Commit graph

483 commits

Author SHA1 Message Date
Johanna Amann
38a3d67643 Merge remote-tracking branch 'origin/master' into topic/johanna/table-changes
* origin/master:
  Fix shadowed variable that breaks lookup_hostname()
  GH-1025: allow copying/cloning of `opaque of Broker::Store`
  Fix "possibly-truncated" compiler warning in BuildJSON snprintf()
  Update submodule(s)
  Fixed some places where tabs became spaces
  Convert to using permissions to check for access to cirrus variables in benchmark script
  Integrate review feedback: improve command-line option redef parsing
  Fix several issues with command-line option redefs
  Remove last_access_time from TableEntryVal.
  Minimize data published for expected FTP data channel analysis
  Stricter checking if we have a dns field on the connection being processed
  Modified the DNS protocol analyzer to add a new parameter to the dns_request event which includes the DNS query in its original case. Added a policy script that will add the original_case to the dns.log file as well. Created new btests to test both.
  Place build file in explicit location for benchmarking to work correctly
  cmake: Make musl support more distro agnostic
  Update highwayhash submodule to upstream.
  GH-998: Fix Reporter::conn_weird() to handle expired connections
2020-06-26 13:52:25 -07:00
Johanna Amann
b027b69f5d Brokerstore<->Tables: attribute conflicts
Makes some attributes conflict with each other. This also needed the
test to change.

The test is a bit flaky - but I can, for the heck of it, not figure out
why. I am punting that for the future after spending a few hours on it.
2020-06-25 19:28:35 -07:00
Johanna Amann
09119ae69d Zeek/Brokerstore updates: expiration
Expiration is done separately by the manager, the clones, and the
brokerstore. But - it should happen roughly at the same time.
2020-06-24 16:50:22 -07:00
Johanna Amann
64af3cdf05 Remove last_access_time from TableEntryVal.
Turns out - this was no longer used. And it takes up at least 8 bytes
of space for every single table/set entry.
2020-06-18 22:59:08 +00:00
Johanna Amann
c8a3a90339 Merge remote-tracking branch 'origin/master' into topic/johanna/table-changes
* origin/master: (33 commits)
  Fix location where CI places build.tgz
  Update submodule(s)
  Disable some deprecation diagnostics for GCC
  Compare pcap_next_ex() result to PCAP_ERROR/PCAP_ERROR_BREAK
  Optimize Connection::RemovalEvent() for bare-mode usage
  Rename BroType to Type
  Update NEWS
  Review cleanup
  Move Type types to zeek namespace
  Review cleanup
  Restrict Cirrus CI to only zeek repo's branches
  GH-977: Improve pcap error handling
  Remove not-useful code in iosource::Manager::OpenPktSrc
  GH-999: Stop formatting DHCP Client ID Hardware Type 0 as MAC
  Remove inline from some static KeyedHash members
  Improve Func.h inclusion
  Fix NVT analyzer memory leak from multiple telnet authn name options
  Rename aux/ to auxil/
  Move Flare/Pipe from the bro namespace to zeek::detail
  Move Attr to the zeek::detail namespace
  ...
2020-06-15 14:19:02 -07:00
Tim Wojtulewicz
137e416a03 Rename BroType to Type 2020-06-10 14:27:36 -07:00
Tim Wojtulewicz
ed13972924 Move Type types to zeek namespace 2020-06-09 17:20:45 -07:00
Johanna Amann
65c12ba6e9 Zeek/Brokerstore updates: first working end-to-end test
This commit fixes a few more loose ends to actually make the
Zeek Table<->brokerstore syncing work. This mostly slightly changes the
TableVal assign/remove operators to prevent loops when a remote change
arrives.

The test inserts a value into a table on the manager, and it pops out
in a table on a clone - which is the easiest case.

