Fedora 30 is EOL. For Fedora 32, we need to add the diffutils RPM to
the installation list, since cmp and diff aren't automatically
available in the base image. (Also, sort the RPMs alphabetically.)
* origin/topic/jsiwek/gh-1119-conn-removal-callbacks:
GH-1119: add base/protcols/conn/removal-hooks.zeek
Avoid run-time cost of find-filtered-trace.zeek for live traffic
Remove connection_successful and successful_connection_remove events
Historically, a 'when' condition performed an AST-traversal to locate
any index-expressions like `x[9]` and evaluated them so that it could
register the associated value as something for which it needs to receive
"modification" notifications.
Evaluating arbitrary expressions during an AST-traversal like that ignores
the typical order-of-evaluation/short-circuiting you'd expect if the
condition was evaluated normally, from its root expression.
Now, a new subclass of IndexExpr is used to keep track of all IndexExpr
results in the context of evaluating a 'when' condition without having
to do a secondary AST-traversal-and-eval. i.e. the first evaluation of
the full 'when' condition follows the typical expression-evaluation
semantics (as always), but additionally now captures all the values
a Trigger needs to monitor for modifications.
Those operations done between a vector-of-interval and a
vector-of-arithmetic-type previously threw a runtime expression error
due to an incorrect coercion being used internally.
The RSTOS0 `conn_state` label is documented as "Originator sent a SYN
followed by a RST, never saw SYN-ACK from responder", but was previously
applied to cases where no originator SYN exists, like a single RST-only
packet.
This adds two new functions: `Conn::register_removal_hook()` and
`Conn::unregister_removal_hook()` for registering a hook function to be
called back during `connection_state_remove`. The benefit of using hook
callback approach is better scalability: the overhead of unrelated
protocols having to dispatch no-op `connection_state_remove` handlers is
avoided.
If the inner packet of a decapsulated GTPv1 frame maps to the same
Connection as the outer packet and also contains another GTPv1
encapsulation, the same GTPv1 analyzer attempts to parse the inner
packet. In the process, the inner parsing method overwrites pointers to
memory resources the outer parsing method has not yet released and
results in a memory leak.
If the inner packet of a decapsulated AYIYA frame maps to the same
Connection as the outer packet and also contains another AYIYA
encapsulation, the same AYIYA analyzer attempts to parse the inner
packet. In the process, the inner parsing method overwrites pointers to
memory resources the outer parsing method has not yet released and
results in a memory leak.
Credit to OSS-Fuzz for discovery
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25256
- Merge adjustments:
- Minor whitespace/style tweaks
- Fixed portability of the btest due to differences in `uniq -c`
output format
* origin/topic/robin/gh-623-sampling:
Extend weird sampling with option to track selected weirds globally.
This is to avoid missing large sessions where a single side exceeds
the DPD buffer size. It comes with the trade-off that now the analyzer
can be triggered by anybody controlling one of the endpoints (instead
of both).
Test suite changes are minor, and nothing in "external".
Closes#343.
