > listen_next_try  )
-			Listen(listen_if, listen_port, listen_ssl);
+			Listen();
 
-		if ( listen_fd_clear >= 0 )
+		for ( size_t i = 0; i < listen_fds.size(); ++i )
 			{
-			FD_SET(listen_fd_clear, &fd_read);
-			if ( listen_fd_clear > max_fd )
-				max_fd = listen_fd_clear;
-			}
-
-		if ( listen_fd_ssl >= 0 )
-			{
-			FD_SET(listen_fd_ssl, &fd_read);
-			if ( listen_fd_ssl > max_fd )
-				max_fd = listen_fd_ssl;
+			FD_SET(listen_fds[i], &fd_read);
+			if ( listen_fds[i] > max_fd )
+				max_fd = listen_fds[i];
 			}
 
 		if ( io->IsFillingUp() && ! shutting_conns_down )
@@ -3442,12 +3425,9 @@ void SocketComm::Run()
 				}
 			}
 
-		if ( listen_fd_clear >= 0 &&
-		     FD_ISSET(listen_fd_clear, &fd_read) )
-			AcceptConnection(listen_fd_clear);
-
-		if ( listen_fd_ssl >= 0 && FD_ISSET(listen_fd_ssl, &fd_read) )
-			AcceptConnection(listen_fd_ssl);
+		for ( size_t i = 0; i < listen_fds.size(); ++i )
+			if ( FD_ISSET(listen_fds[i], &fd_read) )
+				AcceptConnection(listen_fds[i]);
 
 		// Hack to display CPU usage of the child, triggered via
 		// SIGPROF.
@@ -3571,13 +3551,8 @@ bool SocketComm::DoParentMessage()
 
 	case MSG_LISTEN_STOP:
 		{
-		if ( listen_fd_ssl >= 0 )
-			close(listen_fd_ssl);
+		CloseListenFDs();
 
-		if ( listen_fd_clear >= 0 )
-			close(listen_fd_clear);
-
-		listen_fd_clear = listen_fd_ssl = -1;
 		Log("stopped listening");
 
 		return true;
@@ -3721,10 +3696,10 @@ bool SocketComm::ProcessConnectTo()
 
 	Peer* peer = new Peer;
 	peer->id = ntohl(args[0]);
-	peer->ip = ntohl(args[1]);
-	peer->port = ntohl(args[2]);
-	peer->retry = ntohl(args[3]);
-	peer->ssl = ntohl(args[4]);
+	peer->ip = IPAddr(IPv6, &args[1], IPAddr::Network);
+	peer->port = ntohl(args[5]);
+	peer->retry = ntohl(args[6]);
+	peer->ssl = ntohl(args[7]);
 
 	return Connect(peer);
 	}
@@ -3734,11 +3709,13 @@ bool SocketComm::ProcessListen()
 	assert(parent_args);
 	uint32* args = (uint32*) parent_args->data;
 
-	uint32 addr = ntohl(args[0]);
-	uint16 port = uint16(ntohl(args[1]));
-	uint32 ssl = ntohl(args[2]);
+	listen_if = IPAddr(IPv6, args, IPAddr::Network);
+	listen_port = uint16(ntohl(args[4]));
+	listen_ssl = ntohl(args[5]) != 0;
+	enable_ipv6 = ntohl(args[6]) != 0;
+	bind_retry_interval = ntohl(args[7]);
 
-	return Listen(addr, port, ssl);
+	return Listen();
 	}
 
 bool SocketComm::ProcessParentCompress()
@@ -3900,29 +3877,53 @@ bool SocketComm::ProcessPeerCompress(Peer* peer)
 
 bool SocketComm::Connect(Peer* peer)
 	{
-	struct sockaddr_in server;
+	int status;
+	addrinfo hints, *res, *res0;
+	bzero(&hints, sizeof(hints));
 
-	int sockfd = socket(PF_INET, SOCK_STREAM, 0);
-	if ( sockfd < 0 )
+	hints.ai_family = PF_UNSPEC;
+	hints.ai_protocol = IPPROTO_TCP;
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_flags = AI_NUMERICHOST;
+
+	char port_str[16];
+	modp_uitoa10(peer->port, port_str);
+
+	// TODO: better to accept string arguments from the user to pass into
+	// getaddrinfo? This might make it easier to explicitly connect to
+	// non-global IPv6 addresses with a scope zone identifier (RFC 4007).
+	status = getaddrinfo(peer->ip.AsString().c_str(), port_str, &hints, &res0);
+	if ( status != 0 )
 		{
-		Error(fmt("can't create socket, %s", strerror(errno)));
+		Error(fmt("getaddrinfo error: %s", gai_strerror(status)));
 		return false;
 		}
 
-	bzero(&server, sizeof(server));
-	server.sin_family = AF_INET;
-	server.sin_port = htons(peer->port);
-	server.sin_addr.s_addr = htonl(peer->ip);
-
-	bool connected = true;
-
-	if ( connect(sockfd, (sockaddr*) &server, sizeof(server)) < 0 )
+	int sockfd = -1;
+	for ( res = res0; res; res = res->ai_next )
 		{
-		Error(fmt("connect failed: %s", strerror(errno)), peer);
-		close(sockfd);
-		connected = false;
+		sockfd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
+		if ( sockfd < 0 )
+			{
+			Error(fmt("can't create connect socket, %s", strerror(errno)));
+			continue;
+			}
+
+		if ( connect(sockfd, res->ai_addr, res->ai_addrlen) < 0 )
+			{
+			Error(fmt("connect failed: %s", strerror(errno)), peer);
+			close(sockfd);
+			sockfd = -1;
+			continue;
+			}
+
+		break;
 		}
 
+	freeaddrinfo(res0);
+
+	bool connected = sockfd != -1;
+
 	if ( ! (connected || peer->retry) )
 		{
 		CloseConnection(peer, false);
@@ -3947,9 +3948,7 @@ bool SocketComm::Connect(Peer* peer)
 	if ( connected )
 		{
 		if ( peer->ssl )
-			{
 			peer->io = new ChunkedIOSSL(sockfd, false);
-			}
 		else
 			peer->io = new ChunkedIOFd(sockfd, "child->peer");
 
@@ -3964,7 +3963,12 @@ bool SocketComm::Connect(Peer* peer)
 	if ( connected )
 		{
 		Log("connected", peer);
-		if ( ! SendToParent(MSG_CONNECTED, peer, 2, peer->ip, peer->port) )
+
+		uint32 bytes[4];
+		peer->ip.CopyIPv6(bytes, IPAddr::Host);
+
+		if ( ! SendToParent(MSG_CONNECTED, peer, 5, bytes[0], bytes[1],
+		                    bytes[2], bytes[3], peer->port) )
 			return false;
 		}
 
@@ -4001,86 +4005,139 @@ bool SocketComm::CloseConnection(Peer* peer, bool reconnect)
 	return true;
 	}
 
-bool SocketComm::Listen(uint32 ip, uint16 port, bool expect_ssl)
+bool SocketComm::Listen()
 	{
-	int* listen_fd = expect_ssl ? &listen_fd_ssl : &listen_fd_clear;
+	int status, on = 1;
+	addrinfo hints, *res, *res0;
+	bzero(&hints, sizeof(hints));
 
-	if ( *listen_fd >= 0 )
-		close(*listen_fd);
-
-	struct sockaddr_in server;
-
-	*listen_fd = socket(PF_INET, SOCK_STREAM, 0);
-	if ( *listen_fd < 0 )
+	if ( enable_ipv6 )
 		{
-		Error(fmt("can't create listen socket, %s",
-				strerror(errno)));
+		if ( listen_if == IPAddr("0.0.0.0") || listen_if == IPAddr("::") )
+			hints.ai_family = PF_UNSPEC;
+		else
+			hints.ai_family = listen_if.GetFamily() == IPv4 ? PF_INET : PF_INET6;
+		}
+	else
+		hints.ai_family = PF_INET;
+
+	hints.ai_protocol = IPPROTO_TCP;
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG | AI_NUMERICHOST;
+
+	char port_str[16];
+	modp_uitoa10(listen_port, port_str);
+
+	const char* addr_str = 0;
+	if ( listen_if != IPAddr("0.0.0.0") && listen_if != IPAddr("::") )
+		addr_str = listen_if.AsString().c_str();
+
+	CloseListenFDs();
+
+	// TODO: better to accept string arguments from the user to pass into
+	// getaddrinfo?  This might make it easier to explicitly bind to a
+	// non-global IPv6 address with a scope zone identifier (RFC 4007).
+	if ( (status = getaddrinfo(addr_str, port_str, &hints, &res0)) != 0 )
+		{
+		Error(fmt("getaddrinfo error: %s", gai_strerror(status)));
 		return false;
 		}
 
