* topic/robin/input-threads-merge: (130 commits)
And now it even compiles after my earlier changes.
A set of input framework refactoring, cleanup, and polishing.
another small memory leak in ascii reader:
and another small memory leak when using streaming reads.
fix another memory lead (when updating tables).
Input framework merge in progress.
filters have been called streams for eternity. And I always was too lazy to change it everywhere...
reactivate network_time check in threading manager. previously this line made all input framework tests fail - it works now. Some of the other recent changes of the threading manager must have fixed that problem.
fix up the executeraw test - now it works for the first time and does not always fail
baselines for the autostart removal.
remove last remnants of autostart, which has been removed for quite a while.
make input framework source (hopefully) adhere to the usual indentation style. No functional changes.
fix two memory leaks which occured when one used filters.
update description to current interface.
rename a couple of structures and make the names in manager fit the api more.
fix memory leak in tables and vectors that are read into tables
fix missing get call for heart beat in benchmark reader.
fix heart_beat_interval -- initialization in constructor does not work anymore (probably due to change in init ordering?)
fix memory leak for tables... nearly completely.
fix a couple more leaks. But - still leaking quite a lot with tables.
...
Without this change, flow labeling of connections over IPv6 are
only available in the per-packet types of events (e.g. new_packet)
in which header fields can be inspected, but now minimal tracking
of the most recent flow label is done internally and that's available
per-connection for all events that use connection record arguments.
Specifically, this adds a "flow_label" field to the "endpoint" record
type, which is used for both the "orig" and "resp" fields of
"connection" records. The new "connection_flow_label_changed" event
also allows tracking of changes in flow labels: it's raised each time
one direction of the connection starts using a different label.
- Unserializing files that were previously kicked out of the open-file
cache would cause them to be fopen'd with the original access
permissions which is usually 'w' and causes truncation. They
are now opened in 'a' mode. (addresses #780)
- Add 'max_files_in_cache' script option to manually set the maximum
amount of opened files to keep cached. Mainly this just helped
to create a simple test case for the above change.
- Remove unused NO_HAVE_SETRLIMIT preprocessor switch.
- On systems that don't enforce a limit on number of files opened for
the process, raise default max size of open-file cache from
32 to 512.
- The 'icmp_conn' record now contains an 'hlim' field since hop limit
in the IP header is an interesting field for at least these ND
messages.
- Changed 'icmp_router_advertisement' event parameters.
'router_lifetime' is now an interval. Fix 'reachable_time' and
'retrans_timer' using wrong internal Val type for intervals.
Made more of the known router advertisement flags available through
boolean parameters.
- Changed 'icmp_neighbor_advertisement' event parameters to add
more of the known boolean flags.
* origin/topic/icmp6:
Fixes for IPv6 truncation and ICMP/ICMP6 analysis.
Change ICMPv6 checksum calculation to use IP_Hdr wrapper.
Update IPv6 atomic fragment unit test to filter output of ICMPv6.
Add more data to icmp events
More code cleanup
Add more icmpv6 events, and general code cleanup
Fix compile failure after merge from master
Significant edit pass over ICMPv6 code.
Porting Matti's branch to git.
Closes#808.
- Add more guards against trying to analyze captured packets with a
truncated IPv6 static header or extension header chain.
- Add back in the ICMP payload tracking for ICMP "connections".
- Fix 'icmp_context' record construction. Some field assignments
were mismatched for ICMP and ICMP6. Source and destination
addresses were set incorrectly for context packets that don't
contain a full IP header. Some fields for ICMP6 weren't filled out.
- Changed ICMP Time Exceeded packets to raise the 'icmp_time_exceeded'
event instead of 'icmp_error_message'.
- Add unit tests for truncation and the main types of ICMP/ICMP6
that have specific events.
- Documentation clarifications.
* origin/topic/jsiwek/mobile-ipv6:
Add support for mobile IPv6 Mobility Header (RFC 6275).
Refactor IP_Hdr routing header handling, add MobileIPv6 Home Address handling.
Revert TCP checksumming to cache common data, like it did before.
Revert "Improve handling of IPv6 Routing Type 0 headers."
Improve handling of IPv6 routing type 0 extension headers.
- Accessible at script-layer through 'mobile_ipv6_message' event.
- All Mobile IPv6 analysis now enabled through --enable-mobile-ipv6
configure-time option, otherwise the mobility header, routing type 2,
and Home Address Destination option are ignored.
In response to feedback from Robin:
- rename "ip_hdr" to "ip4_hdr"
- pkt_hdr$ip6 is now of type "ip6_hdr" instead of "ip6_hdr_chain"
- "ip6_hdr_chain" no longer contains an "ip6_hdr" field, instead
it's the other way around, "ip6_hdr" contains an "ip6_hdr_chain"
- other internal refactoring
* origin/topic/jsiwek/ipv6-ext-headers:
Update PacketFilter/Discarder code for IP version independence.
Add a few comments to IP.h
Fix some IPv6 header related bugs.
Add IPv6 fragment reassembly.
Add handling for IPv6 extension header chains (addresses #531)
The signatures of script-layer functions 'discarder_check_ip',
'discarder_check_tcp', 'discarder_check_udp', and 'discarder_check_icmp'
were changed to use the more general 'pkt_hdr' type as a parameter
instead of individual header types.
- The script-layer 'pkt_hdr' type is extended with a new 'ip6' field
representing the full IPv6 header chain.
- The 'new_packet' event is now raised for IPv6 packets (addresses #523)
- A new event called 'ipv6_ext_header' is raised for any IPv6 packet
containing extension headers.
- A new event called 'esp_packet' is raised for any packets using ESP
('new_packet' and 'ipv6_ext_header' events provide connection info,
but that info can't be provided here since the upper-layer payload
is encrypted).
- The 'unknown_protocol' weird is now raised more reliably when Bro
sees a transport protocol or IPv6 extension header it can't handle.
(addresses #522)
Still need to do IPv6 fragment reassembly and needs more testing.
Also replaced the --snaplen/-l command line option with a
scripting-layer option called "snaplen" (which can also be
redefined on the command line, e.g. `bro -i eth0 snaplen=65535`).
