Minor review nits

scripts/base/protocols/conn/main.zeek

@@ -160,7 +160,7 @@ export {
 		tunnel_parents: set[string] &log &optional;
 		## For IP-based connections, this contains the protocol
 		## identifier passed in the IP header. This is different
-		## from the ``proto`` field in that this value comes
+		## from the *proto* field in that this value comes
 		## directly from the header.
 		ip_proto:   count      &log &optional;
 	};
@@ -287,7 +287,8 @@ function set_conn(c: connection, eoc: bool)
 			c$conn$history=c$history;
 		}
 
-	c$conn$ip_proto = c$id$proto;
+	if ( c$id$proto != 65535 )
+		c$conn$ip_proto = c$id$proto;
 	}
 
 event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=5

scripts/policy/protocols/conn/disable-unknown-ip-proto-support.zeek

@@ -8,4 +8,4 @@ redef record Conn::Info$ip_proto -= { &log };
 
 event zeek_init() {
 	Analyzer::disable_analyzer(PacketAnalyzer::ANALYZER_UNKNOWN_IP_TRANSPORT);
-}
+}

scripts/policy/protocols/conn/ip-proto-name-logging.zeek

@@ -157,15 +157,13 @@ global protocol_names: table[count] of string = {
 	[142] = "rohc",
 	[143] = "ethernet",
 	[144] = "aggfrag",
-	[145] = "nsh"
+	[145] = "nsh",
+	[146] = "homa"
 };
 
 event new_connection(c: connection) &priority=5 {
 	# In case we're the first access
 	Conn::set_conn(c, F);
-	if ( c$conn?$ip_proto && c$conn$ip_proto in protocol_names ) {
+	if ( c$conn?$ip_proto && c$conn$ip_proto in protocol_names )
 		c$conn$ip_proto_name = protocol_names[c$conn$ip_proto];
-	} else {
-		c$conn$ip_proto_name = "unknown";
-	}
 }

src/IPAddr.cc

@@ -60,7 +60,7 @@ ConnKey::ConnKey(Val* v) {
 
     int orig_h, orig_p; // indices into record's value list
     int resp_h, resp_p;
-    uint8_t proto;
+    int proto;
 
     if ( vr == id::conn_id ) {
         orig_h = 0;
@@ -77,7 +77,7 @@ ConnKey::ConnKey(Val* v) {
         resp_p = vr->FieldOffset("resp_p");
         proto = vr->FieldOffset("proto");
 
-        if ( orig_h < 0 || resp_h < 0 || orig_p < 0 || resp_p < 0 ) {
+        if ( orig_h < 0 || resp_h < 0 || orig_p < 0 || resp_p < 0 || proto < 0 ) {
             valid = false;
             return;
         }

src/TunnelEncapsulation.cc

@@ -14,7 +14,7 @@ EncapsulatingConn::EncapsulatingConn(Connection* c, BifEnum::Tunnel::Type t)
       src_port(c->OrigPort()),
       dst_port(c->RespPort()),
       proto(c->ConnTransport()),
-      proto_id(c->KeyProto()),
+      ip_proto(c->KeyProto()),
       type(t),
       uid(c->GetUID()) {
     if ( ! uid ) {
@@ -31,7 +31,7 @@ RecordValPtr EncapsulatingConn::ToVal() const {
     id_val->Assign(1, val_mgr->Port(ntohs(src_port), proto));
     id_val->Assign(2, make_intrusive<AddrVal>(dst_addr));
     id_val->Assign(3, val_mgr->Port(ntohs(dst_port), proto));
-    id_val->Assign(4, proto_id);
+    id_val->Assign(4, ip_proto);
     rv->Assign(0, std::move(id_val));
     rv->Assign(1, BifType::Enum::Tunnel::Type->GetEnumVal(type));
 

src/TunnelEncapsulation.h

@@ -46,7 +46,7 @@ public:
           src_port(0),
           dst_port(0),
           proto(TRANSPORT_UNKNOWN),
-          proto_id(UNKNOWN_IP_PROTO),
+          ip_proto(UNKNOWN_IP_PROTO),
           type(t),
           uid(UID(detail::bits_per_uid)) {}
 
@@ -71,7 +71,7 @@ public:
           src_port(other.src_port),
           dst_port(other.dst_port),
           proto(other.proto),
-          proto_id(other.proto_id),
+          ip_proto(other.ip_proto),
           type(other.type),
           uid(other.uid) {}
 
@@ -87,7 +87,7 @@ public:
             src_port = other.src_port;
             dst_port = other.dst_port;
             proto = other.proto;
-            proto_id = other.proto_id;
+            ip_proto = other.ip_proto;
             type = other.type;
             uid = other.uid;
             ip_hdr = other.ip_hdr;
@@ -109,7 +109,7 @@ public:
 
         if ( ec1.type == BifEnum::Tunnel::IP || ec1.type == BifEnum::Tunnel::GRE )
             // Reversing endpoints is still same tunnel.
-            return ec1.uid == ec2.uid && ec1.proto == ec2.proto && ec1.proto_id == ec2.proto_id &&
+            return ec1.uid == ec2.uid && ec1.proto == ec2.proto && ec1.ip_proto == ec2.ip_proto &&
                    ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) ||
                     (ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr));
 
@@ -117,13 +117,13 @@ public:
             // Reversing endpoints is still same tunnel, destination port is
             // always the same.
             return ec1.dst_port == ec2.dst_port && ec1.uid == ec2.uid && ec1.proto == ec2.proto &&
-                   ec1.proto_id == ec2.proto_id &&
+                   ec1.ip_proto == ec2.ip_proto &&
                    ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) ||
                     (ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr));
 
         return ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr && ec1.src_port == ec2.src_port &&
                ec1.dst_port == ec2.dst_port && ec1.uid == ec2.uid && ec1.proto == ec2.proto &&
-               ec1.proto_id == ec2.proto_id;
+               ec1.ip_proto == ec2.ip_proto;
     }
 
     friend bool operator!=(const EncapsulatingConn& ec1, const EncapsulatingConn& ec2) { return ! (ec1 == ec2); }
@@ -137,7 +137,7 @@ protected:
     uint16_t src_port;
     uint16_t dst_port;
     TransportProto proto;
-    uint16_t proto_id;
+    uint16_t ip_proto;
     BifEnum::Tunnel::Type type;
     UID uid;
 };

src/zeek.bif

@@ -315,7 +315,6 @@ zeek::RecordValPtr zeek::detail::build_dummy_conn_record()
 	id_val->Assign(1, zeek::val_mgr->Port(ntohs(0), TRANSPORT_UDP));
 	id_val->Assign(2, zeek::make_intrusive<zeek::AddrVal>((unsigned int) 0));
 	id_val->Assign(3, zeek::val_mgr->Port(ntohs(0), TRANSPORT_UDP));
-    id_val->Assign(4, 255);
 	c->Assign(0, std::move(id_val));
 
 	auto orig_endp = zeek::make_intrusive<zeek::RecordVal>(zeek::id::endpoint);