Timeouts are still not handled at all; the behavior when inserting into
a clone is untested.
2020-06-05 16:17:05 -07:00
Johanna Amann
62f208086c Update to recent broker changes.
Specifically the store name is now part of the messages.
2020-06-05 14:33:45 -07:00
Johanna Amann
9d9aefaec3 Merge remote-tracking branch 'origin/master' into topic/johanna/table-changes
* origin/master:
  Fix use-after-move of proc_status_file breaking -U flag
  Change Cirrus CI config to use org-level secured variable
  Deprecate Val(double, TypeTag) ctor, add TimeVal/DoubleVal subclasses
  GH-973: Fix the return type of topk_get_top()
2020-06-05 14:29:14 -07:00
Johanna Amann
f080c8c294 Broker changes: adopt to recent IntrusivePtr API changes 2020-06-03 16:48:16 -07:00
Johanna Amann
d9de6c4522 Merge remote-tracking branch 'origin/master' into topic/johanna/table-changes
* origin/master: (172 commits)
  GH-985: Fix descriptions of double_to_interval() return values
  Decrease number of CPUs/memory for Cirrus CI tasks
  Change CI script to compile from build/Makefile
  Add missing include in util.cc
  Remove Analyzer.h from bro-bif.h
  Remove IPAddr.h from Reporter.h
  Remove the inclusion of Func.h from NetVar.h, which reduces the inclusion of Func.h overall.
  Update submodule(s)
  Update submodule(s)
  Integrate review feedback
  Update submodule(s)
  Fix crash on using some deprecated environment variables
  Update NEWS
  Update test baselines for new Broker connection status/error strings
  Switch Broker Val converter visitor to return IntrusivePtr
  Change BroFunc ctor to take const-ref IntrusivePtr<ID>
  Add version of Frame::SetElement() taking IntrusivePtr<ID>
  Change Scope/Func inits from id_list* to vector<IntrusivePtr<ID>>
  Change Scope::GenerateTemporary() to return IntrusivePtr
  Deprecate Scope::ReturnType(), replace with GetReturnType()
  ...
2020-06-03 16:09:42 -07:00
Tim Wojtulewicz
60ed29c3b6 Move Attr to the zeek::detail namespace 2020-06-03 15:16:19 -07:00
Tim Wojtulewicz
0d623d003c Move ID to the zeek::detail namespace 2020-06-03 15:16:19 -07:00
Tim Wojtulewicz
cbdb8ee074 Expr: move all classes into zeek::detail 2020-06-03 15:16:18 -07:00
Jon Siwek
5b4313b593 Deprecate Val(double, TypeTag) ctor, add TimeVal/DoubleVal subclasses
This also updates all usages of the deprecated Val ctor to use
either IntervalVal, TimeVal, or DoubleVal ctors.  The reason for
doing away with the old constructor is that using it with TYPE_INTERVAL
isn't strictly correct since there exists a more specific subclass,
IntervalVal, with overridden ValDescribe() method that ought to be used
to print such values in a more descriptive way.
2020-06-02 23:33:40 -07:00
Jon Siwek
9c133b9b10 Integrate review feedback
* Add deprecation for MIME_Entity::ContentType(), use GetContentType()

* Add deprecation for MIME_Entity::ContentSubType(), use GetContentSubType()

* Add deprecation for MIME_Message::BuildHeaderVal(), use ToHeaderVal()

* Add deprecation for MIME_Message::BuildHeaderTable(), use ToHeaderTable()

* Add deprecation for mime::new_string_val(), use mime::to_stringval()

* Add deprecation for ARP_Analyzer::ConstructAddrVal(), use ToAddrVal()

* Add deprecation for ARP_Analyzer::EthAddrToStr(), use ToEthAddrStr()

* Change the Func::Call() replacement to be named Func::Invoke()
2020-05-29 19:14:35 -07:00
Johanna Amann
ebb106c9b8 Store updates: downlevel and store table elements as keys.
In this commit we change our approach and just store table keys as
broker keys and table values as broker indexes. This means we only can
have a single table in a broker store.

This seems to work perfectly - and leads to vastly less complex code.

Code should work, but is actually pretty untested. Might break with
certain types. Does not yet handle item expiration.

Also - this has the tiny issue that all remote operations currently lead
to loops (the operation will immediately be sent to the broker-store
again), which is not quite optimal.
2020-05-29 17:56:11 -07:00
Johanna Amann
558e89b3ba Broker Store updates: get a bit more infrastructure in place.
This compiles, but besides giving debug messages (and partially
performing inserts/updates) it is not really helpful and definitely WIP.

This also shows that I might have to re-think the approach that we will
take here. So far, we actually insert tables as tables into
Brokerstores. This opens up the potential to just have several tables
synchronized via a single brokerstore.

However, it turns out, that the current store_event API sends the
complete table with each update. Which is problematic for obvious
reasons - and not really sustainable.
2020-05-29 15:28:42 -07:00
Johanna Amann
8db83a5ed2 Make &broker_store take argument of type string.
It turns out that directly passing a Broker::Store is not really a
bright idea. Because - if we do that - we have to later try to intercept
when the master/clone is generated to figure out what the actual name of
the backing store is.

Turns out that it is much easier to just use the name directly - and
check if a store with that name exists when we want to insert something.

