diff --git a/scripts/base/protocols/conn/main.zeek b/scripts/base/protocols/conn/main.zeek
index f399d1efeb..81ce786b7d 100644
--- a/scripts/base/protocols/conn/main.zeek
+++ b/scripts/base/protocols/conn/main.zeek
@@ -160,7 +160,7 @@ export {
 tunnel_parents: set[string] &log &optional;
 ## For IP-based connections, this contains the protocol
 ## identifier passed in the IP header. This is different
- ## from the ``proto`` field in that this value comes
+ ## from the *proto* field in that this value comes
 ## directly from the header.
 ip_proto: count &log &optional;
 };
@@ -287,7 +287,8 @@ function set_conn(c: connection, eoc: bool)
 c$conn$history=c$history;
 }
- c$conn$ip_proto = c$id$proto;
+ if ( c$id$proto != 65535 )
+ c$conn$ip_proto = c$id$proto;
 }
 event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=5
diff --git a/scripts/policy/protocols/conn/disable-unknown-ip-proto-support.zeek b/scripts/policy/protocols/conn/disable-unknown-ip-proto-support.zeek
index 9e5ed58518..a6394b5f48 100644
--- a/scripts/policy/protocols/conn/disable-unknown-ip-proto-support.zeek
+++ b/scripts/policy/protocols/conn/disable-unknown-ip-proto-support.zeek
@@ -8,4 +8,4 @@ redef record Conn::Info$ip_proto -= { &log };
 event zeek_init() {
 Analyzer::disable_analyzer(PacketAnalyzer::ANALYZER_UNKNOWN_IP_TRANSPORT);
-}
\ No newline at end of file
+}
diff --git a/scripts/policy/protocols/conn/ip-proto-name-logging.zeek b/scripts/policy/protocols/conn/ip-proto-name-logging.zeek
index 1f8cb86771..63ac846914 100644
--- a/scripts/policy/protocols/conn/ip-proto-name-logging.zeek
+++ b/scripts/policy/protocols/conn/ip-proto-name-logging.zeek
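Review bot: The bare `65535` in the new guard in `set_conn` (scripts/base/protocols/conn/main.zeek, hunk at -287) is a magic number; nothing on the script side says it is the "no IP protocol known" sentinel. The C++ side of this same commit uses the name `UNKNOWN_IP_PROTO` for what is presumably the same value, so the two can drift apart unnoticed. I would add a comment above the check, e.g. `# 65535 is the core's unknown-IP-protocol sentinel (UNKNOWN_IP_PROTO); leave ip_proto unset instead of logging it.` It is also worth stating in the field's doc comment that `ip_proto` can now be absent from conn.log, so consumers do not mistake a missing value for a parsing error. The body of `set_conn` starts outside this hunk.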
@@ -157,15 +157,13 @@ global protocol_names: table[count] of string = {
 [142] = "rohc",
 [143] = "ethernet",
 [144] = "aggfrag",
- [145] = "nsh"
+ [145] = "nsh",
+ [146] = "homa"
 };
 event new_connection(c: connection) &priority=5 {
 # In case we're the first access
 Conn::set_conn(c, F);
- if ( c$conn?$ip_proto && c$conn$ip_proto in protocol_names ) {
+ if ( c$conn?$ip_proto && c$conn$ip_proto in protocol_names )
 c$conn$ip_proto_name = protocol_names[c$conn$ip_proto];
- } else {
- c$conn$ip_proto_name = "unknown";
- }
 }
diff --git a/src/IPAddr.cc b/src/IPAddr.cc
index 08dd4d400c..ea32a2f755 100644
--- a/src/IPAddr.cc
+++ b/src/IPAddr.cc
@@ -60,7 +60,7 @@ ConnKey::ConnKey(Val* v) {
 int orig_h, orig_p; // indices into record's value list
 int resp_h, resp_p;
- uint8_t proto;
+ int proto;
 if ( vr == id::conn_id ) {
 orig_h = 0;
@@ -77,7 +77,7 @@ ConnKey::ConnKey(Val* v) {
 resp_p = vr->FieldOffset("resp_p");
 proto = vr->FieldOffset("proto");
- if ( orig_h < 0 || resp_h < 0 || orig_p < 0 || resp_p < 0 ) {
+ if ( orig_h < 0 || resp_h < 0 || orig_p < 0 || resp_p < 0 || proto < 0 ) {
 valid = false;
 return;
 }
diff --git a/src/TunnelEncapsulation.cc b/src/TunnelEncapsulation.cc
index 968db28b8f..ad041a790d 100644
--- a/src/TunnelEncapsulation.cc
+++ b/src/TunnelEncapsulation.cc
@@ -14,7 +14,7 @@ EncapsulatingConn::EncapsulatingConn(Connection* c, BifEnum::Tunnel::Type t)
 src_port(c->OrigPort()),
 dst_port(c->RespPort()),
 proto(c->ConnTransport()),
- proto_id(c->KeyProto()),
+ ip_proto(c->KeyProto()),
 type(t),
 uid(c->GetUID()) {
 if ( ! uid ) {
@@ -31,7 +31,7 @@ RecordValPtr EncapsulatingConn::ToVal() const {
 id_val->Assign(1, val_mgr->Port(ntohs(src_port), proto));
 id_val->Assign(2, make_intrusive(dst_addr));
 id_val->Assign(3, val_mgr->Port(ntohs(dst_port), proto));
- id_val->Assign(4, proto_id);
+ id_val->Assign(4, ip_proto);
 rv->Assign(0, std::move(id_val));
 rv->Assign(1, BifType::Enum::Tunnel::Type->GetEnumVal(type));
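Review bot: Dropping the `else` branch in `new_connection` (scripts/policy/protocols/conn/ip-proto-name-logging.zeek) changes what reaches the log without saying so: a protocol number missing from `protocol_names` used to be written as `"unknown"` and now leaves `ip_proto_name` unset. An unassigned or unexpected protocol number is exactly the case an analyst wants to notice, so the fallback should be documented next to the lookup, e.g. `# No table entry: ip_proto_name stays unset; pivot on the numeric ip_proto instead.` Any saved search or detection that filtered on the string `"unknown"` would stop matching after this change; whether such consumers exist cannot be seen from this diff.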
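Review bot: The type change of `proto` from `uint8_t` to `int` in `ConnKey::ConnKey` (src/IPAddr.cc, hunk at -60) carries no comment, and its reason only becomes visible in the next hunk. There `proto` holds a `FieldOffset()` result, and the `< 0` checks imply that result is negative for a missing field; an unsigned 8-bit variable would have made `proto < 0` always false. I would record that on the declaration so it is not narrowed again later, e.g. `int proto; // field index like the above; signed so a failed FieldOffset() lookup is detectable`. The constructor body starts and ends outside both hunks, so how callers react to `valid = false` cannot be judged from here.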
diff --git a/src/TunnelEncapsulation.h b/src/TunnelEncapsulation.h
index fb8687a891..dddca6ca90 100644
--- a/src/TunnelEncapsulation.h
+++ b/src/TunnelEncapsulation.h
@@ -46,7 +46,7 @@ public:
 src_port(0),
 dst_port(0),
 proto(TRANSPORT_UNKNOWN),
- proto_id(UNKNOWN_IP_PROTO),
+ ip_proto(UNKNOWN_IP_PROTO),
 type(t),
 uid(UID(detail::bits_per_uid)) {}
@@ -71,7 +71,7 @@ public:
 src_port(other.src_port),
 dst_port(other.dst_port),
 proto(other.proto),
- proto_id(other.proto_id),
+ ip_proto(other.ip_proto),
 type(other.type),
 uid(other.uid) {}
@@ -87,7 +87,7 @@ public:
 src_port = other.src_port;
 dst_port = other.dst_port;
 proto = other.proto;
- proto_id = other.proto_id;
+ ip_proto = other.ip_proto;
 type = other.type;
 uid = other.uid;
 ip_hdr = other.ip_hdr;
@@ -109,7 +109,7 @@ public:
 if ( ec1.type == BifEnum::Tunnel::IP || ec1.type == BifEnum::Tunnel::GRE )
 // Reversing endpoints is still same tunnel.
- return ec1.uid == ec2.uid && ec1.proto == ec2.proto && ec1.proto_id == ec2.proto_id &&
+ return ec1.uid == ec2.uid && ec1.proto == ec2.proto && ec1.ip_proto == ec2.ip_proto &&
 ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) ||
 (ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr));
@@ -117,13 +117,13 @@ public:
 // Reversing endpoints is still same tunnel, destination port is
 // always the same.
 return ec1.dst_port == ec2.dst_port && ec1.uid == ec2.uid && ec1.proto == ec2.proto &&
- ec1.proto_id == ec2.proto_id &&
+ ec1.ip_proto == ec2.ip_proto &&
 ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) ||
 (ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr));
 return ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr && ec1.src_port == ec2.src_port && ec1.dst_port == ec2.dst_port && ec1.uid == ec2.uid && ec1.proto == ec2.proto &&
- ec1.proto_id == ec2.proto_id;
+ ec1.ip_proto == ec2.ip_proto;
 }
 friend bool operator!=(const EncapsulatingConn& ec1, const EncapsulatingConn& ec2) { return ! (ec1 == ec2); }
@@ -137,7 +137,7 @@ protected:
 uint16_t src_port;
 uint16_t dst_port;
 TransportProto proto;
- uint16_t proto_id;
+ uint16_t ip_proto;
 BifEnum::Tunnel::Type type;
 UID uid;
 };
diff --git a/src/zeek.bif b/src/zeek.bif
index bfcdd9f007..b164395fa6 100644
--- a/src/zeek.bif
+++ b/src/zeek.bif
@@ -315,7 +315,6 @@ zeek::RecordValPtr zeek::detail::build_dummy_conn_record()
 id_val->Assign(1, zeek::val_mgr->Port(ntohs(0), TRANSPORT_UDP));
 id_val->Assign(2, zeek::make_intrusive((unsigned int) 0));
 id_val->Assign(3, zeek::val_mgr->Port(ntohs(0), TRANSPORT_UDP));
- id_val->Assign(4, 255);
 c->Assign(0, std::move(id_val));
 auto orig_endp = zeek::make_intrusive(zeek::id::endpoint);