From fe6a05e2ade5151db7d22b7b6d39c04182e77145 Mon Sep 17 00:00:00 2001 From: Gregor Maier Date: Sun, 7 Aug 2011 15:33:50 -0700 Subject: [PATCH] Tunnel documentation tweaks. Checkpoint. Need to check cross-references once "make doc" works again. --- scripts/policy/frameworks/tunnel.bro | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/scripts/policy/frameworks/tunnel.bro b/scripts/policy/frameworks/tunnel.bro index 80e46c31a4..ebec2b0f06 100644 --- a/scripts/policy/frameworks/tunnel.bro +++ b/scripts/policy/frameworks/tunnel.bro @@ -2,7 +2,21 @@ ##! ##! Bro can decapsulate IPinIP and IPinUDP tunnels, were "IP" can be either ##! IPv4 or IPv6. The most common case will be decapsulating Teredo, 6to4, -##! 6in4, and AYIAY. +##! 6in4, and AYIAY. When this script is loaded, decapsulation will be +##! enabled. "tunnel.log" will log the "parent" for each tunneled +##! connection. The identity (and existence) of the tunnel connection +##! is otherwise lost. +##! +##! Currently handles: +##! +##! * IP6 in IP{4,6}. (IP4 in IP is easy to add, but omitted due to lack +##! of test cases. +##! * IP{4,6} in UDP. This decapsulates e.g., standard *Teredo* packets +##! (without authentication or origin indicator) +##! * IP{4,6} in AYIAY +##! * Only checks for UDP tunnels on Teredo's and AYIAY's default +##! ports. See :bro:id:`udp_tunnel_ports` and +##! :bro:id:`udp_tunnel_allports` ##! ##! Decapsulation happens early in a packets processing, right after IP ##! defragmentation but before there is a connection context. The tunnel 
@@ -11,13 +25,14 @@ ##! which is of type :bro:type:`parent_t`. ##! ##! *Limitation:* The decapsulated packets are not fed through the -##! defragmenter again. +##! defragmenter again and decapsulation happens only on the primary +##! path, i.e., it's not available for the secondary path. ##! ##! module Tunnel; -redef use_connection_compressor = F; +#redef use_connection_compressor = F; redef Tunnel::decapsulate_ip = T; redef Tunnel::decapsulate_udp = T; redef Tunnel::udp_tunnel_allports = T;
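Review bot: In the first hunk (@@ -2,7 +2,21 @@), the last added bullet says the script "Only checks for UDP tunnels on Teredo's and AYIAY's default ports", but the same file sets `redef Tunnel::udp_tunnel_allports = T;` (visible as context in the second hunk), so the header comment and the configuration this script applies appear to disagree. Suggest stating which ports are inspected once this script is loaded, and moving the port restriction out of the "Currently handles" list, since it reads as a limitation and an operator relying on the doc would misjudge which tunneled traffic gets decapsulated. Two smaller points: the parenthesis opened at "(IP4 in IP is easy to add" is never closed, and the cross-references name `udp_tunnel_ports` and `udp_tunnel_allports` without the `Tunnel::` prefix used for `udp_tunnel_allports` in the redef lines, which is worth confirming when the cross-references are checked.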
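Review bot: In the second hunk (@@ -11,13 +25,14 @@), `redef use_connection_compressor = F;` is commented out rather than removed, with no explanation, and this is a behaviour change inside a commit whose subject is documentation tweaks. Suggest either deleting the line or adding a comment that says why the redef is no longer needed, and mentioning the change in the commit message. The extended limitation text also uses "primary path" and "secondary path" without defining them; one sentence on what the secondary path is would let readers judge which traffic is not decapsulated.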