I might want to reconsider this in the future in any case. At the moment
this approach just stores one table into an entire store. In theory, one
store should be able to handle several tables, but... that's more
complex. So let's start with this for now.
2020-05-28 13:47:13 -07:00
Jon Siwek
ce6f69cd19 Deprecate TableVal::FindAttr(), replace with GetAttr() 2020-05-26 15:46:46 -07:00
Jon Siwek
e365105872 Deprecate TypeDecl::FindAttr(), replace with GetAttr() 2020-05-26 15:41:25 -07:00
Jon Siwek
bee321711f Deprecate Attributes::FindAttr(), replace with Find() 2020-05-26 15:25:08 -07:00
Jon Siwek
97636e97a5 Deprecate Attr::AttrExpr(), replace with GetExpr() 2020-05-26 12:13:56 -07:00
Jon Siwek
272db640aa Deprecate Plugin::HookCallFunction(), replace with HookFunctionCall()
This also changes the argument type of Func::operator() to zeek::Args*
to allow plugins to be able to alter function arguments in place as
was previously documented.
2020-05-22 21:01:38 -07:00
Jon Siwek
0a23b8dff5 Change find_nested_record_types() to take IntrusivePtr 2020-05-21 23:21:37 -07:00
Jon Siwek
a0481c0b26 Deprecate TypeType::Type(), replace with GetType() 2020-05-21 23:12:43 -07:00
Jon Siwek
457c08f531 Add is_atomic_type() overloads for IntrusivePtr 2020-05-21 22:53:10 -07:00
Jon Siwek
6a1c312451 Add same_type() overloads for IntrusivePtr args 2020-05-21 21:33:02 -07:00
Jon Siwek
4b17929b6b Deprecate IndexType::Indices(), replace with GetIndices() 2020-05-21 19:46:57 -07:00
Jon Siwek
ea878208ba Factor static-local nil IntrusivePtrs to global locations
Minor optimization to remove any run-time impact.
2020-05-21 17:22:39 -07:00
Jon Siwek
a384bb8b81 Deprecate VectorVal::Lookup(), replace with At() 2020-05-21 17:03:46 -07:00
Jon Siwek
69533bcbc6 Switch VectorVal BroValUnion to store std::vector<IntrusivePtr<Val>>
This changes the return type of AsVector() from std::vector<Val*>*
2020-05-21 16:24:34 -07:00
Jon Siwek
40db09ccbf Deprecate VectorVal::Insert() taking raw Val*, use IntrusivePtr 2020-05-21 15:44:06 -07:00
Jon Siwek
de1e3d7d6d Deprecate VectorVal::Assign methods taking raw Val*
And adapt usages to pass in to alternate method taking IntrusivePtr
2020-05-21 15:31:04 -07:00
Jon Siwek
3b6f60a810 Add Val::AsFuncPtr() convenience method
Since it's not trivial to store IntrusivePtr in BroValUnion and also
not satisfying to store IntrusivePtr*.
2020-05-21 00:50:48 -07:00
Jon Siwek
5af962e11f Deprecate StringVal::Substitute(), replace with Replace() 2020-05-20 23:38:01 -07:00
Jon Siwek
adb9d2881c Switch a TableVal::CallChangeFunc param to IntrusivePtr 2020-05-20 23:17:25 -07:00
Jon Siwek
9798c4b763 Fix ambiguous ODesc::Add() call 2020-05-20 22:58:44 -07:00
Jon Siwek
61b44a9c63 Minor TableVal::Assign() ref-counting optimization 2020-05-20 22:23:31 -07:00
Jon Siwek
3f92df51b7 Improve TableVal HashKey management
* Deprecated ComputeHash() methods and replaced with MakeHashKey()
  which returns std::unique_ptr<HashKey>

* Deprecated RecoverIndex() and replaced with RecreateIndex()
  which takes HashKey& and returns IntrusivePtr.

* Updated the new TableVal Assign()/Remove() methods to take either
  std::unique_ptr<HashKey> or HashKey& as appropriate for clarity of
  ownership expectations.
2020-05-20 22:16:47 -07:00
Jon Siwek
dc03f0bb83 Deprecate TableVal::Delete(), replace with Remove() 2020-05-20 20:29:49 -07:00
Jon Siwek
087a0f3636 Switch Func::Call(val_list*) back to returning Val*
And renamed the method returning IntrusivePtr to operator().
This corrects the deprecation process for Func::Call(val_list*).
2020-05-20 18:41:59 -07:00
Jon Siwek
85a0ddd62d Deprecate TableVal::Lookup(), replace with Find()/FindOrDefault() 2020-05-20 18:00:50 -07:00
Jon Siwek
b85cfc6fe4 Deprecate TableVal IsSubsetOf and EqualTo taking Val*, use Val& 2020-05-20 16:00:43 -07:00
Jon Siwek
e01d2c1b37 Deprecate ComputeHash(Val*) methods, replace with ComputeHash(Val&) 2020-05-20 15:47:19 -07:00
Jon Siwek
e5f66cd2e6 Deprecate TableVal::Intersect(), replace with Intersection() 2020-05-20 15:13:55 -07:00
Jon Siwek
7e89c8f0df Deprecate TableVal::Assign methods with Val*, add IntrusivePtr overloads 2020-05-20 12:46:51 -07:00
Jon Siwek
5bf2ed02d7 Deprecate RecordVal::Lookup(const char*, bool)
Replace with GetField(const char*) and GetFieldOrDefault(const char*).
2020-05-19 21:09:40 -07:00
Jon Siwek
2b4d80c849 Deprecate RecordVal::LookupWithDefault() replace with GetFieldOrDefault()
(The former was previously changed during this release cycle to return
Intrusive pointer, but this just changes it back to return Val* and
deprecates it).
2020-05-19 20:11:06 -07:00