[Bro] new_packet, BuildHeader and IPv6
vern at icir.org
Sat Jul 28 22:13:12 PDT 2007
> - This function is called in NetSessions::DoNextPacket just after an "if
> ( new_packet )" but this condition seems to be always false.
> Is there something to activate to make it work?
As Robin mentioned, if you define a "new_packet" event handler in your
policy script, then the variable will be assigned to a non-null value and
the test will succeed.
> - As NetSessions::BuildHeader takes as a parameter "const struct ip* ip" I
> have two solutions to make it work with IPv6: copy this function and
> adapt it for IPv6 or change the prototype to:
> "NetSessions::BuildHeader(const IP_Hdr* hdr)".
> I have currently chosen the second option, but I'd like to hear what you
> think about that before I make too many changes.
That's a reasonable approach. Currently, the new_packet event takes a
pkt_hdr record, which is currently defined to hold an ip_hdr record. I think
the cleanest approach would be to modify pkt_hdr to take either an ip_hdr
record *or* an ip6_hdr record (which you would need to define); you can
make both &optional, establishing a convention that at most one of them
is set for any given packet.