quic: Bump maximum history length, make configurable

scripts/main.zeek

@@ -69,6 +69,9 @@ export {
 	global log_policy: Log::PolicyHook;
 
 	global finalize_quic: Conn::RemovalHook;
+
+	## The maximum length of the history field.
+	option max_history_length = 100;
 }
 
 redef record connection += {
@@ -84,12 +87,15 @@ const quic_ports = {
 	784/udp, # DNS-over-QUIC early
 };
 
-function add_to_history(quic: Info, is_orig: bool, what: string)
+function add_to_history(c: connection, is_orig: bool, what: string)
 	{
-	if ( |quic$history_state| == 10 )
+	if ( |c$quic$history_state| == max_history_length )
 		return;
 
-	quic$history_state += is_orig ? to_upper(what[0]) : to_lower(what[0]);
+	c$quic$history_state += is_orig ? to_upper(what[0]) : to_lower(what[0]);
+
+	if ( |c$quic$history_state| == max_history_length )
+		Reporter::conn_weird("QUIC_max_history_length_reached", c);
 	}
 
 function log_record(quic: Info)
@@ -123,19 +129,19 @@ function set_conn(c: connection, is_orig: bool, version: count, dcid: string, sc
 event QUIC::initial_packet(c: connection, is_orig: bool, version: count, dcid: string, scid: string)
 	{
 	set_conn(c, is_orig, version, dcid, scid);
-	add_to_history(c$quic, is_orig, "INIT");
+	add_to_history(c, is_orig, "INIT");
 	}
 
 event QUIC::handshake_packet(c: connection, is_orig: bool, version: count, dcid: string, scid: string)
 	{
 	set_conn(c, is_orig, version, dcid, scid);
-	add_to_history(c$quic, is_orig, "HANDSHAKE");
+	add_to_history(c, is_orig, "HANDSHAKE");
 	}
 
 event QUIC::zero_rtt_packet(c: connection, is_orig: bool, version: count, dcid: string, scid: string)
 	{
 	set_conn(c, is_orig, version, dcid, scid);
-	add_to_history(c$quic, is_orig, "ZeroRTT");
+	add_to_history(c, is_orig, "ZeroRTT");
 	}
 
 # RETRY packets trigger a log entry and state reset.
@@ -144,7 +150,7 @@ event QUIC::retry_packet(c: connection, is_orig: bool, version: count, dcid: str
 	if ( ! c?$quic )
 		set_conn(c, is_orig, version, dcid, scid);
 
-	add_to_history(c$quic, is_orig, "RETRY");
+	add_to_history(c, is_orig, "RETRY");
 
 	log_record(c$quic);
 
@@ -158,7 +164,7 @@ event QUIC::connection_close_frame(c: connection, is_orig: bool, version: count,
 	if ( ! c?$quic )
 		return;
 
-	add_to_history(c$quic, is_orig, "CONNECTION_CLOSE");
+	add_to_history(c, is_orig, "CONNECTION_CLOSE");
 
 	log_record(c$quic);
 
@@ -189,15 +195,15 @@ event ssl_client_hello(c: connection, version: count, record_version: count, pos
 	if ( ! c?$quic )
 		return;
 
-	add_to_history(c$quic, T, "SSL");
+	add_to_history(c, T, "SSL");
 	}
 
 event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=-5
 	{
 	if ( ! c?$quic )
 		return;
 
-	add_to_history(c$quic, F, "SSL");
+	add_to_history(c, F, "SSL");
 	}
 
 hook finalize_quic(c: connection)

testing/Baseline/tests.curl-http3/quic.log

@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	client_initial_dcid	server_scid	server_name	client_protocol	history
 #types	time	string	addr	port	addr	port	string	string	string	string	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.2	34347	64.233.166.94	443	1	815d62c70884f4b51e8ccadd5beed372	c15d62c70884f4b5	www.google.de	h3	ISishIhHhh
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.2	34347	64.233.166.94	443	1	815d62c70884f4b51e8ccadd5beed372	c15d62c70884f4b5	www.google.de	h3	ISishIhHhhH
 #close XXXX-XX-XX-XX-XX-XX

testing/Baseline/tests.firefox/quic.log

@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	client_initial_dcid	server_scid	server_name	client_protocol	history
 #types	time	string	addr	port	addr	port	string	string	string	string	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	82.239.54.117	44174	250.58.23.113	443	1	c5a5015ae8f479784a	01275b138ee6aca8a6276b132ae6b3547cf7773f	blog.cloudflare.com	h3	ISiihIhhhH
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	82.239.54.117	44174	250.58.23.113	443	1	c5a5015ae8f479784a	01275b138ee6aca8a6276b132ae6b3547cf7773f	blog.cloudflare.com	h3	ISiihIhhhHHhHH
 #close XXXX-XX-XX-XX-XX-XX

testing/Baseline/tests.max-history-length/quic.log.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	history
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	ISi

testing/Baseline/tests.max-history-length/weird.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	82.239.54.117	44174	250.58.23.113	443	QUIC_max_history_length_reached	-	F	zeek	-
+#close XXXX-XX-XX-XX-XX-XX

testing/Baseline/tests.quic-log/quic.log

@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	client_initial_dcid	server_scid	server_name	client_protocol	history
 #types	time	string	addr	port	addr	port	string	string	string	string	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	669b:cb7a:de99:6a13:4a9b:46ef:3bed:cb6c	57538	6699:ded3:da8c:be73:5a99:ca73:5a99:cadb	443	1	5a37463b0eb7cc5d	da37463b0eb7cc5d	www.google.de	h3	ISishIhHhh
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	669b:cb7a:de99:6a13:4a9b:46ef:3bed:cb6c	57538	6699:ded3:da8c:be73:5a99:ca73:5a99:cadb	443	1	5a37463b0eb7cc5d	da37463b0eb7cc5d	www.google.de	h3	ISishIhHhhHH
 #close XXXX-XX-XX-XX-XX-XX

testing/tests/max-history-length.zeek

@@ -0,0 +1,5 @@
+# @TEST-DOC: Test that runs the pcap
+# @TEST-EXEC: zeek -Cr $TRACES/firefox-102.13.0esr-blog-cloudflare-com.pcap $PACKAGE QUIC::max_history_length=3
+# @TEST-EXEC: zeek-cut -m ts uid history < quic.log > quic.log.cut
+# @TEST-EXEC: btest-diff quic.log.cut
+# @TEST-EXEC: btest-diff weird.log