In the merge, I changed IP.cc to use icmp6_hdr for icmpv6 instead of the
icmp* that was used in the patch. While it does not make a difference
for this case, it seems cleaner.
BIT-1570 #merged
* 'topic/rework-packets' of https://github.com/jsbarber/bro:
One more tinker to Packet -- ensure no uninitialized values
Packet::IP()-created IP_Hdr should not free
Make enums work for non-C++11 config
Refactor to make bro use a common Packet object. Do a better job of parsing layer 2 and keeping track of layer 3 proto. Add support for raw packet event, including Layer2 headers.
Conflicts:
aux/plugins
This prevented one from writing a packet-wise analyzer that needs access
to IP headers and can be attached to a connection via signature match.
None of the analyzers currently shipping are affected. And maybe it's
unlikely there will be many that ever would be, but it's awkward for the
API to omit IP headers in this special case (i.e. packets buffer for use
with DPD signature matching).
Addresses BIT-1298
Replaced some with InternalWarning or InternalAnalyzerError, the later
being a new method which signals the analyzer to not process further
input. Some usages I just removed if they didn't make sense or clearly
couldn't happen. Also did some minor refactors of related code while
reviewing/exploring ways to get rid of InternalError usages.
Also, for TCP content file write failures there's a new event:
"contents_file_write_failure".
* origin/fastpath:
Fix construction of ip6_ah (Authentication Header) record values.
Update compile/dependency docs for OS X.
Adjusting Mac binary packaging script.
Unit test reliability adjustment.
Adjusting some unit tests that do cluster communication.
Small change to non-blocking DNS initialization.
reorder a few statements in scan.l to make 1.5msecs etc work.
Authentication Headers with a Payload Len field set to zero would cause
a crash due to invalid memory allocation because the previous code
assumed Payload Len would always be great enough to contain all
mandatory fields of the header. This changes it so the length of
the header is explicitly checked before attempting to extract fields
located past the minimum length (8 bytes) of an Authentication Header.
Crashes due to this are only possible when handling script-layer events
ipv6_ext_headers, new_packet, esp_packet, or teredo_*. Or also when
implementing one of the discarder_check_* family of functions.
Otherwise, Bro correctly parses past such a header.
* origin/topic/icmp6:
Fixes for IPv6 truncation and ICMP/ICMP6 analysis.
Change ICMPv6 checksum calculation to use IP_Hdr wrapper.
Update IPv6 atomic fragment unit test to filter output of ICMPv6.
Add more data to icmp events
More code cleanup
Add more icmpv6 events, and general code cleanup
Fix compile failure after merge from master
Significant edit pass over ICMPv6 code.
Porting Matti's branch to git.
Closes#808.
- Add more guards against trying to analyze captured packets with a
truncated IPv6 static header or extension header chain.
- Add back in the ICMP payload tracking for ICMP "connections".
- Fix 'icmp_context' record construction. Some field assignments
were mismatched for ICMP and ICMP6. Source and destination
addresses were set incorrectly for context packets that don't
contain a full IP header. Some fields for ICMP6 weren't filled out.
- Changed ICMP Time Exceeded packets to raise the 'icmp_time_exceeded'
event instead of 'icmp_error_message'.
- Add unit tests for truncation and the main types of ICMP/ICMP6
that have specific events.
- Documentation clarifications.
* origin/topic/jsiwek/mobile-ipv6:
Add support for mobile IPv6 Mobility Header (RFC 6275).
Refactor IP_Hdr routing header handling, add MobileIPv6 Home Address handling.
Revert TCP checksumming to cache common data, like it did before.
Revert "Improve handling of IPv6 Routing Type 0 headers."
Improve handling of IPv6 routing type 0 extension headers.
- Accessible at script-layer through 'mobile_ipv6_message' event.
- All Mobile IPv6 analysis now enabled through --enable-mobile-ipv6
configure-time option, otherwise the mobility header, routing type 2,
and Home Address Destination option are ignored.
- For RH0 headers with non-zero segments left, a "routing0_segleft"
flow_weird event is raised (with a destination indicating the last
address in the routing header), and an "rh0_segleft" event can also
be handled if the other contents of the packet header are of interest.
No further analysis is done as the complexity required to correctly
identify destination endpoints of connections doesn't seem worth it
as RH0 has been deprecated by RFC 5095.
- For RH0 headers without any segments left, a "routing0_header"
flow_weird event is raised, but further analysis still occurs
as normal.
- flow_weird event with name argument value of "routing0_hdr" is raised
for packets containing an IPv6 routing type 0 header because this
type of header is now deprecated according to RFC 5095.
- packets with a routing type 0 header and non-zero segments left
now use the last address in that header in order to associate
with a connection/flow and for calculating TCP/UDP checksums.
- added a set of IPv4/IPv6 TCP/UDP checksum unit tests
In response to feedback from Robin:
- rename "ip_hdr" to "ip4_hdr"
- pkt_hdr$ip6 is now of type "ip6_hdr" instead of "ip6_hdr_chain"
- "ip6_hdr_chain" no longer contains an "ip6_hdr" field, instead
it's the other way around, "ip6_hdr" contains an "ip6_hdr_chain"
- other internal refactoring
The signatures of script-layer functions 'discarder_check_ip',
'discarder_check_tcp', 'discarder_check_udp', and 'discarder_check_icmp'
were changed to use the more general 'pkt_hdr' type as a parameter
instead of individual header types.
- IPv6 payload length calculation didn't count main 40 byte IPv6 header.
- Fix how IPv6 headers that use TLV options are built.
- Fix ip6_hdr_chain$ext_order starting index at 1 instead of 0.
- The script-layer 'pkt_hdr' type is extended with a new 'ip6' field
representing the full IPv6 header chain.
- The 'new_packet' event is now raised for IPv6 packets (addresses #523)
- A new event called 'ipv6_ext_header' is raised for any IPv6 packet
containing extension headers.
- A new event called 'esp_packet' is raised for any packets using ESP
('new_packet' and 'ipv6_ext_header' events provide connection info,
but that info can't be provided here since the upper-layer payload
is encrypted).
- The 'unknown_protocol' weird is now raised more reliably when Bro
sees a transport protocol or IPv6 extension header it can't handle.
(addresses #522)
Still need to do IPv6 fragment reassembly and needs more testing.