-	// Set SO_REUSEADDR.
-	int turn_on = 1;
-	if ( setsockopt(*listen_fd, SOL_SOCKET, SO_REUSEADDR,
-			&turn_on, sizeof(turn_on)) < 0 )
+	for ( res = res0; res; res = res->ai_next )
 		{
-		Error(fmt("can't set SO_REUSEADDR, %s",
-				strerror(errno)));
-		return false;
-		}
-
-	bzero(&server, sizeof(server));
-	server.sin_family = AF_INET;
-	server.sin_port = htons(port);
-	server.sin_addr.s_addr = htonl(ip);
-
-	if ( bind(*listen_fd, (sockaddr*) &server, sizeof(server)) < 0 )
-		{
-		Error(fmt("can't bind to port %d, %s", port, strerror(errno)));
-		close(*listen_fd);
-		*listen_fd = -1;
-
-		if ( errno == EADDRINUSE )
+		if ( res->ai_family != AF_INET && res->ai_family != AF_INET6 )
 			{
-			listen_if = ip;
-			listen_port = port;
-			listen_ssl = expect_ssl;
-			// FIXME: Make this timeout configurable.
-			listen_next_try = time(0) + 30;
+			Error(fmt("can't create listen socket: unknown address family, %d",
+			          res->ai_family));
+			continue;
 			}
-		return false;
+
+		IPAddr a = res->ai_family == AF_INET ?
+				IPAddr(((sockaddr_in*)res->ai_addr)->sin_addr) :
+				IPAddr(((sockaddr_in6*)res->ai_addr)->sin6_addr);
+
+		int fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
+		if ( fd < 0 )
+			{
+			Error(fmt("can't create listen socket, %s", strerror(errno)));
+			continue;
+			}
+
+		if ( setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0 )
+			Error(fmt("can't set SO_REUSEADDR, %s", strerror(errno)));
+
+		// For IPv6 listening sockets, we don't want do dual binding to also
+		// get IPv4-mapped addresses because that's not as portable. e.g.
+		// many BSDs don't allow that.
+		if ( res->ai_family == AF_INET6 &&
+		     setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0 )
+			Error(fmt("can't set IPV6_V6ONLY, %s", strerror(errno)));
+
+		if ( bind(fd, res->ai_addr, res->ai_addrlen) < 0 )
+			{
+			Error(fmt("can't bind to %s:%s, %s", a.AsURIString().c_str(),
+			          port_str, strerror(errno)));
+			close(fd);
+
+			if ( errno == EADDRINUSE )
+				{
+				// Abandon completely this attempt to set up listening sockets,
+				// try again later.
+				CloseListenFDs();
+				listen_next_try = time(0) + bind_retry_interval;
+				return false;
+				}
+			continue;
+			}
+
+		if ( listen(fd, 50) < 0 )
+			{
+			Error(fmt("can't listen on %s:%s, %s", a.AsURIString().c_str(),
+			          port_str, strerror(errno)));
+			close(fd);
+			continue;
+			}
+
+		listen_fds.push_back(fd);
+		Log(fmt("listening on %s:%s (%s)", a.AsURIString().c_str(), port_str,
+		        listen_ssl ? "ssl" : "clear"));
 		}
 
-	if ( listen(*listen_fd, 50) < 0 )
-		{
-		Error(fmt("can't listen, %s", strerror(errno)));
-		return false;
-		}
+	freeaddrinfo(res0);
 
 	listen_next_try = 0;
-	Log(fmt("listening on %s:%d (%s)",
-		ip2a(ip), port, expect_ssl ? "ssl" : "clear"));
-	return true;
+	return listen_fds.size() > 0;
 	}
 
 bool SocketComm::AcceptConnection(int fd)
 	{
-	sockaddr_in client;
+	sockaddr_storage client;
 	socklen_t len = sizeof(client);
 
 	int clientfd = accept(fd, (sockaddr*) &client, &len);
 	if ( clientfd < 0 )
 		{
-		Error(fmt("accept failed, %s %d",
-				strerror(errno), errno));
+		Error(fmt("accept failed, %s %d", strerror(errno), errno));
+		return false;
+		}
+
+	if ( client.ss_family != AF_INET && client.ss_family != AF_INET6 )
+		{
+		Error(fmt("accept fail, unknown address family %d", client.ss_family));
+		close(clientfd);
 		return false;
 		}
 
 	Peer* peer = new Peer;
 	peer->id = id_counter++;
-	peer->ip = ntohl(client.sin_addr.s_addr);
-	peer->port = ntohs(client.sin_port);
+	peer->ip = client.ss_family == AF_INET ?
+	           IPAddr(((sockaddr_in*)&client)->sin_addr) :
+	           IPAddr(((sockaddr_in6*)&client)->sin6_addr);
+	peer->port = client.ss_family == AF_INET ?
+	             ntohs(((sockaddr_in*)&client)->sin_port) :
+	             ntohs(((sockaddr_in6*)&client)->sin6_port);
 	peer->connected = true;
-	peer->ssl = (fd == listen_fd_ssl);
+	peer->ssl = listen_ssl;
 	peer->compressor = false;
 
 	if ( peer->ssl )
@@ -4090,8 +4147,7 @@ bool SocketComm::AcceptConnection(int fd)
 
 	if ( ! peer->io->Init() )
 		{
-		Error(fmt("can't init peer io: %s",
-				  peer->io->Error()), false);
+		Error(fmt("can't init peer io: %s", peer->io->Error()), false);
 		return false;
 		}
 
@@ -4099,7 +4155,11 @@ bool SocketComm::AcceptConnection(int fd)
 
 	Log(fmt("accepted %s connection", peer->ssl ? "SSL" : "clear"), peer);
 
-	if ( ! SendToParent(MSG_CONNECTED, peer, 2, peer->ip, peer->port) )
+	uint32 bytes[4];
+	peer->ip.CopyIPv6(bytes, IPAddr::Host);
+
+	if ( ! SendToParent(MSG_CONNECTED, peer, 5, bytes[0], bytes[1], bytes[2],
+	                    bytes[3], peer->port) )
 		return false;
 
 	return true;
@@ -4117,12 +4177,19 @@ const char* SocketComm::MakeLogString(const char* msg, Peer* peer)
 
 	if ( peer )
 		len = snprintf(buffer, BUFSIZE, "[#%d/%s:%d] ", int(peer->id),
-				ip2a(peer->ip), peer->port);
+		               peer->ip.AsURIString().c_str(), peer->port);
 
 	len += safe_snprintf(buffer + len, BUFSIZE - len, "%s", msg);
 	return buffer;
 	}
 
+void SocketComm::CloseListenFDs()
+	{
+	for ( size_t i = 0; i < listen_fds.size(); ++i )
+		close(listen_fds[i]);
+	listen_fds.clear();
+	}
+
 void SocketComm::Error(const char* msg, bool kill_me)
 	{
 	if ( kill_me )
@@ -4165,7 +4232,7 @@ void SocketComm::Log(const char* msg, Peer* peer)
 
 void SocketComm::InternalError(const char* msg)
 	{
-	fprintf(stderr, "interal error in child: %s\n", msg);
+	fprintf(stderr, "internal error in child: %s\n", msg);
 	Kill();
 	}
 
@@ -4180,8 +4247,7 @@ void SocketComm::Kill()
 	LogProf();
 	Log("terminating");
 
-	close(listen_fd_clear);
-	close(listen_fd_ssl);
+	CloseListenFDs();
 
 	kill(getpid(), SIGTERM);
 
diff --git a/src/RemoteSerializer.h b/src/RemoteSerializer.h
index 05d25ca525..f6f94f53d3 100644
--- a/src/RemoteSerializer.h
+++ b/src/RemoteSerializer.h
@@ -10,8 +10,7 @@
 #include "Stats.h"
 #include "File.h"
 
-// All IP arguments are in host byte-order.
-// FIXME: Change this to network byte order
+#include <vector>
 
 class IncrementalSendTimer;
 
@@ -63,7 +62,8 @@ public:
 	bool CompleteHandshake(PeerID peer);
 
 	// Start to listen.
-	bool Listen(const IPAddr& ip, uint16 port, bool expect_ssl);
+	bool Listen(const IPAddr& ip, uint16 port, bool expect_ssl, bool ipv6,
+	            double retry);
 
 	// Stop it.
 	bool StopListening();
@@ -179,9 +179,7 @@ protected:
 	struct Peer {
 		PeerID id; // Unique ID (non-zero) per peer.
 
-		// ### Fix: currently, we only work for IPv4.
-		// addr_type ip;
-		uint32 ip;
+		IPAddr ip;
 
 		uint16 port;
 		handler_list handlers;
@@ -277,7 +275,7 @@ protected:
 	bool ProcessLogWrite();
 	bool ProcessRequestLogs();
 
-	Peer* AddPeer(uint32 ip, uint16 port, PeerID id = PEER_NONE);
+	Peer* AddPeer(const IPAddr& ip, uint16 port, PeerID id = PEER_NONE);
 	Peer* LookupPeer(PeerID id, bool only_if_connected);
 	void RemovePeer(Peer* peer);
 	bool IsConnectedPeer(PeerID id);
@@ -412,7 +410,6 @@ protected:
 			{
 			id = 0;
 			io = 0;
-			ip = 0;
 			port = 0;
 			state = 0;
 			connected = false;
@@ -424,7 +421,7 @@ protected:
 
 		RemoteSerializer::PeerID id;
 		ChunkedIO* io;
-		uint32 ip;
+		IPAddr ip;
 		uint16 port;
 		char state;
 		bool connected;
@@ -437,7 +434,7 @@ protected:
 		bool compressor;
 	};
 
-	bool Listen(uint32 ip, uint16 port, bool expect_ssl);
+	bool Listen();
 	bool AcceptConnection(int listen_fd);
 	bool Connect(Peer* peer);
 	bool CloseConnection(Peer* peer, bool reconnect);
@@ -482,6 +479,9 @@ protected:
 	bool ForwardChunkToPeer();
 	const char* MakeLogString(const char* msg, Peer *peer);
 
+	// Closes all file descriptors associated with listening sockets.
+	void CloseListenFDs();
+
 	// Peers we are communicating with:
 	declare(PList, Peer);
 	typedef PList(Peer) peer_list;
@@ -498,14 +498,15 @@ protected:
 	char parent_msgtype;
 	ChunkedIO::Chunk* parent_args;
 
-	int listen_fd_clear;
-	int listen_fd_ssl;
+	vector<int> listen_fds;
 
