Loading policy/protocols/conntuple/vlan adapts Zeek's flow hashing and the
script-layer conn_id record to show VLAN tags when present.
I'm using script-layer ints for the VLAN tag representation for consistency with
what we already do elsewhere, but it seems odd since they can never be negative.
I'm currently skipping protocols/conntuple/vlan in test-all-policy since it
otherwise affects the external testsuites -- could revisit if people feel it
should run on these.
This allows tuple builders to complete conn_id instances in implementations that
redef that record. We could be more invasive here and shift most of GetVal() into
the five-tuple builder implementation.
The class previously kept a full copy, preventing virtualization.
There are 3 remaining uses of the existing Connection object constructor, all in
C++ unit tests. Since Connection isn't in the detail namespace we can't
immediately change its API, but we could deprecate the existing constructor at
this time.
ConnKey instances encode connection tuples for connection lookups via session
keys. They so far relied on their internal memory layout as input for session
keying: a pointer to an instance plus its sizeof() served as the hash data
input.
This approach breaks when virtualizing ConnKeys, with compilers explicitly
warning against using this approach. To allow virtualizing ConnKeys, this commit
changes the hashing approach to explicit packing of the tuple context into a
memory chunk, allowing derived classes to provide their own/additional
implementations. One benefit of this approach is that the packed chunks can vary
in size, using space for additional fields only when actually present in the
traffic. It also reduces the packed size somewhat: on my machine full object
ConnKey instances account for 48 bytes, while the packed chunk makes up 38 --
and we no longer need to memset() out the extra space to ensure hash
correctness.
This also removes unneeded versions of the comparison operators, and bases the
remaining ones on the session key values themselves. There's some potential for
optimization here to avoid repeated creation of the packed region since it will
never change for a given tuple.
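The following is an added illustration of the hashing change described above; it is not Zeek's code, and all names (RawFiveTuple, PackedConnKey, VlanConnKey, the FNV-1a stand-in hash, the constructed tuple values) are invented for the example. It contrasts hashing sizeof() bytes of a key object, which makes the hash depend on whatever the padding bytes happen to hold and on the vtable pointer once the class is virtual, with explicit packing of the tuple into a byte chunk that a derived key can extend only when extra fields are present.

```cpp
// Added example (not Zeek code): raw-memory hashing of a key object versus
// hashing an explicitly packed chunk that derived keys can extend.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>
#include <vector>

// FNV-1a stands in for the session-key hash; any byte-range hash would do.
inline uint64_t Fnv1a(const uint8_t* data, size_t len) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; ++i) {
        h ^= data[i];
        h *= 1099511628211ULL;
    }
    return h;
}

// Plain struct key with tail padding after `proto` (IPv4 only for brevity).
struct RawFiveTuple {
    uint32_t orig_ip, resp_ip;
    uint16_t orig_port, resp_port;
    uint8_t proto;
};

// Old approach: hash sizeof(RawFiveTuple) bytes starting at the object.
// `fill` is whatever the padding bytes contained before the fields were set;
// without a memset() to a fixed value, equal tuples can hash differently.
uint64_t RawMemoryHash(uint8_t fill) {
    alignas(RawFiveTuple) uint8_t buf[sizeof(RawFiveTuple)];
    std::memset(buf, fill, sizeof buf);
    RawFiveTuple* t = new (buf) RawFiveTuple;  // trivial type: bytes untouched
    t->orig_ip = 0x0A000001; t->resp_ip = 0x0A000002;   // constructed values
    t->orig_port = 40000; t->resp_port = 443; t->proto = 6;
    return Fnv1a(buf, sizeof buf);
}

// New approach: serialize the tuple into a byte vector. The virtual hook lets
// derived keys append fields; no object bytes or padding ever reach the hash.
class PackedConnKey {
public:
    PackedConnKey(uint32_t oip, uint32_t rip, uint16_t op, uint16_t rp, uint8_t pr)
        : orig_ip_(oip), resp_ip_(rip), orig_port_(op), resp_port_(rp), proto_(pr) {}
    virtual ~PackedConnKey() = default;

    std::vector<uint8_t> Pack() const {
        std::vector<uint8_t> out;
        Put(out, orig_ip_); Put(out, resp_ip_);
        Put(out, orig_port_); Put(out, resp_port_);
        out.push_back(proto_);
        PackExtra(out);
        return out;
    }
    uint64_t Hash() const { auto p = Pack(); return Fnv1a(p.data(), p.size()); }
    // Comparison is based on the packed key values, not on object memory.
    bool operator==(const PackedConnKey& o) const { return Pack() == o.Pack(); }

protected:
    virtual void PackExtra(std::vector<uint8_t>&) const {}
    template <typename T> static void Put(std::vector<uint8_t>& out, T v) {
        uint8_t b[sizeof(T)];
        std::memcpy(b, &v, sizeof b);
        out.insert(out.end(), b, b + sizeof b);
    }

private:
    uint32_t orig_ip_, resp_ip_;
    uint16_t orig_port_, resp_port_;
    uint8_t proto_;
};

// Derived key: VLAN tags (-1 = absent) are appended, each behind a type byte,
// only when the traffic carried them, so the chunk size varies per tuple.
class VlanConnKey : public PackedConnKey {
public:
    VlanConnKey(uint32_t oip, uint32_t rip, uint16_t op, uint16_t rp, uint8_t pr,
                int vlan, int inner_vlan)
        : PackedConnKey(oip, rip, op, rp, pr), vlan_(vlan), inner_vlan_(inner_vlan) {}

protected:
    void PackExtra(std::vector<uint8_t>& out) const override {
        if (vlan_ >= 0) { out.push_back(0x01); Put(out, static_cast<uint16_t>(vlan_)); }
        if (inner_vlan_ >= 0) { out.push_back(0x02); Put(out, static_cast<uint16_t>(inner_vlan_)); }
    }

private:
    int vlan_, inner_vlan_;
};
```

With these definitions the plain key packs to 13 bytes while sizeof(PackedConnKey) is larger because of the vtable pointer and alignment; a key carrying one VLAN tag packs to 16 bytes and one carrying both to 19, and a VlanConnKey with no tags hashes identically to the base key. As the commit message notes, Pack() could be cached per instance since the tuple never changes.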
Builders are intermediaries that encapsulate the details of how to instantiate
connection tuples & keys. By virtualizing those data structures, builder
implementations can adapt Zeek's notion of connection tuples.
* origin/topic/awelzel/generic-metadata-pre-work:
cluster/Backend: Add name and lookup component tag
cluster/Event: Hide members behind accessors
cluster/PublishEvent: Make event non-const
broker/Manager: Re-use broker serializer for conversion
EventMgr: Add Dispatch() with handler and args
plugin/Manager: Fix MetaHookPre and MetaHookPost using HOOK_CALL_FUNCTION
For scheduled events, the event timestamp is the intended timestamp. If
we force timer expiration, the timestamp might be in the future. Today,
this happens on shutdown. This change guarantees that event timestamps
are never set beyond network time.
Allow users to call event_mgr.Dispatch(handler, args) instead of
constructing the Event instance themselves. Deprecate the old API
and replace users.
There's a subtle change that net_done() may be propagated via
auto_publish() now, but that still needs opt-in from script land
and likely no one did that, or else they'd have expected it to
work anyhow.
This test is very sensitive to new enum values that perturb the final
order of the output. Listing the commits that modify that file in the
past clearly shows changes to the baseline happen when a new component
with an enum value is introduced.
40f04d4ccf broker: Add WebSocketShim backend
51836d08ae protocol: Add StreamEvent analyzer
fdde1e9841 cluster/serializer: Add binary-serialization-format
6fb73aa9da broker: Add shim plugin adding a backend component
85ca59484b postgresql: Initial parser implementation
efc2681152 WebSocket: Introduce new analyzer and log
...
That's just distraction. Point fix the test to sort the analyzers before
writing the final log line.
I've previously attempted this in a more complete fashion in PR #3365
(issue #3364), but seems this direct fix might just make more sense.
This test has become flaky after #4295. It hasn't been failing regularly
enough locally to make it approachable. Annotate with
BTEST_BG_RUN_SLEEP=1 to revert to pre #4295 behavior, hopefully
fixing the flakiness as a side-effect.
After further testing with the fuzzer corpus, std::unreachable isn't
necessary here. It's fine to just let the default case break to fix
the Coverity warning.
* topic/timw/coverity-fixes:
Add move assignment operator to ZeekString, which already had a move constructor
Don't initialize telemetry listener at all if ZEEKCTL_CHECK_CONFIG is set
Avoid extra temporary strings in concatenation
Use const auto references to avoid some copies
Clean up initialization of TunnelEncapsulation to use default member values
Remove some unnecessary std::move calls in broker::Manager
Avoid divide-by-zero in CardinalityCounter::Size
Minor fixes in POP3 analyzer based on flycheck warnings
More std::move changes based on Coverity findings
Fix a potential memory leak in Debug function
* origin/topic/timw/4281-unconditionally-forward-out-of-snap:
Make SNAP analyzer use both OUI and protocol for forwarding
Change packet analyzer identifiers to be 64-bit