declaration error: &default function type clash

So I am trying to convert tables into using opaque of cardinality since thats more memory efficient (or counting bloomfilters for that matter):

works: if table (0) converted to (1)
errors: if table (2) converted to (3)

Details: I am trying the following, original table (0) converted to (1):

(0) global likely_scanner: table[addr,port] of set[addr] &read_expire=1 day &synchronized ;

(1) global c_likely_scanner: table[addr] of opaque of cardinality
        &default = function(n: any): opaque of cardinality { return hll_cardinality_init(0.1, 0.95); }
        &read_expire=1 day ;

ERRORS:

(2) global likely_scanner: table[addr,port] of set[addr] &read_expire=1 day &synchronized ;

Converted table:

(3) global c_likely_scanner: table[addr,port] of opaque of cardinality
        &default = function(n: any): opaque of cardinality { return hll_cardinality_init(0.1, 0.95); }
        &read_expire=1 day ;

I get this error:

check-knock.bro, line 58: &default function type clash (&default=anonymous-function{ return (hll_cardinality_init(0.1, 0.95))})

Question:

how do I declare (3) so that I can avoid the "&default function type clash" error above.

I am not sure what am I doing wrong in the declaration. Any thoughts/advice how to get past this issue ?

Thanks,
Aashish

how do I declare (3) so that I can avoid the "&default function type clash" error above.

I guess the function for initialization receives the index that should
be initialized. In this case the index consists of two values. I tried
the following and Bro did not complain:

global c_likely_scanner: table[addr,port] of opaque of cardinality
        &default = function(a: addr, p: port): opaque of cardinality {
return hll_cardinality_init(0.1, 0.95); }
        &read_expire=1 day;

Hope that works for you!

Regards,
Jan

Jan,

I guess the function for initialization receives the index that should
be initialized.

Thank you. This works!

For future reference:

I also needed to convert the following table to use opaque of cardinality for this table grows reasonably big:

global distinct_backscatter_peers: table[addr] of table[port] of set[addr] &read_expire=1 day;

Here is how I did this one:

type bs: table[port] of opaque of cardinality &default=function(p:port): opaque of cardinality {return hll_cardinality_init(0.1, 0.95); };
global c_distinct_backscatter_peers: table[addr] of bs &read_expire=1 day ;

and to access:

        if ( orig !in c_distinct_backscatter_peers)
                c_distinct_backscatter_peers[orig] = table() ;

  if (s_port !in c_distinct_backscatter_peers[orig])
         {
           local cp: opaque of cardinality = hll_cardinality_init(0.1, 0.95);
                 c_distinct_backscatter_peers[orig][s_port]=cp ;
  }

         hll_cardinality_add(c_distinct_backscatter_peers[orig][s_port], resp);

         local d_val = double_to_count(hll_cardinality_estimate(c_distinct_backscatter_peers[orig][s_port]));

  ### use d_val here ....

Now may be there is a better more elegant way to do this, but above seems to work for me.

Again, thanks Jan!!

Aashish