 	// If the port we're trying to bind to is already in use, we will retry
 	// it regularly.
-	uint32 listen_if;	// Fix: only supports IPv4
+	IPAddr listen_if;
 	uint16 listen_port;
 	bool listen_ssl;
+	bool enable_ipv6; // allow IPv6 listen sockets
+	uint32 bind_retry_interval;
 	time_t listen_next_try;
 	bool shutting_conns_down;
 	bool terminating;
diff --git a/src/bro.bif b/src/bro.bif
index 15740a83c7..3f4215dc13 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -5402,12 +5402,17 @@ function set_compression_level%(p: event_peer, level: count%) : bool
 ##
 ## ssl: If true, Bro uses SSL to encrypt the session.
 ##
+## ipv6: If true, enable listening on IPv6 addresses.
+##
+## retry_interval: If address *ip* is found to be already in use, this is
+##                 the interval at which to automatically retry binding.
+##
 ## Returns: True on success.
 ##
 ## .. bro:see:: connect disconnect
-function listen%(ip: addr, p: port, ssl: bool %) : bool
+function listen%(ip: addr, p: port, ssl: bool, ipv6: bool, retry_interval: interval%) : bool
 	%{
-	return new Val(remote_serializer->Listen(ip->AsAddr(), p->Port(), ssl), TYPE_BOOL);
+	return new Val(remote_serializer->Listen(ip->AsAddr(), p->Port(), ssl, ipv6, retry_interval), TYPE_BOOL);
 	%}
 
 ## Checks whether the last raised event came from a remote peer.
diff --git a/testing/btest/Baseline/istate.bro-ipv6/recv..stdout b/testing/btest/Baseline/istate.bro-ipv6/recv..stdout
new file mode 100644
index 0000000000..673af68234
--- /dev/null
+++ b/testing/btest/Baseline/istate.bro-ipv6/recv..stdout
@@ -0,0 +1 @@
+handshake done with peer: ::1
diff --git a/testing/btest/Baseline/istate.bro-ipv6/send..stdout b/testing/btest/Baseline/istate.bro-ipv6/send..stdout
new file mode 100644
index 0000000000..fbc855464d
--- /dev/null
+++ b/testing/btest/Baseline/istate.bro-ipv6/send..stdout
@@ -0,0 +1,2 @@
+handshake done with peer: ::1
+my_event: hello world
diff --git a/testing/btest/Baseline/istate.events-ssl/events.rec.log b/testing/btest/Baseline/istate.events-ssl/events.rec.log
new file mode 100644
index 0000000000..04993fb84a
--- /dev/null
+++ b/testing/btest/Baseline/istate.events-ssl/events.rec.log
@@ -0,0 +1,33 @@
+http_request
+http_begin_entity
+http_header
+http_header
+http_header
+http_header
+http_all_headers
+http_content_type
+http_end_entity
+http_message_done
+http_signature_found
+http_reply
+http_begin_entity
+http_header
+http_header
+http_header
+http_header
+http_header
+http_header
+http_header
+http_header
+http_header
+http_all_headers
+http_content_type
+http_entity_data
+http_entity_data
+http_entity_data
+http_entity_data
+http_entity_data
+http_entity_data
+http_entity_data
+http_end_entity
+http_message_done
diff --git a/testing/btest/Baseline/istate.events-ssl/events.snd.log b/testing/btest/Baseline/istate.events-ssl/events.snd.log
new file mode 100644
index 0000000000..04993fb84a
--- /dev/null
+++ b/testing/btest/Baseline/istate.events-ssl/events.snd.log
@@ -0,0 +1,33 @@
+http_request
+http_begin_entity
+http_header
+http_header
+http_header
+http_header
+http_all_headers
+http_content_type
+http_end_entity
+http_message_done
+http_signature_found
+http_reply
+http_begin_entity
+http_header
+http_header
+http_header
+http_header
+http_header
+http_header
+http_header
+http_header
+http_header
+http_all_headers
+http_content_type
+http_entity_data
+http_entity_data
+http_entity_data
+http_entity_data
+http_entity_data
+http_entity_data
+http_entity_data
+http_end_entity
+http_message_done
diff --git a/testing/btest/Baseline/istate.events-ssl/receiver.http.log b/testing/btest/Baseline/istate.events-ssl/receiver.http.log
index 1601f8ad3c..5a7912d23d 100644
--- a/testing/btest/Baseline/istate.events-ssl/receiver.http.log
+++ b/testing/btest/Baseline/istate.events-ssl/receiver.http.log
@@ -5,4 +5,4 @@
 #path	http
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
-1324314406.995958	arKYeMETxOg	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
+1336588614.060989	arKYeMETxOg	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
diff --git a/testing/btest/Baseline/istate.events-ssl/sender.http.log b/testing/btest/Baseline/istate.events-ssl/sender.http.log
index 1601f8ad3c..5a7912d23d 100644
--- a/testing/btest/Baseline/istate.events-ssl/sender.http.log
+++ b/testing/btest/Baseline/istate.events-ssl/sender.http.log
@@ -5,4 +5,4 @@
 #path	http
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
-1324314406.995958	arKYeMETxOg	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
+1336588614.060989	arKYeMETxOg	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
diff --git a/testing/btest/Baseline/istate.events/events.rec.log b/testing/btest/Baseline/istate.events/events.rec.log
new file mode 100644
index 0000000000..04993fb84a
--- /dev/null
+++ b/testing/btest/Baseline/istate.events/events.rec.log
@@ -0,0 +1,33 @@
+http_request
+http_begin_entity
+http_header
+http_header
+http_header
+http_header
+http_all_headers
+http_content_type
+http_end_entity
+http_message_done
+http_signature_found
+http_reply
+http_begin_entity
+http_header
+http_header
+http_header
+http_header
+http_header
+http_header
+http_header
+http_header
+http_header
+http_all_headers
+http_content_type
+http_entity_data
+http_entity_data
+http_entity_data
+http_entity_data
+http_entity_data
+http_entity_data
+http_entity_data
+http_end_entity
+http_message_done
diff --git a/testing/btest/Baseline/istate.events/events.snd.log b/testing/btest/Baseline/istate.events/events.snd.log
new file mode 100644
index 0000000000..04993fb84a
--- /dev/null
+++ b/testing/btest/Baseline/istate.events/events.snd.log
@@ -0,0 +1,33 @@
+http_request
+http_begin_entity
+http_header
+http_header
+http_header
+http_header
+http_all_headers
+http_content_type
+http_end_entity
+http_message_done
+http_signature_found
+http_reply
+http_begin_entity
+http_header
+http_header
+http_header
+http_header
+http_header
+http_header
+http_header
+http_header
+http_header
+http_all_headers
+http_content_type
+http_entity_data
+http_entity_data
+http_entity_data
+http_entity_data
+http_entity_data
+http_entity_data
+http_entity_data
+http_end_entity
+http_message_done
diff --git a/testing/btest/Baseline/istate.events/receiver.http.log b/testing/btest/Baseline/istate.events/receiver.http.log
index 25a7f289c0..55a0189cec 100644
--- a/testing/btest/Baseline/istate.events/receiver.http.log
+++ b/testing/btest/Baseline/istate.events/receiver.http.log
@@ -5,4 +5,4 @@
 #path	http
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
-1324314415.616486	arKYeMETxOg	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
+1336587178.164598	arKYeMETxOg	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
diff --git a/testing/btest/Baseline/istate.events/sender.http.log b/testing/btest/Baseline/istate.events/sender.http.log
index 25a7f289c0..55a0189cec 100644
--- a/testing/btest/Baseline/istate.events/sender.http.log
+++ b/testing/btest/Baseline/istate.events/sender.http.log
@@ -5,4 +5,4 @@
 #path	http
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
-1324314415.616486	arKYeMETxOg	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
+1336587178.164598	arKYeMETxOg	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
diff --git a/testing/btest/istate/bro-ipv6.bro b/testing/btest/istate/bro-ipv6.bro
new file mode 100644
index 0000000000..6230018636
--- /dev/null
+++ b/testing/btest/istate/bro-ipv6.bro
@@ -0,0 +1,52 @@
+# @TEST-GROUP: comm
+#
+# @TEST-REQUIRES: ifconfig | grep -q "inet6 ::1"
+#
+# @TEST-EXEC: btest-bg-run recv bro -b ../recv.bro
+# @TEST-EXEC: btest-bg-run send bro -b ../send.bro
+# @TEST-EXEC: btest-bg-wait -k 20
+# 
+# @TEST-EXEC: btest-diff recv/.stdout
+# @TEST-EXEC: btest-diff send/.stdout
+
+@TEST-START-FILE send.bro
+
+@load base/frameworks/communication
+
+redef Communication::nodes += {
+    ["foo"] = [$host=[::1], $connect=T, $events=/my_event/]
+};
+
+global my_event: event(s: string);
+
+event remote_connection_handshake_done(p: event_peer)
+	{
+	print fmt("handshake done with peer: %s", p$host);
+	}
+
+event my_event(s: string)
+	{
+	print fmt("my_event: %s", s);
+	terminate();
+	}
+
+@TEST-END-FILE
+
+#############
+
+@TEST-START-FILE recv.bro
+
+@load frameworks/communication/listen
+
+redef Communication::listen_ipv6=T;
+
+global my_event: event(s: string);
+
+event remote_connection_handshake_done(p: event_peer)
+	{
+	print fmt("handshake done with peer: %s", p$host);
+	event my_event("hello world");
+	terminate();
+	}
+
+@TEST-END-FILE
diff --git a/testing/btest/istate/events-ssl.bro b/testing/btest/istate/events-ssl.bro
index 25aa2dc8fb..c86087df81 100644
--- a/testing/btest/istate/events-ssl.bro
+++ b/testing/btest/istate/events-ssl.bro
@@ -8,8 +8,10 @@
 # @TEST-EXEC: btest-diff receiver/http.log
 # @TEST-EXEC: cmp sender/http.log receiver/http.log
 # 
-# @TEST-EXEC: bro -x sender/events.bst http/base   | sed 's/^Event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g'  >events.snd.log
-# @TEST-EXEC: bro -x receiver/events.bst http/base | sed 's/^Event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g'  >events.rec.log
+# @TEST-EXEC: bro -x sender/events.bst | sed 's/^Event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g'  >events.snd.log
+# @TEST-EXEC: bro -x receiver/events.bst | sed 's/^Event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g'  >events.rec.log
+# @TEST-EXEC: btest-diff events.rec.log
+# @TEST-EXEC: btest-diff events.snd.log
 # @TEST-EXEC: cmp events.rec.log events.snd.log
 # 
 # We don't compare the transmitted event paramerters anymore. With the dynamic
diff --git a/testing/btest/istate/events.bro b/testing/btest/istate/events.bro
index 81a1d765db..6d8227c810 100644
--- a/testing/btest/istate/events.bro
+++ b/testing/btest/istate/events.bro
@@ -10,6 +10,8 @@
 # 
 # @TEST-EXEC: bro -x sender/events.bst | sed 's/^Event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g'  >events.snd.log
 # @TEST-EXEC: bro -x receiver/events.bst | sed 's/^Event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g'  >events.rec.log
+# @TEST-EXEC: btest-diff events.rec.log
+# @TEST-EXEC: btest-diff events.snd.log
 # @TEST-EXEC: cmp events.rec.log events.snd.log
 # 
 # We don't compare the transmitted event paramerters anymore. With the dynamic

From 8bb62eaaa2df13adf1de74081ca4f8b1dfc66423 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@ncsa.illinois.edu>
Date: Wed, 9 May 2012 16:09:16 -0500
Subject: [PATCH 2/5] Undo communication protocol version bump.

