* origin/topic/jsiwek/mobile-ipv6:
Add support for mobile IPv6 Mobility Header (RFC 6275).
Refactor IP_Hdr routing header handling, add MobileIPv6 Home Address handling.
Revert TCP checksumming to cache common data, like it did before.
Revert "Improve handling of IPv6 Routing Type 0 headers."
Improve handling of IPv6 routing type 0 extension headers.
- The option to use integers instead of double was ignored.
- Renaming script-level options to remove the ds_ prefix.
- Log rotation didn't work.
- A set of simple unit tests.
- Accessible at script-layer through 'mobile_ipv6_message' event.
- All Mobile IPv6 analysis now enabled through --enable-mobile-ipv6
configure-time option, otherwise the mobility header, routing type 2,
and Home Address Destination option are ignored.
Values assigned in bro_init() to a table with &create_expire
weren't expiring when reading traffic from an interface. It worked
when reading a pcap file, but I added a test case to show it still
working.
The FragReassembler expire_timer was left uninitialized until after
the first fragment is added, but since the atomic fragment is also
the last, the reassembler thought expire_timer needed to be deleted.
This fix just initializes expire_timer before the first fragment is
added.
- For RH0 headers with non-zero segments left, a "routing0_segleft"
flow_weird event is raised (with a destination indicating the last
address in the routing header), and an "rh0_segleft" event can also
be handled if the other contents of the packet header are of interest.
No further analysis is done as the complexity required to correctly
identify destination endpoints of connections doesn't seem worth it
as RH0 has been deprecated by RFC 5095.
- For RH0 headers without any segments left, a "routing0_header"
flow_weird event is raised, but further analysis still occurs
as normal.
- flow_weird event with name argument value of "routing0_hdr" is raised
for packets containing an IPv6 routing type 0 header because this
type of header is now deprecated according to RFC 5095.
- packets with a routing type 0 header and non-zero segments left
now use the last address in that header in order to associate
with a connection/flow and for calculating TCP/UDP checksums.
- added a set of IPv4/IPv6 TCP/UDP checksum unit tests
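The RH0 handling described in the entries above (a type 0 routing header with and without segments left) can be illustrated with a small classifier. This is an added example, not Bro's own code: the function name, result codes and sample bytes are hypothetical, and the header layout is the RFC 2460 one.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes; the quoted weird names are the ones in the log above. */
enum rh0_result {
    RH0_MALFORMED = -1,
    RH0_NOT_TYPE0 = 0,
    RH0_HEADER    = 1,  /* segments left == 0: "routing0_header" */
    RH0_SEGLEFT   = 2   /* segments left > 0:  "routing0_segleft" */
};

/* Constructed sample: next header TCP (6), Hdr Ext Len 4 (two addresses),
 * type 0, one segment left; addresses 2001:db8::1 and 2001:db8::2. */
static const uint8_t sample_rh0[40] = {
    6, 4, 0, 1, 0, 0, 0, 0,
    [8]  = 0x20, 0x01, 0x0d, 0xb8, [23] = 0x01,
    [24] = 0x20, 0x01, 0x0d, 0xb8, [39] = 0x02
};

/* Classify a routing extension header (RFC 2460 layout) of len bytes at buf.
 * On RH0_SEGLEFT, final_dst receives the last address in the header. */
enum rh0_result classify_rh0(const uint8_t *buf, size_t len, uint8_t final_dst[16])
{
    if (len < 8)
        return RH0_MALFORMED;
    size_t total = 8 + (size_t)buf[1] * 8;  /* Hdr Ext Len excludes first 8 octets */
    if (total > len)
        return RH0_MALFORMED;               /* truncated header */
    if (buf[2] != 0)
        return RH0_NOT_TYPE0;
    size_t n_addrs = buf[1] / 2;            /* each address is two 8-octet units */
    if (buf[1] % 2 != 0 || (size_t)buf[3] > n_addrs)
        return RH0_MALFORMED;
    if (buf[3] == 0)
        return RH0_HEADER;
    memcpy(final_dst, buf + 8 + (n_addrs - 1) * 16, 16);
    return RH0_SEGLEFT;
}

int main(void)
{
    uint8_t dst[16] = {0};
    enum rh0_result r = classify_rh0(sample_rh0, sizeof sample_rh0, dst);
    printf("result=%d last octet of final destination=%u\n", r, dst[15]);
    return 0;
}
```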
* topic/jsiwek/ipv6-ext-headers:
Cosmetics in preparation for merge.
Removing remaining comments. Looks fine.
Refactor script-layer IPv6 ext. header chain (addresses #795)
Changes to IPv6 ext. header parsing (addresses #795).
Fix ipv6_ext_headers event and add routing0_data_to_addrs BIF.
Remove the default "tcp or udp or icmp" filter.
Merge remote-tracking branch 'origin/topic/jsiwek/ipv6-ext-headers'
Add unit test for IPv6 fragment reassembly.
Update PacketFilter/Discarder code for IP version independence.
Add a few comments to IP.h
Fix some IPv6 header related bugs.
Add IPv6 fragment reassembly.
Add handling for IPv6 extension header chains (addresses #531)
Closes #795.
These do not have to be present in the input file and are marked as &optional in the record description.
Those can e.g. be used to create field values on the file in a predicate while reading a file - example:
Input::add_table([$source="input.log", $name="input", $idx=Idx, $val=Val, $destination=servers,
$pred(typ: Input::Event, left: Idx, right: Val) = { right$notb = !right$b; return T; }
]);
In response to feedback from Robin:
- rename "ip_hdr" to "ip4_hdr"
- pkt_hdr$ip6 is now of type "ip6_hdr" instead of "ip6_hdr_chain"
- "ip6_hdr_chain" no longer contains an "ip6_hdr" field, instead
it's the other way around, "ip6_hdr" contains an "ip6_hdr_chain"
- other internal refactoring
support reading from commands by appending | to the filename.
support streaming reads from command.
Fix something to make reread work better. (magically happened)
Note that fdstream.h is from boost and has a separate license:
* (C) Copyright Nicolai M. Josuttis 2001.
* Permission to copy, use, modify, sell and distribute this software
* is granted provided this copyright notice appears in all copies.
* This software is provided "as is" without express or implied
* warranty, and with no claim as to its suitability for any purpose.
compiles, not really tested.
basic test works 70% of the time, coredumps in the other 30 - but was not easy to debug at first glance (most interestingly the crash happens in the logging framework - I wonder how that works).
Other tests are not adjusted to the new interface yet.
This is to avoid ambiguity between compressed hex notation and
module namespacing, both of which use "::". E.g.: "aaaa::bbbb" could
be an identifier or an IPv6 address, but "[aaaa::bbbb]" is now
clearly the address.
Also added IPv6 mixed notation to allow an IPv4 dotted-decimal
address to be specified in the lower 32-bits.