Fix type clash fatal error with log filters that use $ext_func and $include/$exclude

The logging manager's Manager::TraverseRecord(), called when adding a log filter to a stream, skipped any fields intoduced by a filter's $ext_func when such fields weren't mentioned in a $include restriction or mentioned in an $exclude restriction. This was inconsistent with Manager::RecordToFilterVals, used when actually writing log entries, which does include those values. The result was that the record indices descent in Manager::RecordToFilterVals expects to find only record values, when in fact only the record provided by ext_func is present. This leads to type mismatches and hard Zeek exits like this one: 1300475173.475401 fatal error in zeek/share/zeek//base/init-bare.zeek, line 4810: Val::CONVERTER (string/record) (zeek) The fix makes ext_func's field additions decisive, meaning the filter's include/exclude lists don't apply to it. If a user really wants to override this, they can reset the filter's ext_func back to our no-op default. The included btest produces the above error when the fix is not present.
2025-10-02 06:38:20 +00:00 · 2020-11-10 16:34:04 -08:00 · 2020-11-10 16:34:04 -08:00 · f97a33e14d
commit f97a33e14d
parent ee31673154
4 changed files with 123 additions and 2 deletions
--- a/testing/btest/scripts/base/frameworks/logging/field-extension-include-exclude.zeek
+++ b/testing/btest/scripts/base/frameworks/logging/field-extension-include-exclude.zeek
@ -0,0 +1,31 @@
+# This tests the intersection of log filters with a custom extension
+# function that also use $include/$exclude: the extension function
+# overrides those restrictions.
+#
+# @TEST-EXEC: zeek -b -r $TRACES/wikipedia.trace %INPUT
+# @TEST-EXEC: btest-diff conn-inc.log
+# @TEST-EXEC: btest-diff conn-exc.log
+
+@load base/protocols/conn
+
+type Extension: record {
+	write_ts: time &log;
+	stream: string &log;
+	system_name: string &log;
+};
+
+function add_extension(path: string): Extension
+	{
+	return Extension($write_ts    = network_time(),
+	                 $stream      = path,
+	                 $system_name = peer_description);
+	}
+
+redef Log::default_ext_func = add_extension;
+
+event zeek_init()
+{
+        Log::remove_default_filter(Conn::LOG);
+        Log::add_filter(Conn::LOG, [$name="default-inc", $path="conn-inc", $include=set("ts", "uid", "id.orig_h", "id.resp_h")]);
+        Log::add_filter(Conn::LOG, [$name="default-exc", $path="conn-exc", $exclude=set("_write_ts")]);
+}