Looks like it wasn't necessary because no message between remote peers
needed to be changed to support IPv6, just messages between Bro
parent and child processes were changed.
---
 src/RemoteSerializer.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc
index 3abec00f59..0383977de1 100644
--- a/src/RemoteSerializer.cc
+++ b/src/RemoteSerializer.cc
@@ -196,7 +196,7 @@ extern "C" {
 
 // Gets incremented each time there's an incompatible change
 // to the communication internals.
-static const unsigned short PROTOCOL_VERSION = 0x08;
+static const unsigned short PROTOCOL_VERSION = 0x07;
 
 static const char MSG_NONE = 0x00;
 static const char MSG_VERSION = 0x01;

From 2338a322882e966c9f1ce673ae3f180b153f73bd Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@ncsa.illinois.edu>
Date: Thu, 10 May 2012 10:47:39 -0500
Subject: [PATCH 3/5] Remove AI_ADDRCONFIG getaddrinfo hints flag for listening
 sockets.

Because, according to RFC 3493, that will cause getaddrinfo to
overlook the ::1 loopback if there's not some other interface with
a global IPv6 address.  The rationale being that the flag helps
prevent unnecessary AAAA lookups, but since I set AI_NUMERICHOST,
lookups aren't going to happen anyway.

Also update the IPv6 Bro communication test to get it to work more
reliably.
---
 src/RemoteSerializer.cc                                   | 2 +-
 .../recv..stdout                                          | 0
 .../send..stdout                                          | 0
 .../btest/istate/{bro-ipv6.bro => bro-ipv6-socket.bro}    | 8 ++++++--
 4 files changed, 7 insertions(+), 3 deletions(-)
 rename testing/btest/Baseline/{istate.bro-ipv6 => istate.bro-ipv6-socket}/recv..stdout (100%)
 rename testing/btest/Baseline/{istate.bro-ipv6 => istate.bro-ipv6-socket}/send..stdout (100%)
 rename testing/btest/istate/{bro-ipv6.bro => bro-ipv6-socket.bro} (88%)

diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc
index 0383977de1..9123e99ef4 100644
--- a/src/RemoteSerializer.cc
+++ b/src/RemoteSerializer.cc
@@ -4023,7 +4023,7 @@ bool SocketComm::Listen()
 
 	hints.ai_protocol = IPPROTO_TCP;
 	hints.ai_socktype = SOCK_STREAM;
-	hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG | AI_NUMERICHOST;
+	hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
 
 	char port_str[16];
 	modp_uitoa10(listen_port, port_str);
diff --git a/testing/btest/Baseline/istate.bro-ipv6/recv..stdout b/testing/btest/Baseline/istate.bro-ipv6-socket/recv..stdout
similarity index 100%
rename from testing/btest/Baseline/istate.bro-ipv6/recv..stdout
rename to testing/btest/Baseline/istate.bro-ipv6-socket/recv..stdout
diff --git a/testing/btest/Baseline/istate.bro-ipv6/send..stdout b/testing/btest/Baseline/istate.bro-ipv6-socket/send..stdout
similarity index 100%
rename from testing/btest/Baseline/istate.bro-ipv6/send..stdout
rename to testing/btest/Baseline/istate.bro-ipv6-socket/send..stdout
diff --git a/testing/btest/istate/bro-ipv6.bro b/testing/btest/istate/bro-ipv6-socket.bro
similarity index 88%
rename from testing/btest/istate/bro-ipv6.bro
rename to testing/btest/istate/bro-ipv6-socket.bro
index 6230018636..ae77a42c54 100644
--- a/testing/btest/istate/bro-ipv6.bro
+++ b/testing/btest/istate/bro-ipv6-socket.bro
@@ -1,11 +1,11 @@
 # @TEST-GROUP: comm
 #
-# @TEST-REQUIRES: ifconfig | grep -q "inet6 ::1"
+# @TEST-REQUIRES: ifconfig | grep -q -E "inet6 ::1|inet6 addr: ::1"
 #
 # @TEST-EXEC: btest-bg-run recv bro -b ../recv.bro
 # @TEST-EXEC: btest-bg-run send bro -b ../send.bro
 # @TEST-EXEC: btest-bg-wait -k 20
-# 
+#
 # @TEST-EXEC: btest-diff recv/.stdout
 # @TEST-EXEC: btest-diff send/.stdout
 
@@ -46,6 +46,10 @@ event remote_connection_handshake_done(p: event_peer)
 	{
 	print fmt("handshake done with peer: %s", p$host);
 	event my_event("hello world");
+	}
+
+event remote_connection_closed(p: event_peer)
+	{
 	terminate();
 	}
 

From d3ea3127822e2c51edbba02a88dc49a591ef9d11 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@ncsa.illinois.edu>
Date: Fri, 11 May 2012 17:16:57 -0500
Subject: [PATCH 4/5] Add unit tests for Broccoli SSL and Broccoli IPv6
 connectivity.

---
 .../istate.broccoli-ipv6-socket/bro..stdout   |  9 +++
 .../broccoli..stdout                          |  6 ++
 .../Baseline/istate.broccoli-ssl/bro..stdout  |  9 +++
 .../istate.broccoli-ssl/broccoli..stdout      |  6 ++
 testing/btest/istate/broccoli-ipv6-socket.bro | 10 +++
 testing/btest/istate/broccoli-ipv6.bro        |  8 +--
 testing/btest/istate/broccoli-ssl.bro         | 68 +++++++++++++++++++
 7 files changed, 109 insertions(+), 7 deletions(-)
 create mode 100644 testing/btest/Baseline/istate.broccoli-ipv6-socket/bro..stdout
 create mode 100644 testing/btest/Baseline/istate.broccoli-ipv6-socket/broccoli..stdout
 create mode 100644 testing/btest/Baseline/istate.broccoli-ssl/bro..stdout
 create mode 100644 testing/btest/Baseline/istate.broccoli-ssl/broccoli..stdout
 create mode 100644 testing/btest/istate/broccoli-ipv6-socket.bro
 create mode 100644 testing/btest/istate/broccoli-ssl.bro

diff --git a/testing/btest/Baseline/istate.broccoli-ipv6-socket/bro..stdout b/testing/btest/Baseline/istate.broccoli-ipv6-socket/bro..stdout
new file mode 100644
index 0000000000..0a7bac52c5
--- /dev/null
+++ b/testing/btest/Baseline/istate.broccoli-ipv6-socket/bro..stdout
@@ -0,0 +1,9 @@
+handshake done with peer
+bro_addr(1.2.3.4)
+bro_subnet(10.0.0.0/16)
+bro_addr(2607:f8b0:4009:802::1014)
+bro_subnet(2607:f8b0::/32)
+broccoli_addr(1.2.3.4)
+broccoli_subnet(10.0.0.0/16)
+broccoli_addr(2607:f8b0:4009:802::1014)
+broccoli_subnet(2607:f8b0::/32)
diff --git a/testing/btest/Baseline/istate.broccoli-ipv6-socket/broccoli..stdout b/testing/btest/Baseline/istate.broccoli-ipv6-socket/broccoli..stdout
new file mode 100644
index 0000000000..dba9318891
--- /dev/null
+++ b/testing/btest/Baseline/istate.broccoli-ipv6-socket/broccoli..stdout
@@ -0,0 +1,6 @@
+Connected to Bro instance at: ::1:47757
+Received bro_addr(1.2.3.4)
+Received bro_subnet(10.0.0.0/16)
+Received bro_addr(2607:f8b0:4009:802::1014)
+Received bro_subnet(2607:f8b0::/32)
+Terminating
diff --git a/testing/btest/Baseline/istate.broccoli-ssl/bro..stdout b/testing/btest/Baseline/istate.broccoli-ssl/bro..stdout
new file mode 100644
index 0000000000..0a7bac52c5
--- /dev/null
+++ b/testing/btest/Baseline/istate.broccoli-ssl/bro..stdout
@@ -0,0 +1,9 @@
+handshake done with peer
+bro_addr(1.2.3.4)
+bro_subnet(10.0.0.0/16)
+bro_addr(2607:f8b0:4009:802::1014)
+bro_subnet(2607:f8b0::/32)
+broccoli_addr(1.2.3.4)
+broccoli_subnet(10.0.0.0/16)
+broccoli_addr(2607:f8b0:4009:802::1014)
+broccoli_subnet(2607:f8b0::/32)
diff --git a/testing/btest/Baseline/istate.broccoli-ssl/broccoli..stdout b/testing/btest/Baseline/istate.broccoli-ssl/broccoli..stdout
new file mode 100644
index 0000000000..481778c98a
--- /dev/null
+++ b/testing/btest/Baseline/istate.broccoli-ssl/broccoli..stdout
@@ -0,0 +1,6 @@
+Connected to Bro instance at: localhost:47757
+Received bro_addr(1.2.3.4)
+Received bro_subnet(10.0.0.0/16)
+Received bro_addr(2607:f8b0:4009:802::1014)
+Received bro_subnet(2607:f8b0::/32)
+Terminating
diff --git a/testing/btest/istate/broccoli-ipv6-socket.bro b/testing/btest/istate/broccoli-ipv6-socket.bro
new file mode 100644
index 0000000000..e36ac9e9f7
--- /dev/null
+++ b/testing/btest/istate/broccoli-ipv6-socket.bro
@@ -0,0 +1,10 @@
+# @TEST-GROUP: comm
+#
+# @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib
+# @TEST-REQUIRES: ifconfig | grep -q -E "inet6 ::1|inet6 addr: ::1"
+#
+# @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro "Communication::listen_ipv6=T"
+# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -6 ::1
+# @TEST-EXEC: btest-bg-wait -k 20
+# @TEST-EXEC: btest-diff bro/.stdout
+# @TEST-EXEC: btest-diff broccoli/.stdout
diff --git a/testing/btest/istate/broccoli-ipv6.bro b/testing/btest/istate/broccoli-ipv6.bro
index b7ab5bdb05..415c8bb2d2 100644
--- a/testing/btest/istate/broccoli-ipv6.bro
+++ b/testing/btest/istate/broccoli-ipv6.bro
@@ -2,14 +2,8 @@
 #
 # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib
 #
-# @TEST-EXEC: btest-bg-run bro bro %INPUT $DIST/aux/broccoli/test/broccoli-v6addrs.bro
+# @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro
 # @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs
 # @TEST-EXEC: btest-bg-wait -k 20
 # @TEST-EXEC: btest-diff bro/.stdout
 # @TEST-EXEC: btest-diff broccoli/.stdout
-
-event remote_connection_closed(p: event_peer)
-	{
-	terminate();
-	}
-
diff --git a/testing/btest/istate/broccoli-ssl.bro b/testing/btest/istate/broccoli-ssl.bro
new file mode 100644
index 0000000000..61401c483a
--- /dev/null
+++ b/testing/btest/istate/broccoli-ssl.bro
@@ -0,0 +1,68 @@
+# @TEST-GROUP: comm
+#
+# @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib
+#
+# @TEST-EXEC: chmod 600 broccoli.conf
+# @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro "Communication::listen_ssl=T" "ssl_ca_certificate=../ca_cert.pem" "ssl_private_key=../bro.pem"
+# @TEST-EXEC: btest-bg-run broccoli BROCCOLI_CONFIG_FILE=../broccoli.conf $BUILD/aux/broccoli/test/broccoli-v6addrs
+# @TEST-EXEC: btest-bg-wait -k 20
+# @TEST-EXEC: btest-diff bro/.stdout
+# @TEST-EXEC: btest-diff broccoli/.stdout
+
+@TEST-START-FILE broccoli.conf
+/broccoli/use_ssl      yes
+/broccoli/ca_cert      ../ca_cert.pem
+/broccoli/host_cert    ../bro.pem
+/broccoli/host_key     ../bro.pem
+@TEST-END-FILE
+
+@TEST-START-FILE bro.pem
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQD17FE8UVaO224Y8UL2bH1okCYxr5dVytTQ93uE5J9caGADzPZe
+qYPuvtPt9ivhBtf2L9odK7unQU60v6RsO3bb9bQktQbEdh0FEjnso2UHe/nLreYn
+VyLCEp9Sh1OFQnMhJNYuzNwVzWOqH/TYNy3ODueZTS4YBsRyEkpEfgeoaQIDAQAB
+AoGAJ/S1Xi94+Mz+Hl9UmeUWmx6QlhIJbI7/9NPA5d6fZcwvjW6HuOmh3fBzTn5o
+sq8B96Xesk6gtpQNzaA1fsBKlzDSpGRDVg2odN9vIT3jd0Dub2F47JHdFCqtMUIV
+rCsO+fpGtavv1zJ/rzlJz7rx4cRP+/Gwd5YlH0q5cFuHhAECQQD9q328Ye4A7o2e
+cLOhzuWUZszqdIY7ZTgDtk06F57VrjLVERrZjrtAwbs77m+ybw4pDKKU7H5inhQQ
+03PU40ARAkEA+C6cCM6E4hRwuR+QyIqpNC4CzgPaKlF+VONZLYYvHEwFvx2/EPtX
+zOZdE4HdJwnXBYx7+AGFeq8uHhrN2Tq62QJBAMory2JAinejqKsGF6R2SPMlm1ug
+0vqziRksShBqkuSqmUjHASczYnoR7S+usMb9S8PblhgrA++FHWjrnf2lwIECQQCj
++/AfpY2J8GWW/HNm/q/UiX5S75qskZI+tsXK3bmtIdI+OIJxzxFxktj3NbyRud+4
+i92xvhebO7rmK2HOYg7pAkEA2wrwY1E237twoYXuUInv9F9kShKLQs19nup/dfmF
+xfoVqYjJwidzPfgngowJZij7SoTaIBKv/fKp5Tq6xW3AEg==
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIICZDCCAc2gAwIBAgIJAKoxR9yFGsk8MA0GCSqGSIb3DQEBBQUAMCsxKTAnBgNV
+BAMTIEJybyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTExMDYxNTIx
+MjgxNVoYDzIxMTEwNTIyMjEyODE1WjArMSkwJwYDVQQDEyBCcm8gUm9vdCBDZXJ0
+aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+9exRPFFWjttuGPFC9mx9aJAmMa+XVcrU0Pd7hOSfXGhgA8z2XqmD7r7T7fYr4QbX
+9i/aHSu7p0FOtL+kbDt22/W0JLUGxHYdBRI57KNlB3v5y63mJ1ciwhKfUodThUJz
+ISTWLszcFc1jqh/02Dctzg7nmU0uGAbEchJKRH4HqGkCAwEAAaOBjTCBijAdBgNV
+HQ4EFgQU2vIsKYuGhHP8c7GeJLfWAjbKCFgwWwYDVR0jBFQwUoAU2vIsKYuGhHP8
+c7GeJLfWAjbKCFihL6QtMCsxKTAnBgNVBAMTIEJybyBSb290IENlcnRpZmljYXRp
+b24gQXV0aG9yaXR5ggkAqjFH3IUayTwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
+AQUFAAOBgQAF2oceL61dA7WxA9lxcxsA/Fccr7+J6sO+pLXoZtx5tpknEuIUebkm
+UfMGAiyYIenHi8u0Sia8KrIfuCDc2dG3DYmfX7/faCEbtSx8KtNQFIs3aXr1zhsw
+3sX9fLS0gp/qHoPMuhbhlvTlMFSE/Mih3KDsZEGcifzI6ooLF0YP5A==
+-----END CERTIFICATE-----
+@TEST-END-FILE
+
+@TEST-START-FILE ca_cert.pem
+-----BEGIN CERTIFICATE-----
+MIICZDCCAc2gAwIBAgIJAKoxR9yFGsk8MA0GCSqGSIb3DQEBBQUAMCsxKTAnBgNV
+BAMTIEJybyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTExMDYxNTIx
+MjgxNVoYDzIxMTEwNTIyMjEyODE1WjArMSkwJwYDVQQDEyBCcm8gUm9vdCBDZXJ0
+aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+9exRPFFWjttuGPFC9mx9aJAmMa+XVcrU0Pd7hOSfXGhgA8z2XqmD7r7T7fYr4QbX
+9i/aHSu7p0FOtL+kbDt22/W0JLUGxHYdBRI57KNlB3v5y63mJ1ciwhKfUodThUJz
+ISTWLszcFc1jqh/02Dctzg7nmU0uGAbEchJKRH4HqGkCAwEAAaOBjTCBijAdBgNV
+HQ4EFgQU2vIsKYuGhHP8c7GeJLfWAjbKCFgwWwYDVR0jBFQwUoAU2vIsKYuGhHP8
+c7GeJLfWAjbKCFihL6QtMCsxKTAnBgNVBAMTIEJybyBSb290IENlcnRpZmljYXRp
+b24gQXV0aG9yaXR5ggkAqjFH3IUayTwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
+AQUFAAOBgQAF2oceL61dA7WxA9lxcxsA/Fccr7+J6sO+pLXoZtx5tpknEuIUebkm
+UfMGAiyYIenHi8u0Sia8KrIfuCDc2dG3DYmfX7/faCEbtSx8KtNQFIs3aXr1zhsw
+3sX9fLS0gp/qHoPMuhbhlvTlMFSE/Mih3KDsZEGcifzI6ooLF0YP5A==
+-----END CERTIFICATE-----
+@TEST-END-FILE

From 74f3a32321010928cf380abec3df30640382b289 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@ncsa.illinois.edu>
Date: Thu, 17 May 2012 12:59:20 -0500
Subject: [PATCH 5/5] Enable Bro to communicate with peers over non-global IPv6
 addresses.

This usually requires specifying an additional zone identifier
(see RFC 4007).  The connect() and listen() BIFs have been
changed to accept this zone identifier as an argument.
---
 scripts/base/frameworks/cluster/main.bro      |   3 +
 .../frameworks/cluster/setup-connections.bro  |  25 ++-
 .../base/frameworks/communication/main.bro    |  16 +-
 scripts/base/frameworks/control/main.bro      |   4 +
 .../frameworks/communication/listen.bro       |   2 +-
 .../policy/frameworks/control/controller.bro  |   4 +-
 src/RemoteSerializer.cc                       | 197 +++++++++++++-----
 src/RemoteSerializer.h                        |  18 +-
 src/bro.bif                                   |  19 +-
 src/util.cc                                   |   2 +
 10 files changed, 215 insertions(+), 75 deletions(-)

diff --git a/scripts/base/frameworks/cluster/main.bro b/scripts/base/frameworks/cluster/main.bro
index 1e89e9b2a7..766dea912f 100644
--- a/scripts/base/frameworks/cluster/main.bro
+++ b/scripts/base/frameworks/cluster/main.bro
@@ -77,6 +77,9 @@ export {
 		node_type:    NodeType;
 		## The IP address of the cluster node.
 		ip:           addr;
+		## If the *ip* field is a non-global IPv6 address, this field
+		## can specify a particular :rfc:`4007` ``zone_id``.
+		zone_id:      string      &default="";
 		## The port to which the this local node can connect when
 		## establishing communication.
 		p:            port;
diff --git a/scripts/base/frameworks/cluster/setup-connections.bro b/scripts/base/frameworks/cluster/setup-connections.bro
index b5a0d25e1f..3d89e39f30 100644
--- a/scripts/base/frameworks/cluster/setup-connections.bro
+++ b/scripts/base/frameworks/cluster/setup-connections.bro
@@ -19,23 +19,26 @@ event bro_init() &priority=9
 		# Connections from the control node for runtime control and update events.
 		# Every node in a cluster is eligible for control from this host.
 		if ( n$node_type == CONTROL )
-			Communication::nodes["control"] = [$host=n$ip, $connect=F,
-			                                   $class="control", $events=control_events];
+			Communication::nodes["control"] = [$host=n$ip, $zone_id=n$zone_id,
+			                                   $connect=F, $class="control",
+			                                   $events=control_events];
 		
 		if ( me$node_type == MANAGER )
 			{
 			if ( n$node_type == WORKER && n$manager == node )
 				Communication::nodes[i] =
-				    [$host=n$ip, $connect=F,
+				    [$host=n$ip, $zone_id=n$zone_id, $connect=F,
 				     $class=i, $events=worker2manager_events, $request_logs=T];
 			
 			if ( n$node_type == PROXY && n$manager == node )
 				Communication::nodes[i] =
-				    [$host=n$ip, $connect=F,
+				    [$host=n$ip, $zone_id=n$zone_id, $connect=F,
 				     $class=i, $events=proxy2manager_events, $request_logs=T];
 				
 			if ( n$node_type == TIME_MACHINE && me?$time_machine && me$time_machine == i )
-				Communication::nodes["time-machine"] = [$host=nodes[i]$ip, $p=nodes[i]$p,
+				Communication::nodes["time-machine"] = [$host=nodes[i]$ip,
+				                                        $zone_id=nodes[i]$zone_id,
+				                                        $p=nodes[i]$p,
 				                                        $connect=T, $retry=1min,
 				                                        $events=tm2manager_events];
 			}
@@ -44,7 +47,8 @@ event bro_init() &priority=9
 			{
 			if ( n$node_type == WORKER && n$proxy == node )
 				Communication::nodes[i] =
-					[$host=n$ip, $connect=F, $class=i, $sync=T, $auth=T, $events=worker2proxy_events];
+					[$host=n$ip, $zone_id=n$zone_id, $connect=F, $class=i,
+				     $sync=T, $auth=T, $events=worker2proxy_events];
 			
 			# accepts connections from the previous one. 
 			# (This is not ideal for setups with many proxies)
@@ -53,16 +57,18 @@ event bro_init() &priority=9
 				{
 				if ( n?$proxy )
 					Communication::nodes[i]
-					     = [$host=n$ip, $p=n$p,
+					     = [$host=n$ip, $zone_id=n$zone_id, $p=n$p,
 					        $connect=T, $auth=F, $sync=T, $retry=1mins];
 				else if ( me?$proxy && me$proxy == i )
 					Communication::nodes[me$proxy]
-					     = [$host=nodes[i]$ip, $connect=F, $auth=T, $sync=T];
+					     = [$host=nodes[i]$ip, $zone_id=nodes[i]$zone_id,
+					        $connect=F, $auth=T, $sync=T];
 				}
 			
 			# Finally the manager, to send it status updates.
 			if ( n$node_type == MANAGER && me$manager == i )
 				Communication::nodes["manager"] = [$host=nodes[i]$ip, 
+				                                   $zone_id=nodes[i]$zone_id, 
 				                                   $p=nodes[i]$p, 
 				                                   $connect=T, $retry=1mins, 
 				                                   $class=node,
@@ -72,6 +78,7 @@ event bro_init() &priority=9
 			{
 			if ( n$node_type == MANAGER && me$manager == i )
 				Communication::nodes["manager"] = [$host=nodes[i]$ip, 
+				                                   $zone_id=nodes[i]$zone_id,
 				                                   $p=nodes[i]$p,
 				                                   $connect=T, $retry=1mins, 
 				                                   $class=node, 
@@ -79,6 +86,7 @@ event bro_init() &priority=9
 			
 			if ( n$node_type == PROXY && me$proxy == i )
 				Communication::nodes["proxy"] = [$host=nodes[i]$ip, 
+				                                 $zone_id=nodes[i]$zone_id,
 				                                 $p=nodes[i]$p,
 				                                 $connect=T, $retry=1mins, 
 				                                 $sync=T, $class=node, 
@@ -87,6 +95,7 @@ event bro_init() &priority=9
 			if ( n$node_type == TIME_MACHINE && 
 			     me?$time_machine && me$time_machine == i )
 				Communication::nodes["time-machine"] = [$host=nodes[i]$ip, 
+				                                        $zone_id=nodes[i]$zone_id,
 				                                        $p=nodes[i]$p,
 				                                        $connect=T, 
 				                                        $retry=1min,
diff --git a/scripts/base/frameworks/communication/main.bro b/scripts/base/frameworks/communication/main.bro
index 26ec9f41b8..b9b15bfd22 100644
--- a/scripts/base/frameworks/communication/main.bro
+++ b/scripts/base/frameworks/communication/main.bro
@@ -23,9 +23,14 @@ export {
 	## Defines if a listening socket can bind to IPv6 addresses.
 	const listen_ipv6 = F &redef;
 
+	## If :bro:id:`Communication::listen_interface` is a non-global
+	## IPv6 address and requires a specific :rfc:`4007` ``zone_id``,
+	## it can be specified here.
+	const listen_ipv6_zone_id = "" &redef;
+
 	## Defines the interval at which to retry binding to
-	## :bro:id:`listen_interface` on :bro:id:`listen_port` if it's already in
-	## use.
+	## :bro:id:`Communication::listen_interface` on
+	## :bro:id:`Communication::listen_port` if it's already in use.
 	const listen_retry = 30 secs &redef;
 
 	## Default compression level.  Compression level is 0-9, with 0 = no 
@@ -60,6 +65,10 @@ export {
 	type Node: record {
 		## Remote address.
 		host: addr;
+
+		## If the *host* field is a non-global IPv6 address, this field
+		## can specify a particular :rfc:`4007` ``zone_id``.
+		zone_id: string &optional;
 		
 		## Port of the remote Bro communication endpoint if we are initiating
 		## the connection based on the :bro:id:`connect` field.
@@ -187,7 +196,8 @@ function connect_peer(peer: string)
 		p = node$p;
 
 	local class = node?$class ? node$class : "";
-	local id = connect(node$host, p, class, node$retry, node$ssl);
+	local zone_id = node?$zone_id ? node$zone_id : "";
+	local id = connect(node$host, zone_id, p, class, node$retry, node$ssl);
     
 	if ( id == PEER_ID_NONE )
 		Log::write(Communication::LOG, [$ts = network_time(), 
diff --git a/scripts/base/frameworks/control/main.bro b/scripts/base/frameworks/control/main.bro
index 4fe8872801..63e5f639a0 100644
--- a/scripts/base/frameworks/control/main.bro
+++ b/scripts/base/frameworks/control/main.bro
@@ -11,6 +11,10 @@ export {
 	## The port of the host that will be controlled.
 	const host_port = 0/tcp &redef;
 
+	## If :bro:id:`Control::host` is a non-global IPv6 address and
+	## requires a specific :rfc:`4007` ``zone_id``, it can be set here.
+	const zone_id = "" &redef;
+
 	## The command that is being done.  It's typically set on the
 	## command line.
 	const cmd = "" &redef;
diff --git a/scripts/policy/frameworks/communication/listen.bro b/scripts/policy/frameworks/communication/listen.bro
index 609e8c91d6..111bc64a23 100644
--- a/scripts/policy/frameworks/communication/listen.bro
+++ b/scripts/policy/frameworks/communication/listen.bro
@@ -9,5 +9,5 @@ event bro_init() &priority=-10
 	{
 	enable_communication();
 	listen(listen_interface, listen_port, listen_ssl, listen_ipv6,
-	       listen_retry);
+	       listen_ipv6_zone_id, listen_retry);
 	}
diff --git a/scripts/policy/frameworks/control/controller.bro b/scripts/policy/frameworks/control/controller.bro
index 39647095db..22b19bf973 100644
--- a/scripts/policy/frameworks/control/controller.bro
+++ b/scripts/policy/frameworks/control/controller.bro
@@ -25,8 +25,8 @@ event bro_init() &priority=5
 	
 	# Establish the communication configuration and only request response
 	# messages.
-	Communication::nodes["control"] = [$host=host, $p=host_port,
-	                                   $sync=F, $connect=T,
+	Communication::nodes["control"] = [$host=host, $zone_id=zone_id,
+	                                   $p=host_port, $sync=F, $connect=T,
 	                                   $class="control", $events=Control::controllee_events];
 	}
 
diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc
index 9123e99ef4..b73494204c 100644
--- a/src/RemoteSerializer.cc
+++ b/src/RemoteSerializer.cc
@@ -173,6 +173,9 @@
 #include <sys/resource.h>
 
 #include <algorithm>
+#include <string>
+#include <sstream>
+#include <vector>
 
 #include "RemoteSerializer.h"
 #include "Func.h"
@@ -323,6 +326,16 @@ static const char* msgToStr(int msg)
 	}
 	}
 
+static vector<string> tokenize(const string& s, char delim)
+	{
+	vector<string> tokens;
+	stringstream ss(s);
+	string token;
+	while ( std::getline(ss, token, delim) )
+		tokens.push_back(token);
+	return tokens;
+	}
+
 // Start of every message between two processes. We do the low-level work
 // ourselves to make this 64-bit safe. (The actual layout is an artifact of
 // an earlier design that depended on how a 32-bit GCC lays out its structs ...)
@@ -665,7 +678,8 @@ void RemoteSerializer::Fork()
 	}
 
 RemoteSerializer::PeerID RemoteSerializer::Connect(const IPAddr& ip,
-			uint16 port, const char* our_class, double retry, bool use_ssl)
+		const string& zone_id, uint16 port, const char* our_class, double retry,
+		bool use_ssl)
 	{
 	if ( ! using_communication )
 		return true;
@@ -682,11 +696,13 @@ RemoteSerializer::PeerID RemoteSerializer::Connect(const IPAddr& ip,
 	if ( our_class )
 		p->our_class = our_class;
 
-	uint32 bytes[4];
-	ip.CopyIPv6(bytes, IPAddr::Host);
+	const size_t BUFSIZE = 1024;
+	char* data = new char[BUFSIZE];
+	snprintf(data, BUFSIZE, "%"PRIu64",%s,%s,%"PRIu16",%"PRIu32",%d", p->id,
+	         ip.AsString().c_str(), zone_id.c_str(), port, uint32(retry),
+	         use_ssl);
 
-	if ( ! SendToChild(MSG_CONNECT_TO, p, 8, p->id, bytes[0], bytes[1],
-	                   bytes[2], bytes[3], port, uint32(retry), use_ssl) )
+	if ( ! SendToChild(MSG_CONNECT_TO, p, data) )
 		{
 		RemovePeer(p);
 		return false;
@@ -1219,7 +1235,7 @@ bool RemoteSerializer::SendCapabilities(Peer* peer)
 	}
 
 bool RemoteSerializer::Listen(const IPAddr& ip, uint16 port, bool expect_ssl,
-                              bool ipv6, double retry)
+                              bool ipv6, const string& zone_id, double retry)
 	{
 	if ( ! using_communication )
 		return true;
@@ -1229,13 +1245,16 @@ bool RemoteSerializer::Listen(const IPAddr& ip, uint16 port, bool expect_ssl,
 
 	if ( ! ipv6 && ip.GetFamily() == IPv6 &&
 	     ip != IPAddr("0.0.0.0") && ip != IPAddr("::") )
-		reporter->FatalError("Attempt to listen on address %s, but IPv6 communication disabled", ip.AsString().c_str());
+		reporter->FatalError("Attempt to listen on address %s, but IPv6 "
+		                     "communication disabled", ip.AsString().c_str());
 
-	uint32 bytes[4];
-	ip.CopyIPv6(bytes, IPAddr::Host);
+	const size_t BUFSIZE = 1024;
+	char* data = new char[BUFSIZE];
+	snprintf(data, BUFSIZE, "%s,%"PRIu16",%d,%d,%s,%"PRIu32,
+	         ip.AsString().c_str(), port, expect_ssl, ipv6, zone_id.c_str(),
+	         (uint32) retry);
 
-	if ( ! SendToChild(MSG_LISTEN, 0, 8, bytes[0], bytes[1], bytes[2], bytes[3],
-	                   port, expect_ssl, ipv6, (uint32) retry) )
+	if ( ! SendToChild(MSG_LISTEN, 0, data) )
 		return false;
 
 	listening = true;
@@ -1947,9 +1966,22 @@ bool RemoteSerializer::EnterPhaseRunning(Peer* peer)
 bool RemoteSerializer::ProcessConnected()
 	{
 	// IP and port follow.
-	uint32* args = (uint32*) current_args->data;
-	IPAddr host = IPAddr(IPv6, args, IPAddr::Network);
-	uint16 port = (uint16) ntohl(args[4]);
+	vector<string> args = tokenize(current_args->data, ',');
+
+	if ( args.size() != 2 )
+		{
+		InternalCommError("ProcessConnected() bad number of arguments");
+		return false;
+		}
+
+	IPAddr host = IPAddr(args[0]);
+	uint16 port;
+
+	if ( ! atoi_n(args[1].size(), args[1].c_str(), 0, 10, port) )
+		{
+		InternalCommError("ProcessConnected() bad peer port string");
+		return false;
+		}
 
 	if ( ! current_peer )
 		{
@@ -3692,14 +3724,43 @@ bool SocketComm::ForwardChunkToPeer()
 bool SocketComm::ProcessConnectTo()
 	{
 	assert(parent_args);
-	uint32* args = (uint32*) parent_args->data;
+	vector<string> args = tokenize(parent_args->data, ',');
+
+	if ( args.size() != 6 )
+		{
+		Error(fmt("ProcessConnectTo() bad number of arguments"));
+		return false;
+		}
 
 	Peer* peer = new Peer;
-	peer->id = ntohl(args[0]);
-	peer->ip = IPAddr(IPv6, &args[1], IPAddr::Network);
-	peer->port = ntohl(args[5]);
-	peer->retry = ntohl(args[6]);
-	peer->ssl = ntohl(args[7]);
+
+	if ( ! atoi_n(args[0].size(), args[0].c_str(), 0, 10, peer->id) )
+		{
+		Error(fmt("ProccessConnectTo() bad peer id string"));
+		delete peer;
+		return false;
+		}
+
+	peer->ip = IPAddr(args[1]);
+	peer->zone_id = args[2];
+
+	if ( ! atoi_n(args[3].size(), args[3].c_str(), 0, 10, peer->port) )
+		{
+		Error(fmt("ProcessConnectTo() bad peer port string"));
+		delete peer;
+		return false;
+		}
+
+	if ( ! atoi_n(args[4].size(), args[4].c_str(), 0, 10, peer->retry) )
+		{
+		Error(fmt("ProcessConnectTo() bad peer retry string"));
+		delete peer;
+		return false;
+		}
+
+	peer->ssl = false;
+	if ( args[5] != "0" )
+		peer->ssl = true;
 
 	return Connect(peer);
 	}
@@ -3707,13 +3768,37 @@ bool SocketComm::ProcessConnectTo()
 bool SocketComm::ProcessListen()
 	{
 	assert(parent_args);
-	uint32* args = (uint32*) parent_args->data;
+	vector<string> args = tokenize(parent_args->data, ',');
 
-	listen_if = IPAddr(IPv6, args, IPAddr::Network);
-	listen_port = uint16(ntohl(args[4]));
-	listen_ssl = ntohl(args[5]) != 0;
-	enable_ipv6 = ntohl(args[6]) != 0;
-	bind_retry_interval = ntohl(args[7]);
+	if ( args.size() != 6 )
+		{
+		Error(fmt("ProcessListen() bad number of arguments"));
+		return false;
+		}
+
+	listen_if = args[0];
+
+	if ( ! atoi_n(args[1].size(), args[1].c_str(), 0, 10, listen_port) )
+		{
+		Error(fmt("ProcessListen() bad peer port string"));
+		return false;
+		}
+
+	listen_ssl = false;
+	if ( args[2] != "0" )
+		listen_ssl = true;
+
+	enable_ipv6 = false;
+	if ( args[3] != "0" )
+		enable_ipv6 = true;
+
+	listen_zone_id = args[4];
+
+	if ( ! atoi_n(args[5].size(), args[5].c_str(), 0, 10, bind_retry_interval) )
+		{
+		Error(fmt("ProcessListen() bad peer port string"));
+		return false;
+		}
 
 	return Listen();
 	}
@@ -3889,10 +3974,11 @@ bool SocketComm::Connect(Peer* peer)
 	char port_str[16];
 	modp_uitoa10(peer->port, port_str);
 
-	// TODO: better to accept string arguments from the user to pass into
-	// getaddrinfo? This might make it easier to explicitly connect to
-	// non-global IPv6 addresses with a scope zone identifier (RFC 4007).
-	status = getaddrinfo(peer->ip.AsString().c_str(), port_str, &hints, &res0);
+	string gaihostname(peer->ip.AsString());
+	if ( peer->zone_id != "" )
+		gaihostname.append("%").append(peer->zone_id);
+
+	status = getaddrinfo(gaihostname.c_str(), port_str, &hints, &res0);
 	if ( status != 0 )
 		{
 		Error(fmt("getaddrinfo error: %s", gai_strerror(status)));
@@ -3964,11 +4050,12 @@ bool SocketComm::Connect(Peer* peer)
 		{
 		Log("connected", peer);
 
-		uint32 bytes[4];
-		peer->ip.CopyIPv6(bytes, IPAddr::Host);
+		const size_t BUFSIZE = 1024;
+		char* data = new char[BUFSIZE];
+		snprintf(data, BUFSIZE, "%s,%"PRIu32, peer->ip.AsString().c_str(),
+		         peer->port);
 
-		if ( ! SendToParent(MSG_CONNECTED, peer, 5, bytes[0], bytes[1],
-		                    bytes[2], bytes[3], peer->port) )
+		if ( ! SendToParent(MSG_CONNECTED, peer, data) )
 			return false;
 		}
 
@@ -4011,12 +4098,14 @@ bool SocketComm::Listen()
 	addrinfo hints, *res, *res0;
 	bzero(&hints, sizeof(hints));
 
+	IPAddr listen_ip(listen_if);
+
 	if ( enable_ipv6 )
 		{
-		if ( listen_if == IPAddr("0.0.0.0") || listen_if == IPAddr("::") )
+		if ( listen_ip == IPAddr("0.0.0.0") || listen_ip == IPAddr("::") )
 			hints.ai_family = PF_UNSPEC;
 		else
-			hints.ai_family = listen_if.GetFamily() == IPv4 ? PF_INET : PF_INET6;
+			hints.ai_family = listen_ip.GetFamily() == IPv4 ? PF_INET : PF_INET6;
 		}
 	else
 		hints.ai_family = PF_INET;
@@ -4028,15 +4117,15 @@ bool SocketComm::Listen()
 	char port_str[16];
 	modp_uitoa10(listen_port, port_str);
 
+	string scoped_addr(listen_if);
+	if ( listen_zone_id != "" )
+		scoped_addr.append("%").append(listen_zone_id);
 	const char* addr_str = 0;
-	if ( listen_if != IPAddr("0.0.0.0") && listen_if != IPAddr("::") )
-		addr_str = listen_if.AsString().c_str();
+	if ( listen_ip != IPAddr("0.0.0.0") && listen_ip != IPAddr("::") )
+		addr_str = scoped_addr.c_str();
 
 	CloseListenFDs();
 
-	// TODO: better to accept string arguments from the user to pass into
-	// getaddrinfo?  This might make it easier to explicitly bind to a
-	// non-global IPv6 address with a scope zone identifier (RFC 4007).
 	if ( (status = getaddrinfo(addr_str, port_str, &hints, &res0)) != 0 )
 		{
 		Error(fmt("getaddrinfo error: %s", gai_strerror(status)));
@@ -4056,6 +4145,10 @@ bool SocketComm::Listen()
 				IPAddr(((sockaddr_in*)res->ai_addr)->sin_addr) :
 				IPAddr(((sockaddr_in6*)res->ai_addr)->sin6_addr);
 
+		string l_addr_str(a.AsURIString());
+		if ( listen_zone_id != "")
+			l_addr_str.append("%").append(listen_zone_id);
+
 		int fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
 		if ( fd < 0 )
 			{
@@ -4075,7 +4168,7 @@ bool SocketComm::Listen()
 
 		if ( bind(fd, res->ai_addr, res->ai_addrlen) < 0 )
 			{
-			Error(fmt("can't bind to %s:%s, %s", a.AsURIString().c_str(),
+			Error(fmt("can't bind to %s:%s, %s", l_addr_str.c_str(),
 			          port_str, strerror(errno)));
 			close(fd);
 
@@ -4092,14 +4185,14 @@ bool SocketComm::Listen()
 
 		if ( listen(fd, 50) < 0 )
 			{
-			Error(fmt("can't listen on %s:%s, %s", a.AsURIString().c_str(),
+			Error(fmt("can't listen on %s:%s, %s", l_addr_str.c_str(),
 			          port_str, strerror(errno)));
 			close(fd);
 			continue;
 			}
 
 		listen_fds.push_back(fd);
-		Log(fmt("listening on %s:%s (%s)", a.AsURIString().c_str(), port_str,
+		Log(fmt("listening on %s:%s (%s)", l_addr_str.c_str(), port_str,
 		        listen_ssl ? "ssl" : "clear"));
 		}
 
@@ -4155,11 +4248,12 @@ bool SocketComm::AcceptConnection(int fd)
 
 	Log(fmt("accepted %s connection", peer->ssl ? "SSL" : "clear"), peer);
 
-	uint32 bytes[4];
-	peer->ip.CopyIPv6(bytes, IPAddr::Host);
+	const size_t BUFSIZE = 1024;
+	char* data = new char[BUFSIZE];
+	snprintf(data, BUFSIZE, "%s,%"PRIu32, peer->ip.AsString().c_str(),
+	         peer->port);
 
-	if ( ! SendToParent(MSG_CONNECTED, peer, 5, bytes[0], bytes[1], bytes[2],
-	                    bytes[3], peer->port) )
+	if ( ! SendToParent(MSG_CONNECTED, peer, data) )
 		return false;
 
 	return true;
@@ -4176,8 +4270,13 @@ const char* SocketComm::MakeLogString(const char* msg, Peer* peer)
 	int len = 0;
 
 	if ( peer )
+		{
+		string scoped_addr(peer->ip.AsURIString());
+		if ( peer->zone_id != "" )
+			scoped_addr.append("%").append(peer->zone_id);
 		len = snprintf(buffer, BUFSIZE, "[#%d/%s:%d] ", int(peer->id),
-		               peer->ip.AsURIString().c_str(), peer->port);
+		               scoped_addr.c_str(), peer->port);
+		}
 
 	len += safe_snprintf(buffer + len, BUFSIZE - len, "%s", msg);
 	return buffer;
diff --git a/src/RemoteSerializer.h b/src/RemoteSerializer.h
index f6f94f53d3..4ebf15e68d 100644
--- a/src/RemoteSerializer.h
+++ b/src/RemoteSerializer.h
@@ -11,6 +11,7 @@
 #include "File.h"
 
 #include <vector>
+#include <string>
 
 class IncrementalSendTimer;
 
@@ -34,7 +35,8 @@ public:
 	static const PeerID PEER_NONE = SOURCE_LOCAL;
 
 	// Connect to host (returns PEER_NONE on error).
-	PeerID Connect(const IPAddr& ip, uint16 port, const char* our_class, double retry, bool use_ssl);
+	PeerID Connect(const IPAddr& ip, const string& zone_id, uint16 port,
+	               const char* our_class, double retry, bool use_ssl);
 
 	// Close connection to host.
 	bool CloseConnection(PeerID peer);
@@ -63,7 +65,7 @@ public:
 
 	// Start to listen.
 	bool Listen(const IPAddr& ip, uint16 port, bool expect_ssl, bool ipv6,
-	            double retry);
+	            const string& zone_id, double retry);
 
 	// Stop it.
 	bool StopListening();
@@ -422,6 +424,7 @@ protected:
 		RemoteSerializer::PeerID id;
 		ChunkedIO* io;
 		IPAddr ip;
+		string zone_id;
 		uint16 port;
 		char state;
 		bool connected;
@@ -502,12 +505,13 @@ protected:
 
 	// If the port we're trying to bind to is already in use, we will retry
 	// it regularly.
-	IPAddr listen_if;
+	string listen_if;
+	string listen_zone_id;		// RFC 4007 IPv6 zone_id
 	uint16 listen_port;
-	bool listen_ssl;
-	bool enable_ipv6; // allow IPv6 listen sockets
-	uint32 bind_retry_interval;
-	time_t listen_next_try;
+	bool listen_ssl;            // use SSL for IO
+	bool enable_ipv6;           // allow IPv6 listen sockets
+	uint32 bind_retry_interval; // retry interval for already-in-use sockets
+	time_t listen_next_try;     // time at which to try another bind
 	bool shutting_conns_down;
 	bool terminating;
 	bool killing;
diff --git a/src/bro.bif b/src/bro.bif
index 3f4215dc13..f1e451bb03 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -5267,6 +5267,10 @@ function capture_state_updates%(filename: string%) : bool
 ##
 ## ip: The IP address of the remote peer.
 ##
+## zone_id: If *ip* is a non-global IPv6 address, a particular :rfc:`4007`
+##          ``zone_id`` can given here.  An empty string, ``""``, means
+##          not to add any ``zone_id``.
+##
 ## port: The port of the remote peer.
 ##
 ## our_class: If an non-empty string, the remote (listening) peer checks it
@@ -5290,10 +5294,11 @@ function capture_state_updates%(filename: string%) : bool
 ##              set_compression_level
 ##              send_state
 ##              send_id
-function connect%(ip: addr, p: port, our_class: string, retry: interval, ssl: bool%) : count
+function connect%(ip: addr, zone_id: string, p: port, our_class: string, retry: interval, ssl: bool%) : count
 	%{
-	return new Val(uint32(remote_serializer->Connect(ip->AsAddr(), p->Port(),
-				our_class->CheckString(), retry, ssl)),
+	return new Val(uint32(remote_serializer->Connect(ip->AsAddr(),
+	               zone_id->CheckString(), p->Port(), our_class->CheckString(),
+	               retry, ssl)),
 			TYPE_COUNT);
 	%}
 
@@ -5404,15 +5409,19 @@ function set_compression_level%(p: event_peer, level: count%) : bool
 ##
 ## ipv6: If true, enable listening on IPv6 addresses.
 ##
+## zone_id: If *ip* is a non-global IPv6 address, a particular :rfc:`4007`
+##          ``zone_id`` can given here.  An empty string, ``""``, means
+##          not to add any ``zone_id``.
+##
 ## retry_interval: If address *ip* is found to be already in use, this is
 ##                 the interval at which to automatically retry binding.
 ##
 ## Returns: True on success.
 ##
 ## .. bro:see:: connect disconnect
-function listen%(ip: addr, p: port, ssl: bool, ipv6: bool, retry_interval: interval%) : bool
+function listen%(ip: addr, p: port, ssl: bool, ipv6: bool, zone_id: string, retry_interval: interval%) : bool
 	%{
-	return new Val(remote_serializer->Listen(ip->AsAddr(), p->Port(), ssl, ipv6, retry_interval), TYPE_BOOL);
+	return new Val(remote_serializer->Listen(ip->AsAddr(), p->Port(), ssl, ipv6, zone_id->CheckString(), retry_interval), TYPE_BOOL);
 	%}
 
 ## Checks whether the last raised event came from a remote peer.
diff --git a/src/util.cc b/src/util.cc
index 90143923f1..798be400d1 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -376,6 +376,8 @@ template<class T> int atoi_n(int len, const char* s, const char** end, int base,
 
 // Instantiate the ones we need.
 template int atoi_n<int>(int len, const char* s, const char** end, int base, int& result);
+template int atoi_n<uint16_t>(int len, const char* s, const char** end, int base, uint16_t& result);
+template int atoi_n<uint32_t>(int len, const char* s, const char** end, int base, uint32_t& result);
 template int atoi_n<int64_t>(int len, const char* s, const char** end, int base, int64_t& result);
 template int atoi_n<uint64_t>(int len, const char* s, const char** end, int base, uint64_t& result);