From: Ron Dempster (rdempste) Date: Fri, 29 Apr 2022 20:27:35 +0000 (+0000) Subject: Pull request #3331: Tenant id X-Git-Tag: 3.1.29.0~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fa97dbc6ba19879e39a4d44131d650fc620a460e;p=thirdparty%2Fsnort3.git Pull request #3331: Tenant id Merge in SNORT/snort3 from ~RDEMPSTE/snort3:tenant_id to master Squashed commit of the following: commit 49bcaac681921062b79be6e17ffc319a9d7f831b Author: Ron Dempster (rdempste) Date: Thu Apr 28 17:02:22 2022 -0400 flow: change the padding and bits in the flow key to make it more clear commit 76553e101331382ee5e7daca82fb34e513fbb23d Author: Ron Dempster (rdempste) Date: Wed Apr 27 12:18:04 2022 -0400 dce_rpc: update address space id in the smb keys commit 3d78363477fcfe1c866ff62d73eb3a6a9970b3cf Author: Ron Dempster (rdempste) Date: Tue Mar 22 12:04:08 2022 -0400 flow: add inline cppcheck suppressions commit f54d8a3cc078023a153b576e78583569dfd4bbb6 Author: Ron Dempster (rdempste) Date: Mon Mar 21 13:13:19 2022 -0400 flow, network_inspectors, policy_selectors, stream: make address space id 32 bits and add a tenant id to the daq header --- diff --git a/daqs/daq_file.c b/daqs/daq_file.c index ebad16b81..0c438a3f5 100644 --- a/daqs/daq_file.c +++ b/daqs/daq_file.c @@ -127,12 +127,10 @@ static int create_message_pool(FileContext* fc, unsigned size) /* Initialize non-zero invariant packet header fields. */ DAQ_PktHdr_t *pkthdr = &desc->pkthdr; - pkthdr->address_space_id = 0; pkthdr->ingress_index = DAQ_PKTHDR_UNKNOWN; pkthdr->ingress_group = DAQ_PKTHDR_UNKNOWN; pkthdr->egress_index = DAQ_PKTHDR_UNKNOWN; pkthdr->egress_group = DAQ_PKTHDR_UNKNOWN; - pkthdr->flags = 0; /* Initialize non-zero invariant message header fields. */ DAQ_Msg_t *msg = &desc->msg; diff --git a/daqs/daq_hext.c b/daqs/daq_hext.c index 44644d37a..261b5fd20 100644 --- a/daqs/daq_hext.c +++ b/daqs/daq_hext.c 
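Review bot: In create_message_pool in daqs/daq_file.c, removing `pkthdr->address_space_id = 0;` and `pkthdr->flags = 0;` leaves those fields, and the new tenant_id, dependent on the descriptor pool being zero-filled at allocation, which happens outside the hunk. If the pool is not zero-allocated, later policy selection would read indeterminate address-space and tenant values. I would record the assumption beside the existing comment, e.g. `/* Zero-valued fields (address_space_id, tenant_id, flags) rely on the pool being zero-allocated. */`. The same applies to the matching hunk in daqs/daq_hext.c, and the function body continues outside the hunk.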
@@ -139,12 +139,10 @@ static int create_message_pool(HextContext* hc, unsigned size) /* Initialize non-zero invariant packet header fields. */ DAQ_PktHdr_t *pkthdr = &desc->pkthdr; - pkthdr->address_space_id = 0; pkthdr->ingress_index = DAQ_PKTHDR_UNKNOWN; pkthdr->ingress_group = DAQ_PKTHDR_UNKNOWN; pkthdr->egress_index = DAQ_PKTHDR_UNKNOWN; pkthdr->egress_group = DAQ_PKTHDR_UNKNOWN; - pkthdr->flags = 0; /* Initialize non-zero invariant message header fields. */ DAQ_Msg_t *msg = &desc->msg; @@ -260,11 +258,12 @@ static bool parse_flowstats(DAQ_MsgType type, const char* line, HextMsgDesc *des "%" SCNu8 " " /* is_qos_applied_on_src_intf */ \ "%" SCNu32 " " /* sof_timestamp.tv_sec */ \ "%" SCNu32 " " /* eof_timestamp.tv_sec */ \ + "%" SCNu32 " " /* address_space_id */ \ + "%" SCNu32 " " /* tenant_id */ \ "%" SCNu16 " " /* vlan_tag */ \ - "%" SCNu16 " " /* address_space_id */ \ "%" SCNu8 " " /* protocol */ \ "%" SCNu8 /* flags */ -#define FLOWSTATS_ITEMS 22 +#define FLOWSTATS_ITEMS 23 DAQ_FlowStats_t* f = &desc->flowstats; char srcaddr[INET6_ADDRSTRLEN], dstaddr[INET6_ADDRSTRLEN]; uint32_t sof_sec, eof_sec; @@ -272,7 +271,7 @@ static bool parse_flowstats(DAQ_MsgType type, const char* line, HextMsgDesc *des &f->egress_intf, srcaddr, &f->initiator_port, dstaddr, &f->responder_port, &f->opaque, &f->initiator_pkts, &f->responder_pkts, &f->initiator_pkts_dropped, &f->responder_pkts_dropped, &f->initiator_bytes_dropped, &f->responder_bytes_dropped, &f->is_qos_applied_on_src_intf, - &sof_sec, &eof_sec, &f->vlan_tag, &f->address_space_id, + &sof_sec, &eof_sec, &f->address_space_id, &f->tenant_id, &f->vlan_tag, &f->protocol, &f->flags); if (rval != FLOWSTATS_ITEMS) return false; diff --git a/doc/user/daq.txt b/doc/user/daq.txt index d2922763c..809df169d 100644 --- a/doc/user/daq.txt +++ b/doc/user/daq.txt 
@@ -258,8 +258,8 @@ The available commands are: $packet -> - $sof - $eof + $sof + $eof Client and server are determined as follows. $packet -> client indicates to the client (from server) and $packet -> server indicates a packet to the diff --git a/piglet/tests/interface/daq_header.lua b/piglet/tests/interface/daq_header.lua index 72b4ab9e5..bdd1ed993 100644 --- a/piglet/tests/interface/daq_header.lua +++ b/piglet/tests/interface/daq_header.lua @@ -20,6 +20,7 @@ DEFAULT_VALUES = opaque = 0, flow_id = 0, address_space_id = 0 + tenant_id = 0 } VALUES = @@ -34,6 +35,7 @@ VALUES = opaque = 8, flow_id = 9, address_space_id = 10 + tenant_id = 11 } tests = diff --git a/src/flow/flow.cc b/src/flow/flow.cc index c772815a9..62683cda9 100644 --- a/src/flow/flow.cc +++ b/src/flow/flow.cc @@ -350,6 +350,7 @@ void Flow::free_flow_data() { _daq_pkt_hdr pkthdr = {}; pkthdr.address_space_id = key->addressSpaceId; + pkthdr.tenant_id = tenant; select_default_policy(pkthdr, sc); } } diff --git a/src/flow/flow_control.cc b/src/flow/flow_control.cc index 28decb08c..a8936fb64 100644 --- a/src/flow/flow_control.cc +++ b/src/flow/flow_control.cc @@ -322,7 +322,7 @@ static void init_roles(Packet* p, Flow* flow) flow->server_group = p->pkth->egress_group; } - flow->tenant = p->get_flow_geneve_vni(); + flow->tenant = p->pkth->tenant_id; flow->flags.app_direction_swapped = false; if ( flow->ssn_state.direction == FROM_CLIENT ) diff --git a/src/flow/flow_key.cc b/src/flow/flow_key.cc index b638d8bba..a490b5c98 100644 --- a/src/flow/flow_key.cc +++ b/src/flow/flow_key.cc @@ -193,7 +193,7 @@ void FlowKey::init_vlan(const SnortConfig* sc, uint16_t vlanId) vlan_tag = 0; } -void FlowKey::init_address_space(const SnortConfig* sc, uint16_t addrSpaceId) +void FlowKey::init_address_space(const SnortConfig* sc, uint32_t addrSpaceId) { if (!sc->address_space_agnostic()) addressSpaceId = addrSpaceId; 
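Review bot: In piglet/tests/interface/daq_header.lua the added `tenant_id = 0` follows `address_space_id = 0`, which has no trailing separator, so the DEFAULT_VALUES table constructor no longer parses; Lua requires `,` or `;` between fields. The VALUES hunk has the same problem, with `address_space_id = 10` followed by `tenant_id = 11`. The context lines need the comma: `address_space_id = 0,` and `address_space_id = 10,`. As written the script would presumably fail to load, so the tenant_id round trip through the DAQ header interface is not exercised.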
@@ -234,7 +234,7 @@ bool FlowKey::init( const SfIp *srcIP, uint16_t srcPort, const SfIp *dstIP, uint16_t dstPort, uint16_t vlanId, uint32_t mplsId, - uint16_t addrSpaceId, int16_t ingress_group, + uint32_t addrSpaceId, int16_t ingress_group, int16_t egress_group) { bool reversed; @@ -263,14 +263,11 @@ bool FlowKey::init( init_address_space(sc, addrSpaceId); init_mpls(sc, mplsId); - if (ingress_group == DAQ_PKTHDR_UNKNOWN or egress_group == DAQ_PKTHDR_UNKNOWN) - flags.group_used = 0; - else - flags.group_used = 1; + padding = flags.padding_bits = 0; + flags.group_used = (ingress_group != DAQ_PKTHDR_UNKNOWN and egress_group != DAQ_PKTHDR_UNKNOWN); init_groups(ingress_group, egress_group, reversed); - flags.ubits = 0; return reversed; } @@ -308,11 +305,10 @@ bool FlowKey::init( init_address_space(sc, pkt_hdr.address_space_id); init_mpls(sc, mplsId); + padding = flags.padding_bits = 0; flags.group_used = ((pkt_hdr.flags & DAQ_PKT_FLAG_SIGNIFICANT_GROUPS) != 0); init_groups(pkt_hdr.ingress_group, pkt_hdr.egress_group, reversed); - flags.ubits = 0; - return reversed; } @@ -321,7 +317,7 @@ bool FlowKey::init( PktType type, IpProtocol ip_proto, const SfIp *srcIP, const SfIp *dstIP, uint32_t id, uint16_t vlanId, - uint32_t mplsId, uint16_t addrSpaceId, + uint32_t mplsId, uint32_t addrSpaceId, int16_t ingress_group, int16_t egress_group) { // to avoid confusing 2 different datagrams or confusing a datagram @@ -350,15 +346,11 @@ bool FlowKey::init( init_address_space(sc, addrSpaceId); init_mpls(sc, mplsId); - if (ingress_group == DAQ_PKTHDR_UNKNOWN or egress_group == DAQ_PKTHDR_UNKNOWN) - flags.group_used = 0; - else - flags.group_used = 1; + padding = flags.padding_bits = 0; + flags.group_used = (ingress_group != DAQ_PKTHDR_UNKNOWN and egress_group != DAQ_PKTHDR_UNKNOWN); init_groups(ingress_group, egress_group, reversed); - flags.ubits = 0; - return false; } 
@@ -395,11 +387,11 @@ bool FlowKey::init( init_address_space(sc, pkt_hdr.address_space_id); init_mpls(sc, mplsId); + padding = flags.padding_bits = 0; + flags.group_used = ((pkt_hdr.flags & DAQ_PKT_FLAG_SIGNIFICANT_GROUPS) != 0); init_groups(pkt_hdr.ingress_group, pkt_hdr.egress_group, reversed); - flags.ubits = 0; - return false; } @@ -412,8 +404,6 @@ bool FlowKey::is_equal(const void* s1, const void* s2, size_t) { const uint64_t* a = (const uint64_t*)s1; const uint64_t* b = (const uint64_t*)s2; - const uint32_t* c; - const uint32_t* d; if (*a - *b) return false; /* Compares IPv4 lo/hi @@ -438,17 +428,17 @@ bool FlowKey::is_equal(const void* s1, const void* s2, size_t) a++; b++; if (*a - *b) - return false; /* Compares MPLS label, port lo/hi */ + return false; /* Compares MPLS label, addressSpaceId */ a++; b++; if (*a - *b) - return false; /* Compares group lo/hi, addressSpaceId, vlan */ + return false; /* Compares port lo/hi, group lo/hi, vlan */ - c = (const uint32_t*)(++a); - d = (const uint32_t*)(++b); - if (*c - *d) - return false; /* ip_proto, type, version, 8 bit pad */ + a++; + b++; + if (*a - *b) + return false; /* vlan, pad, ip_proto, type, version, flags */ return true; } @@ -478,13 +468,14 @@ unsigned FlowHashKeyOps::do_hash(const unsigned char* k, int) mix(a, b, c); - a += d[9]; // port lo & port hi - b += d[10]; // group lo & group hi - c += d[11]; // addressSpaceId, vlan + a += d[9]; // addressSpaceId + b += d[10]; // port lo & port hi + c += d[11]; // group lo & group hi mix(a, b, c); - a += d[12]; // ip_proto, pkt_type, version, 8 bits of zeroed pad + a += d[12]; // vlan & pad + b += d[13]; // ip_proto, pkt_type, version, flags finalize(a, b, c); diff --git a/src/flow/flow_key.h b/src/flow/flow_key.h index 98f09ccbd..05c7f0b92 100644 --- a/src/flow/flow_key.h +++ b/src/flow/flow_key.h 
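Review bot: In FlowKey::is_equal the updated comment on the sixth 64-bit comparison, `/* Compares port lo/hi, group lo/hi, vlan */`, does not match the new layout in flow_key.h. port_l, port_h, group_l and group_h fill that word, and vlan_tag starts the next one, which the following comment already lists. Because is_equal and FlowHashKeyOps::do_hash walk the key by raw word offset, these comments are the only map a reader has for checking that every field, including the widened addressSpaceId, takes part in flow separation. Suggest `/* Compares port lo/hi, group lo/hi */`. Both functions begin outside their hunks.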
@@ -56,18 +56,20 @@ struct SO_PUBLIC FlowKey uint32_t ip_l[4]; /* Low IP */ uint32_t ip_h[4]; /* High IP */ uint32_t mplsLabel; + uint32_t addressSpaceId; uint16_t port_l; /* Low Port - 0 if ICMP */ uint16_t port_h; /* High Port - 0 if ICMP */ int16_t group_l; int16_t group_h; - uint16_t addressSpaceId; uint16_t vlan_tag; + uint16_t padding; uint8_t ip_protocol; PktType pkt_type; uint8_t version; - struct { - uint8_t group_used:1; // Is group being used to build key. - uint8_t ubits:7; + struct + { + bool group_used : 1; + uint8_t padding_bits : 7; } flags; /* The init() functions return true if the key IP/port fields were actively @@ -78,14 +80,14 @@ struct SO_PUBLIC FlowKey const SnortConfig*, PktType, IpProtocol, const snort::SfIp *srcIP, uint16_t srcPort, const snort::SfIp *dstIP, uint16_t dstPort, - uint16_t vlanId, uint32_t mplsId, uint16_t addrSpaceId, + uint16_t vlanId, uint32_t mplsId, uint32_t addrSpaceId, int16_t group_h = DAQ_PKTHDR_UNKNOWN, int16_t group_l = DAQ_PKTHDR_UNKNOWN); bool init( const SnortConfig*, PktType, IpProtocol, const snort::SfIp *srcIP, const snort::SfIp *dstIP, uint32_t id, uint16_t vlanId, - uint32_t mplsId, uint16_t addrSpaceId, + uint32_t mplsId, uint32_t addrSpaceId, int16_t group_h = DAQ_PKTHDR_UNKNOWN, int16_t group_l = DAQ_PKTHDR_UNKNOWN); bool init( @@ -101,7 +103,7 @@ struct SO_PUBLIC FlowKey void init_mpls(const SnortConfig*, uint32_t); void init_vlan(const SnortConfig*, uint16_t); - void init_address_space(const SnortConfig*, uint16_t); + void init_address_space(const SnortConfig*, uint32_t); void init_groups(int16_t, int16_t, bool); // If this data structure changes size, compare must be updated! diff --git a/src/flow/test/flow_control_test.cc b/src/flow/test/flow_control_test.cc index b1fef5347..f2116c769 100644 --- a/src/flow/test/flow_control_test.cc +++ b/src/flow/test/flow_control_test.cc 
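Review bot: The struct still carries only the comment `// If this data structure changes size, compare must be updated!`, although this change grows the key and both is_equal and do_hash index it by fixed word counts. A compile-time check would enforce the contract, for example `static_assert(sizeof(FlowKey) == 56, "update FlowKey::is_equal and FlowHashKeyOps::do_hash");` after the struct, unless one already exists outside the hunk. The value 56 is inferred from the 14 32-bit words do_hash now reads, so confirm it against the real sizeof. Because the key is hashed and compared as raw bytes, the new `padding` member and `flags.padding_bits` also deserve a comment saying every code path that builds a FlowKey must zero them, not only the init() overloads. The struct starts and ends outside these hunks.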
@@ -130,7 +130,7 @@ bool FlowKey::init( const SfIp*, uint16_t, const SfIp*, uint16_t, uint16_t, uint32_t, - uint16_t, int16_t, int16_t) + uint32_t, int16_t, int16_t) { return true; } @@ -150,7 +150,7 @@ bool FlowKey::init( PktType, IpProtocol, const SfIp*, const SfIp*, uint32_t, uint16_t, - uint32_t, uint16_t, int16_t, + uint32_t, uint32_t, int16_t, int16_t) { return true; diff --git a/src/flow/test/ha_test.cc b/src/flow/test/ha_test.cc index a6efa6557..49775341e 100644 --- a/src/flow/test/ha_test.cc +++ b/src/flow/test/ha_test.cc @@ -37,20 +37,20 @@ class StreamHAClient; static const FlowKey s_test_key = { - { 1, 2, 3, 4 }, - { 5, 6, 7, 8 }, - 9, - 10, - 11, - 0, - 0, - 0, - 12, - 14, - PktType::TCP, - 14, - 0, - 0 + /* .ip_l = */ { 1, 2, 3, 4 }, + /* .ip_h = */ { 5, 6, 7, 8 }, + /* .mplsLabel = */ 9, + /* .addressSpaceId = */ 0, + /* .port_l = */ 10, + /* .port_h = */ 11, + /* .group_l = */ 0, + /* .group_h = */ 0, + /* .vlan_tag = */ 12, + /* .padding = */ 0, + /* .ip_protocol = */ 14, + /* .pkt_type = */ PktType::TCP, + /* .version = */ 14, + /* .flags = */ 0, }; static struct __attribute__((__packed__)) TestDeleteMessage { @@ -61,7 +61,7 @@ static struct __attribute__((__packed__)) TestDeleteMessage { { HA_DELETE_EVENT, HA_MESSAGE_VERSION, - 0x39, + 61, KEY_TYPE_IP6 }, s_test_key @@ -71,13 +71,14 @@ static struct __attribute__((__packed__)) TestUpdateMessage { HAMessageHeader mhdr; FlowKey key; HAClientHeader schdr; + // cppcheck-suppress unusedStructMember uint8_t scmsg[10]; } s_update_stream_message = { { HA_UPDATE_EVENT, HA_MESSAGE_VERSION, - 0x45, + 73, KEY_TYPE_IP6 }, s_test_key, @@ -527,6 +528,7 @@ TEST(high_availability_test, consume_error_truncated_client_msg) struct __attribute__((__packed__)) { HAClientHeader chdr = { 0, 0x42 }; + // cppcheck-suppress unusedStructMember uint8_t cmsg[0x42 / 2] = { }; } input; HAMessage msg((uint8_t*) &input, sizeof(input)); 
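Review bot: In src/flow/test/ha_test.cc the test headers change their length fields (`0x39` to `61`, `0x45` to `73`) while HA_MESSAGE_VERSION is used unchanged, which suggests the FlowKey serialized into HA messages has a new layout under the same version number. If the version is not bumped elsewhere in this commit, a peer on the previous build would read the moved addressSpaceId, port and group fields at their old offsets instead of rejecting the message. It is worth confirming that the version constant changes together with the layout. The literal lengths could also be derived from the packed test structs, e.g. `sizeof(TestDeleteMessage)`, assuming that matches how the length field is defined, so they track future FlowKey changes.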
@@ -542,6 +544,7 @@ TEST(high_availability_test, consume_error_client_consume) struct __attribute__((__packed__)) { HAClientHeader chdr = { 0, 10 }; + // cppcheck-suppress unusedStructMember uint8_t cmsg[0x42 / 2] = { }; } input; HAMessage msg((uint8_t*) &input, sizeof(input)); diff --git a/src/loggers/log_hext.cc b/src/loggers/log_hext.cc index 4f7773d91..709a92ee6 100644 --- a/src/loggers/log_hext.cc +++ b/src/loggers/log_hext.cc @@ -101,9 +101,11 @@ void DaqMessageEventHandler::handle(DataEvent& event, Flow*) "%hhu " // is_qos_applied_on_src_intf "%ld " // sof_timestamp.tv_sec "%ld " // eof_timestamp.tv_sec + "%u " // address_space_id + "%u " // tenant_id "%hu " // vlan_tag - "%hu " // address_space_id - "%hhu" // protocol + "%hhu " // protocol + "%hhu" // flags "\n", cmd, fs->ingress_group, @@ -122,9 +124,11 @@ void DaqMessageEventHandler::handle(DataEvent& event, Flow*) fs->is_qos_applied_on_src_intf, fs->sof_timestamp.tv_sec, fs->eof_timestamp.tv_sec, - vlan_tag, fs->address_space_id, - fs->protocol); + fs->tenant_id, + vlan_tag, + fs->protocol, + fs->flags); } diff --git a/src/lua/lua_iface.h b/src/lua/lua_iface.h index b3ffc1167..691f3970b 100644 --- a/src/lua/lua_iface.h +++ b/src/lua/lua_iface.h @@ -78,6 +78,7 @@ struct TypeInterface { using type = T; using AccessorCallback = void (*)(lua_State*, int, T&); + using ConstAccessorCallback = void (*)(lua_State*, int, const T&); const char* name; const luaL_Reg* methods; @@ -136,7 +137,7 @@ struct TypeInterface return 0; } - int default_getter(lua_State* L, AccessorCallback acb) const + int default_getter(lua_State* L, ConstAccessorCallback acb) const { auto& self = this->get(L); lua_newtable(L); diff --git a/src/network_inspectors/appid/appid_debug.cc b/src/network_inspectors/appid/appid_debug.cc index 938e4f4f5..69cf138f7 100644 --- a/src/network_inspectors/appid/appid_debug.cc +++ b/src/network_inspectors/appid/appid_debug.cc 
@@ -35,7 +35,7 @@ using namespace snort; THREAD_LOCAL AppIdDebug* appidDebug = nullptr; void AppIdDebug::activate(const uint32_t* ip1, const uint32_t* ip2, uint16_t port1, - uint16_t port2, IpProtocol protocol, const int version, uint16_t address_space_id, + uint16_t port2, IpProtocol protocol, const int version, uint32_t address_space_id, const AppIdSession* session, bool log_all_sessions, int16_t group1, int16_t group2, bool inter_group_flow) { @@ -115,7 +115,7 @@ void AppIdDebug::activate(const uint32_t* ip1, const uint32_t* ip2, uint16_t por snprintf(gr_buf, sizeof(gr_buf), " GR=%hd-%hd", sgroup, dgroup); snprintf(debug_session, sizeof(debug_session), - "%s %hu -> %s %hu %hhu AS=%hu ID=%u%s", + "%s %hu -> %s %hu %hhu AS=%u ID=%u%s", sipstr, sport, dipstr, dport, static_cast(protocol), address_space_id, get_instance_id(), gr_buf); } diff --git a/src/network_inspectors/appid/appid_debug.h b/src/network_inspectors/appid/appid_debug.h index a1c086803..4f1fc5a0e 100644 --- a/src/network_inspectors/appid/appid_debug.h +++ b/src/network_inspectors/appid/appid_debug.h @@ -72,7 +72,7 @@ public: AppIdDebug() = default; void activate(const uint32_t* ip1, const uint32_t* ip2, uint16_t port1, uint16_t port2, - IpProtocol protocol, const int version, uint16_t address_space_id, + IpProtocol protocol, const int version, uint32_t address_space_id, const AppIdSession* session, bool log_all_sessions, int16_t group1 = DAQ_PKTHDR_UNKNOWN, int16_t group2 = DAQ_PKTHDR_UNKNOWN, bool inter_group_flow = false); void activate(const snort::Flow *flow, const AppIdSession* session, bool log_all_sessions); diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc index 652f13ebc..6a510e644 100644 --- a/src/network_inspectors/appid/appid_session.cc +++ b/src/network_inspectors/appid/appid_session.cc 
@@ -125,7 +125,7 @@ AppIdSession* AppIdSession::allocate_session(const Packet* p, IpProtocol proto, } AppIdSession::AppIdSession(IpProtocol proto, const SfIp* ip, uint16_t port, - AppIdInspector& inspector, OdpContext& odp_ctxt, uint16_t asid) + AppIdInspector& inspector, OdpContext& odp_ctxt, uint32_t asid) : FlowData(inspector_id, &inspector), config(inspector.get_ctxt().config), initiator_port(port), asid(asid), protocol(proto), api(*(new AppIdSessionApi(this, *ip))), odp_ctxt(odp_ctxt), diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h index 3910c1f26..32db58ea6 100644 --- a/src/network_inspectors/appid/appid_session.h +++ b/src/network_inspectors/appid/appid_session.h @@ -226,7 +226,7 @@ class AppIdSession : public snort::FlowData { public: AppIdSession(IpProtocol, const snort::SfIp*, uint16_t port, AppIdInspector&, - OdpContext&, uint16_t asid = 0); + OdpContext&, uint32_t asid = 0); ~AppIdSession() override; static AppIdSession* allocate_session(const snort::Packet*, IpProtocol, @@ -241,7 +241,7 @@ public: std::unordered_map flow_data; uint64_t flags = 0; uint16_t initiator_port = 0; - uint16_t asid = 0; + uint32_t asid = 0; uint16_t session_packet_count = 0; uint16_t init_pkts_without_reply = 0; diff --git a/src/network_inspectors/appid/detector_plugins/test/detector_plugins_mock.h b/src/network_inspectors/appid/detector_plugins/test/detector_plugins_mock.h index 0a6356a00..184f5a8cd 100644 --- a/src/network_inspectors/appid/detector_plugins/test/detector_plugins_mock.h +++ b/src/network_inspectors/appid/detector_plugins/test/detector_plugins_mock.h 
@@ -157,7 +157,7 @@ AppIdConfig stub_config; AppIdContext stub_ctxt(stub_config); OdpContext stub_odp_ctxt(stub_config, nullptr); AppIdSession::AppIdSession(IpProtocol, const SfIp* ip, uint16_t, AppIdInspector& inspector, - OdpContext& odpctxt, uint16_t) : snort::FlowData(inspector_id, (snort::Inspector*)&inspector), + OdpContext& odpctxt, uint32_t) : snort::FlowData(inspector_id, (snort::Inspector*)&inspector), config(stub_config), api(*(new AppIdSessionApi(this, *ip))), odp_ctxt(odpctxt) { this->set_session_flags(APPID_SESSION_DISCOVER_APP); diff --git a/src/network_inspectors/appid/service_state.cc b/src/network_inspectors/appid/service_state.cc index dafe1f3e9..3d43a0c26 100644 --- a/src/network_inspectors/appid/service_state.cc +++ b/src/network_inspectors/appid/service_state.cc @@ -213,21 +213,21 @@ void AppIdServiceState::clean() } ServiceDiscoveryState* AppIdServiceState::add(const SfIp* ip, IpProtocol proto, uint16_t port, - int16_t group, uint16_t asid, bool decrypted, bool do_touch) + int16_t group, uint32_t asid, bool decrypted, bool do_touch) { return service_state_cache->add( AppIdServiceStateKey(ip, proto, port, group, asid, decrypted), do_touch ); } ServiceDiscoveryState* AppIdServiceState::get(const SfIp* ip, IpProtocol proto, uint16_t port, - int16_t group, uint16_t asid, bool decrypted, bool do_touch) + int16_t group, uint32_t asid, bool decrypted, bool do_touch) { return service_state_cache->get( AppIdServiceStateKey(ip, proto, port, group, asid, decrypted), do_touch); } void AppIdServiceState::remove(const SfIp* ip, IpProtocol proto, uint16_t port, - int16_t group, uint16_t asid, bool decrypted) + int16_t group, uint32_t asid, bool decrypted) { AppIdServiceStateKey ssk(ip, proto, port, group, asid, decrypted); Map_t::iterator it = service_state_cache->find(ssk); 
@@ -243,7 +243,7 @@ void AppIdServiceState::remove(const SfIp* ip, IpProtocol proto, uint16_t port, } void AppIdServiceState::check_reset(AppIdSession& asd, const SfIp* ip, uint16_t port, - int16_t group, uint16_t asid) + int16_t group, uint32_t asid) { ServiceDiscoveryState* sds = AppIdServiceState::get(ip, IpProtocol::TCP, port, group, asid, asd.is_decrypted()); diff --git a/src/network_inspectors/appid/service_state.h b/src/network_inspectors/appid/service_state.h index 3dc07645d..9105026d4 100644 --- a/src/network_inspectors/appid/service_state.h +++ b/src/network_inspectors/appid/service_state.h @@ -149,13 +149,13 @@ public: static bool initialize(size_t memcap); static void clean(); static ServiceDiscoveryState* add(const snort::SfIp*, IpProtocol, uint16_t port, - int16_t group, uint16_t asid, bool decrypted, bool do_touch = false); + int16_t group, uint32_t asid, bool decrypted, bool do_touch = false); static ServiceDiscoveryState* get(const snort::SfIp*, IpProtocol, uint16_t port, - int16_t group, uint16_t asid, bool decrypted, bool do_touch = false); + int16_t group, uint32_t asid, bool decrypted, bool do_touch = false); static void remove(const snort::SfIp*, IpProtocol, uint16_t port, - int16_t group, uint16_t asid, bool decrypted); + int16_t group, uint32_t asid, bool decrypted); static void check_reset(AppIdSession& asd, const snort::SfIp* ip, uint16_t port, - int16_t group, uint16_t asid); + int16_t group, uint32_t asid); static bool prune(size_t max_memory = 0, size_t num_items = -1u); }; 
@@ -164,8 +164,8 @@ PADDING_GUARD_BEGIN struct AppIdServiceStateKey { AppIdServiceStateKey(const snort::SfIp* ip, - IpProtocol proto, uint16_t port, int16_t group, uint16_t asid, bool decrypted) : - ip(*ip), port(port), group(group), asid(asid), decrypted(decrypted), proto(proto) + IpProtocol proto, uint16_t port, int16_t group, uint32_t asid, bool decrypted) : + ip(*ip), port(port), asid(asid), group(group), decrypted(decrypted), proto(proto) { } bool operator<(const AppIdServiceStateKey& right) const @@ -175,8 +175,8 @@ struct AppIdServiceStateKey snort::SfIp ip; uint16_t port; + uint32_t asid; int16_t group; - uint16_t asid; bool decrypted; IpProtocol proto; }; diff --git a/src/network_inspectors/appid/test/appid_debug_test.cc b/src/network_inspectors/appid/test/appid_debug_test.cc index 346f85be5..768d1c8b4 100644 --- a/src/network_inspectors/appid/test/appid_debug_test.cc +++ b/src/network_inspectors/appid/test/appid_debug_test.cc @@ -61,7 +61,7 @@ AppIdConfig stub_config; AppIdContext stub_ctxt(stub_config); OdpContext stub_odp_ctxt(stub_config, nullptr); AppIdSession::AppIdSession(IpProtocol, const SfIp* ip, uint16_t, AppIdInspector&, - OdpContext&, uint16_t) : FlowData(0), config(stub_config), + OdpContext&, uint32_t) : FlowData(0), config(stub_config), api(*(new AppIdSessionApi(this, *ip))), odp_ctxt(stub_odp_ctxt) { } AppIdSession::~AppIdSession() = default; @@ -123,7 +123,7 @@ TEST(appid_debug, basic_test) uint16_t sport = 48620; uint16_t dport = 80; IpProtocol protocol = IpProtocol::TCP; - uint16_t address_space_id = 0; + uint32_t address_space_id = 0; // The session... session.initiator_port = sport; // activate() @@ -157,7 +157,7 @@ TEST(appid_debug, reverse_direction_activate_test) uint16_t sport = 80; uint16_t dport = 48620; IpProtocol protocol = IpProtocol::TCP; - uint16_t address_space_id = 0; + uint32_t address_space_id = 0; // The session... session.initiator_port = dport; // session initiator is now dst // activate() 
@@ -193,7 +193,7 @@ TEST(appid_debug, ipv6_test) uint16_t sport = 1234; uint16_t dport = 443; IpProtocol protocol = IpProtocol::UDP; // also threw in UDP and address space ID for kicks - uint16_t address_space_id = 100; + uint32_t address_space_id = 100; // The session... session.initiator_port = sport; // activate() @@ -229,7 +229,7 @@ TEST(appid_debug, no_initiator_port_test) uint16_t sport = 48620; uint16_t dport = 80; IpProtocol protocol = IpProtocol::TCP; - uint16_t address_space_id = 0; + uint32_t address_space_id = 0; // The session... session.initiator_port = 0; // no initiator port yet (uses IPs) // activate() @@ -263,7 +263,7 @@ TEST(appid_debug, no_initiator_port_reversed_test) uint16_t sport = 80; uint16_t dport = 48620; IpProtocol protocol = IpProtocol::TCP; - uint16_t address_space_id = 0; + uint32_t address_space_id = 0; // The session... session.initiator_port = 0; // no initiator port yet (uses IPs)... and reversed packet dir from above // activate() @@ -292,7 +292,7 @@ TEST(appid_debug, null_session_test) uint16_t sport = 0; uint16_t dport = 0; IpProtocol protocol = IpProtocol::PROTO_NOT_SET; - uint16_t address_space_id = 0; + uint32_t address_space_id = 0; // activate() appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport, protocol, 4, address_space_id, nullptr, false); // null session @@ -332,7 +332,7 @@ TEST(appid_debug, no_match_test) uint16_t sport = 48620; uint16_t dport = 80; IpProtocol protocol = IpProtocol::UDP; // but this packet is UDP instead - uint16_t address_space_id = 0; + uint32_t address_space_id = 0; // The session... session.initiator_port = sport; // activate() @@ -362,7 +362,7 @@ TEST(appid_debug, all_constraints_test) uint16_t sport = 48620; uint16_t dport = 80; IpProtocol protocol = IpProtocol::TCP; - uint16_t address_space_id = 0; + uint32_t address_space_id = 0; // The session... session.initiator_port = sport; // activate() 
@@ -396,7 +396,7 @@ TEST(appid_debug, just_proto_test) uint16_t sport = 48620; uint16_t dport = 80; IpProtocol protocol = IpProtocol::TCP; - uint16_t address_space_id = 0; + uint32_t address_space_id = 0; // The session... session.initiator_port = sport; // activate() @@ -430,7 +430,7 @@ TEST(appid_debug, just_ip_test) uint16_t sport = 48620; uint16_t dport = 80; IpProtocol protocol = IpProtocol::TCP; - uint16_t address_space_id = 0; + uint32_t address_space_id = 0; // The session... session.initiator_port = sport; // activate() @@ -464,7 +464,7 @@ TEST(appid_debug, just_port_test) uint16_t sport = 48620; uint16_t dport = 80; IpProtocol protocol = IpProtocol::TCP; - uint16_t address_space_id = 0; + uint32_t address_space_id = 0; // The session... session.initiator_port = sport; // activate() diff --git a/src/network_inspectors/appid/test/appid_discovery_test.cc b/src/network_inspectors/appid/test/appid_discovery_test.cc index 7589d037e..281f14383 100644 --- a/src/network_inspectors/appid/test/appid_discovery_test.cc +++ b/src/network_inspectors/appid/test/appid_discovery_test.cc @@ -47,7 +47,7 @@ namespace snort { // Stubs for appid api AppIdApi appid_api; -const char* AppIdApi::get_application_name(AppId, OdpContext&) { return NULL; } +const char* AppIdApi::get_application_name(AppId, OdpContext&) { return NULL; } // Stubs for packet tracer THREAD_LOCAL PacketTracer* s_pkt_trace = nullptr; @@ -279,7 +279,7 @@ HostPortVal* HostPortCache::find(const SfIp*, uint16_t, IpProtocol, const OdpCon return nullptr; } void AppIdServiceState::check_reset(AppIdSession&, const SfIp*, uint16_t, - int16_t, uint16_t) {} + int16_t, uint32_t) {} bool do_tp_discovery(ThirdPartyAppIdContext& , AppIdSession&, IpProtocol, Packet*, AppidSessionDirection&, AppidChangeBits&) { diff --git a/src/network_inspectors/appid/test/appid_http_session_test.cc b/src/network_inspectors/appid/test/appid_http_session_test.cc index bfaf60e74..0dbd4c34b 100644 
--- a/src/network_inspectors/appid/test/appid_http_session_test.cc +++ b/src/network_inspectors/appid/test/appid_http_session_test.cc @@ -111,7 +111,7 @@ static Flow flow; // AppIdSession mock functions AppIdSession::AppIdSession(IpProtocol, const SfIp* ip, uint16_t, AppIdInspector& inspector, - OdpContext&, uint16_t) : FlowData(inspector_id, &inspector), config(stub_config), + OdpContext&, uint32_t) : FlowData(inspector_id, &inspector), config(stub_config), api(*(new AppIdSessionApi(this, *ip))), odp_ctxt(stub_odp_ctxt) {} @@ -149,7 +149,7 @@ void AppIdModule::reset_stats() {} // AppIdDebug mock functions void AppIdDebug::activate(const uint32_t*, const uint32_t*, uint16_t, - uint16_t, IpProtocol, const int, uint16_t, const AppIdSession*, bool, + uint16_t, IpProtocol, const int, uint32_t, const AppIdSession*, bool, int16_t, int16_t, bool) { } diff --git a/src/network_inspectors/appid/test/appid_mock_definitions.h b/src/network_inspectors/appid/test/appid_mock_definitions.h index 40df9c3a8..054df4f5f 100644 --- a/src/network_inspectors/appid/test/appid_mock_definitions.h +++ b/src/network_inspectors/appid/test/appid_mock_definitions.h @@ -117,13 +117,13 @@ bool AppInfoManager::configured() // Stubs for service_state.h ServiceDiscoveryState* AppIdServiceState::get(SfIp const*, IpProtocol, - unsigned short, int16_t, uint16_t, bool, bool) + unsigned short, int16_t, uint32_t, bool, bool) { return nullptr; } ServiceDiscoveryState* AppIdServiceState::add(SfIp const*, IpProtocol, - unsigned short, int16_t, uint16_t, bool, bool) + unsigned short, int16_t, uint32_t, bool, bool) { return nullptr; } diff --git a/src/network_inspectors/appid/test/appid_mock_session.h b/src/network_inspectors/appid/test/appid_mock_session.h index 35551b7f3..61a409834 100644 --- a/src/network_inspectors/appid/test/appid_mock_session.h +++ b/src/network_inspectors/appid/test/appid_mock_session.h 
@@ -81,7 +81,7 @@ static AppIdContext stub_ctxt(stub_config); static OdpContext stub_odp_ctxt(stub_config, nullptr); OdpContext* AppIdContext::odp_ctxt = &stub_odp_ctxt; AppIdSession::AppIdSession(IpProtocol proto, const SfIp* ip, uint16_t, AppIdInspector& inspector, - OdpContext&, uint16_t) : FlowData(inspector_id, &inspector), config(stub_config), + OdpContext&, uint32_t) : FlowData(inspector_id, &inspector), config(stub_config), protocol(proto), api(*(new AppIdSessionApi(this, *ip))), odp_ctxt(stub_odp_ctxt) { this->set_session_flags(APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED); diff --git a/src/network_inspectors/appid/test/service_state_test.cc b/src/network_inspectors/appid/test/service_state_test.cc index 8114b1868..507d58391 100644 --- a/src/network_inspectors/appid/test/service_state_test.cc +++ b/src/network_inspectors/appid/test/service_state_test.cc @@ -88,7 +88,7 @@ AppIdConfig stub_config; AppIdContext stub_ctxt(stub_config); OdpContext stub_odp_ctxt(stub_config, nullptr); AppIdSession::AppIdSession(IpProtocol, const SfIp* ip, uint16_t, AppIdInspector&, - OdpContext&, uint16_t) : FlowData(0), config(stub_config), + OdpContext&, uint32_t) : FlowData(0), config(stub_config), api(*(new AppIdSessionApi(this, *ip))), odp_ctxt(stub_odp_ctxt) { } AppIdSession::~AppIdSession() = default; AppIdDiscovery::~AppIdDiscovery() = default; diff --git a/src/network_inspectors/binder/bind_module.cc b/src/network_inspectors/binder/bind_module.cc index b7455990b..af79d5952 100644 --- a/src/network_inspectors/binder/bind_module.cc +++ b/src/network_inspectors/binder/bind_module.cc @@ -348,7 +348,7 @@ bool BinderModule::set(const char* fqn, Value& v, SnortConfig*) } else if ( v.is("addr_spaces") ) { - if (!parse_int_set(v, binding.when.addr_spaces)) + if (!parse_int_set(v, binding.when.addr_spaces)) return false; binding.when.add_criteria(BindWhen::Criteria::BWC_ADDR_SPACES); } 
diff --git a/src/network_inspectors/binder/binder.cc b/src/network_inspectors/binder/binder.cc index 15f1b6a94..65359c6e7 100644 --- a/src/network_inspectors/binder/binder.cc +++ b/src/network_inspectors/binder/binder.cc @@ -263,7 +263,7 @@ static std::string to_string(const BindWhen& bw) if (bw.has_criteria(BindWhen::Criteria::BWC_ADDR_SPACES)) { - auto addr_spaces = to_string(bw.addr_spaces); + auto addr_spaces = to_string(bw.addr_spaces); when += " addr_spaces = " + addr_spaces + ","; } diff --git a/src/network_inspectors/binder/binding.cc b/src/network_inspectors/binder/binding.cc index 282bde171..996b98ab7 100644 --- a/src/network_inspectors/binder/binding.cc +++ b/src/network_inspectors/binder/binding.cc @@ -571,7 +571,7 @@ inline bool Binding::check_tenant(const Packet* p) const if (!when.has_criteria(BindWhen::Criteria::BWC_TENANTS)) return true; - return when.tenants.count(p->pkth->address_space_id) != 0; + return when.tenants.count(p->pkth->tenant_id) != 0; } inline bool Binding::check_service(const Flow& flow) const diff --git a/src/network_inspectors/binder/binding.h b/src/network_inspectors/binder/binding.h index 04e62a0e0..df26b2f63 100644 --- a/src/network_inspectors/binder/binding.h +++ b/src/network_inspectors/binder/binding.h @@ -58,7 +58,7 @@ struct BindWhen std::unordered_set src_groups; std::unordered_set dst_groups; - std::unordered_set addr_spaces; + std::unordered_set addr_spaces; std::unordered_set tenants; diff --git a/src/network_inspectors/packet_tracer/packet_tracer.cc b/src/network_inspectors/packet_tracer/packet_tracer.cc index e128e38ce..17aeae604 100644 --- a/src/network_inspectors/packet_tracer/packet_tracer.cc +++ b/src/network_inspectors/packet_tracer/packet_tracer.cc 
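Review bot: Binding::check_tenant in src/network_inspectors/binder/binding.cc now matches `when.tenants` against `p->pkth->tenant_id` instead of `address_space_id`, so existing binder rules that used `tenants` to select on address-space values would stop matching without any error. Together with init_roles in src/flow/flow_control.cc taking `flow->tenant` from the DAQ header rather than the Geneve VNI, a DAQ module that leaves tenant_id at zero would place all traffic in tenant 0, and multi-tenant deployments could fall through to a different policy than before. None of the visible hunks documents this for users; I would add a release note and a comment at the check such as `// tenant_id is supplied by the DAQ module; it is 0 when the DAQ does not set it`. check_tenant begins outside the hunk.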
@@ -331,14 +331,14 @@ void PacketTracer::add_ip_header_info(const Packet& p) if (shell_enabled) { PacketTracer::log("\n"); - snprintf(debug_session, sizeof(debug_session), "%s %hu -> %s %hu %hhu AS=%hu ID=%u%s ", + snprintf(debug_session, sizeof(debug_session), "%s %hu -> %s %hu %hhu AS=%u ID=%u%s ", sipstr, sport, dipstr, dport, static_cast(proto), p.pkth->address_space_id, get_instance_id(), gr_buf); } else { add_eth_header_info(p); - PacketTracer::log("%s:%hu -> %s:%hu proto %u AS=%hu ID=%u%s\n", + PacketTracer::log("%s:%hu -> %s:%hu proto %u AS=%u ID=%u%s\n", sipstr, sport, dipstr, dport, static_cast(proto), p.pkth->address_space_id, get_instance_id(), gr_buf); } @@ -403,7 +403,7 @@ void PacketTracer::add_eth_header_info(const Packet& p) snprintf(debug_session, sizeof(debug_session), "%02X:%02X:%02X:%02X:%02X:%02X -> %02X:%02X:%02X:%02X:%02X:%02X %04X" - " AS=%hu ID=%u%s ", + " AS=%u ID=%u%s ", eh->ether_src[0], eh->ether_src[1], eh->ether_src[2], eh->ether_src[3], eh->ether_src[4], eh->ether_src[5], eh->ether_dst[0], eh->ether_dst[1], eh->ether_dst[2], diff --git a/src/network_inspectors/port_scan/ps_detect.cc b/src/network_inspectors/port_scan/ps_detect.cc index 105788ef9..45c1ce13d 100644 --- a/src/network_inspectors/port_scan/ps_detect.cc +++ b/src/network_inspectors/port_scan/ps_detect.cc @@ -54,9 +54,10 @@ struct PS_HASH_KEY { int protocol; SfIp scanner; - SfIp scanned; int16_t group; - uint16_t asid; + SfIp scanned; + uint16_t pad; + uint32_t asid; }; PADDING_GUARD_END @@ -326,6 +327,7 @@ bool PortScan::ps_tracker_lookup( ps_pkt->proto = key.protocol; key.asid = p->pkth->address_space_id; + key.pad = 0; /* ** Let's lookup the host that is being scanned, taking into account diff --git a/src/piglet_plugins/pp_codec_data_iface.cc b/src/piglet_plugins/pp_codec_data_iface.cc index 5393f090a..41c971cf4 100644 --- a/src/piglet_plugins/pp_codec_data_iface.cc +++ b/src/piglet_plugins/pp_codec_data_iface.cc 
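Review bot: The new `pad` member of `PS_HASH_KEY` carries no comment, and its zeroing is a separate statement (`key.pad = 0;` in the `ps_tracker_lookup` hunk) that a later edit could drop without any compiler complaint. If the key is hashed or compared as raw bytes, which the struct name and the padding guard suggest but these hunks do not show, a stale `pad` would make lookups for the same scanner/scanned pair miss and spread the port-scan counters over several entries. I would document the member as `uint16_t pad;  // explicit padding, must be zeroed before the key is used`. If the declaration of `key` (outside both hunks) does not already zero the struct, value-initialising it there would remove the dependency on per-field assignments.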
@@ -44,7 +44,7 @@ static void set_fields(lua_State* L, int tindex, CodecData& self) table.get_field("ip6_csum_proto", reinterpret_cast(self.ip6_csum_proto)); } -static void get_fields(lua_State* L, int tindex, CodecData& self) +static void get_fields(lua_State* L, int tindex, const CodecData& self) { Lua::Table table(L, tindex); diff --git a/src/piglet_plugins/pp_daq_pkthdr_iface.cc b/src/piglet_plugins/pp_daq_pkthdr_iface.cc index a5fba5087..d9fb9c9e8 100644 --- a/src/piglet_plugins/pp_daq_pkthdr_iface.cc +++ b/src/piglet_plugins/pp_daq_pkthdr_iface.cc @@ -42,11 +42,12 @@ static void set_fields(lua_State* L, int tindex, DAQ_PktHdr_t& self) table.get_field("opaque", self.opaque); table.get_field("flow_id", self.flow_id); table.get_field("address_space_id", self.address_space_id); + table.get_field("tenant_id", self.tenant_id); // FIXIT-L do we want to be able to set the priv_ptr field? } -static void get_fields(lua_State* L, int tindex, DAQ_PktHdr_t& self) +static void get_fields(lua_State* L, int tindex, const DAQ_PktHdr_t& self) { Lua::Table table(L, tindex); @@ -59,6 +60,7 @@ static void get_fields(lua_State* L, int tindex, DAQ_PktHdr_t& self) table.set_field("opaque", self.opaque); table.set_field("flow_id", self.flow_id); table.set_field("address_space_id", self.address_space_id); + table.set_field("tenant_id", self.tenant_id); } static const luaL_Reg methods[] = diff --git a/src/piglet_plugins/pp_decode_data_iface.cc b/src/piglet_plugins/pp_decode_data_iface.cc index 253ccdc42..ea8e18e9a 100644 --- a/src/piglet_plugins/pp_decode_data_iface.cc +++ b/src/piglet_plugins/pp_decode_data_iface.cc @@ -44,7 +44,7 @@ static void set_fields(lua_State* L, int tindex, DecodeData& self) self.type = static_cast(pkt_type); } -static void get_fields(lua_State* L, int tindex, DecodeData& self) +static void get_fields(lua_State* L, int tindex, const DecodeData& self) { Lua::Table table(L, tindex); 
diff --git a/src/piglet_plugins/pp_packet_iface.cc b/src/piglet_plugins/pp_packet_iface.cc index 439c8fb8a..9ae98f048 100644 --- a/src/piglet_plugins/pp_packet_iface.cc +++ b/src/piglet_plugins/pp_packet_iface.cc @@ -48,7 +48,7 @@ static void set_fields(lua_State* L, int tindex, Packet& self) table.set_field("user_network_policy_id", self.user_network_policy_id); } -static void get_fields(lua_State* L, int tindex, Packet& self) +static void get_fields(lua_State* L, int tindex, const Packet& self) { Lua::Table table(L, tindex); diff --git a/src/policy_selectors/address_space_selector/address_space_selector.cc b/src/policy_selectors/address_space_selector/address_space_selector.cc index c3c654d73..906ea5f31 100644 --- a/src/policy_selectors/address_space_selector/address_space_selector.cc +++ b/src/policy_selectors/address_space_selector/address_space_selector.cc @@ -136,15 +136,11 @@ bool AddressSpaceSelector::select_default_policies(uint32_t key, const SnortConf bool AddressSpaceSelector::select_default_policies(const _daq_pkt_hdr& pkthdr, const SnortConfig* sc) -{ - return select_default_policies(static_cast(pkthdr.address_space_id), sc); -} +{ return select_default_policies(static_cast(pkthdr.address_space_id), sc); } bool AddressSpaceSelector::select_default_policies(const _daq_flow_stats& stats, const SnortConfig* sc) -{ - return select_default_policies(static_cast(stats.address_space_id), sc); -} +{ return select_default_policies(static_cast(stats.address_space_id), sc); } //------------------------------------------------------------------------- // api stuff diff --git a/src/policy_selectors/tenant_selector/tenant_selector.cc b/src/policy_selectors/tenant_selector/tenant_selector.cc index ce3646a71..41c6e74a3 100644 --- a/src/policy_selectors/tenant_selector/tenant_selector.cc +++ b/src/policy_selectors/tenant_selector/tenant_selector.cc 
@@ -135,16 +135,10 @@ bool TenantSelector::select_default_policies(uint32_t key, const SnortConfig* sc } bool TenantSelector::select_default_policies(const _daq_pkt_hdr& pkthdr, const SnortConfig* sc) -{ - // FIXIT-H replace address_space_id with tenant_id when it is added to the pkthdr - return select_default_policies(static_cast(pkthdr.address_space_id), sc); -} +{ return select_default_policies(static_cast(pkthdr.tenant_id), sc); } bool TenantSelector::select_default_policies(const _daq_flow_stats& stats, const SnortConfig* sc) -{ - // FIXIT-H replace address_space_id with tenant_id when it is added to the pkthdr - return select_default_policies(static_cast(stats.address_space_id), sc); -} +{ return select_default_policies(static_cast(stats.tenant_id), sc); } //------------------------------------------------------------------------- // api stuff diff --git a/src/protocols/packet_manager.cc b/src/protocols/packet_manager.cc index a2ccb191f..3a629a6b3 100644 --- a/src/protocols/packet_manager.cc +++ b/src/protocols/packet_manager.cc @@ -684,6 +684,7 @@ static void init_daq_pkthdr( pkth->egress_group = phdr->egress_group; pkth->flags = phdr->flags; pkth->address_space_id = phdr->address_space_id; + pkth->tenant_id = phdr->tenant_id; pkth->opaque = opaque; } diff --git a/src/service_inspectors/dce_rpc/dce_smb2.cc b/src/service_inspectors/dce_rpc/dce_smb2.cc index 92352d916..41ef5129e 100644 --- a/src/service_inspectors/dce_rpc/dce_smb2.cc +++ b/src/service_inspectors/dce_rpc/dce_smb2.cc @@ -92,7 +92,7 @@ uint32_t get_smb2_flow_key(const FlowKey* flow_key) key.ip_protocol = flow_key->ip_protocol; key.pkt_type = (uint8_t)flow_key->pkt_type; key.version = flow_key->version; - key.padding = 0; + key.padding = key.padding16 = 0; Smb2KeyHash hasher; return hasher(key); 
@@ -151,7 +151,6 @@ Smb2SessionKey Dce2Smb2SessionData::get_session_key(uint64_t session_id) key.cgroup = flow->client_group; key.sgroup = flow->server_group; key.asid = flow->key->addressSpaceId; - key.padding = 0; return key; } @@ -538,11 +537,11 @@ void Dce2Smb2SessionData::process() SMB_DEBUG(dce_smb_trace, DEFAULT_TRACE_OPTION_ID, TRACE_DEBUG_LEVEL, p, "Encrypted header is received \n"); session = find_session(sid); - if (session) + if (session) { bool flag = session->get_encryption_flag(); - if (!flag) - session->set_encryption_flag(true); + if (!flag) + session->set_encryption_flag(true); } } uint32_t next_command_offset; diff --git a/src/service_inspectors/dce_rpc/dce_smb2.h b/src/service_inspectors/dce_rpc/dce_smb2.h index b1580de17..4c78cc141 100644 --- a/src/service_inspectors/dce_rpc/dce_smb2.h +++ b/src/service_inspectors/dce_rpc/dce_smb2.h @@ -345,10 +345,9 @@ struct Smb2SessionKey uint32_t cip[4]; uint32_t sip[4]; uint64_t sid; + uint32_t asid; int16_t cgroup; int16_t sgroup; - uint16_t asid; - uint16_t padding; bool operator==(const Smb2SessionKey& other) const { @@ -372,12 +371,13 @@ struct Smb2FlowKey uint32_t ip_l[4]; // Low IP uint32_t ip_h[4]; // High IP uint32_t mplsLabel; + uint32_t addressSpaceId; uint16_t port_l; // Low Port - 0 if ICMP uint16_t port_h; // High Port - 0 if ICMP int16_t group_l; int16_t group_h; uint16_t vlan_tag; - uint16_t addressSpaceId; + uint16_t padding16; uint8_t ip_protocol; uint8_t pkt_type; uint8_t version; @@ -427,7 +427,7 @@ private: a += d[3]; b += d[4]; c += d[5]; mix(a, b, c); a += d[6]; b += d[7]; c += d[8]; mix(a, b, c); a += d[9]; b += d[10]; c += d[11]; mix(a, b, c); - a += d[12]; finalize(a, b, c); + a += d[12]; b += d[13]; finalize(a, b, c); return c; } diff --git a/src/stream/icmp/icmp_session.cc b/src/stream/icmp/icmp_session.cc index f66d3c121..5ac0f6e8f 100644 --- a/src/stream/icmp/icmp_session.cc +++ b/src/stream/icmp/icmp_session.cc 
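Review bot: The added `b += d[13];` in the flow-key hasher in dce_smb2.h hard-codes that the key is now fourteen 32-bit words, but nothing ties that count to the struct. With `addressSpaceId` widened and `padding16` added, the members visible up to `version` add up to 55 bytes, so the count is right only if the one-byte member that follows is still there (it is outside the hunk, presumably the `padding` field zeroed in `get_smb2_flow_key`). A later field change would make the hash either skip key bytes or read past the end of the key. I would pin the size next to the struct with `static_assert(sizeof(Smb2FlowKey) == 14 * sizeof(uint32_t), "hash word count must match Smb2FlowKey");`. The hash function begins above this hunk.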
@@ -147,9 +147,9 @@ static int ProcessIcmpUnreach(Packet* p) skey.init_vlan(sc, vlan); skey.init_address_space(sc, 0); skey.init_mpls(sc, 0); + skey.padding = skey.flags.padding_bits = 0; skey.flags.group_used = p->is_inter_group_flow(); skey.init_groups(p->pkth->ingress_group, p->pkth->egress_group, reversed); - skey.flags.ubits = 0; switch (p->type()) { diff --git a/src/stream/stream.cc b/src/stream/stream.cc index 45abb8bfb..8cc3f4fc5 100644 --- a/src/stream/stream.cc +++ b/src/stream/stream.cc @@ -92,7 +92,7 @@ Flow* Stream::get_flow( PktType type, IpProtocol proto, const SfIp* srcIP, uint16_t srcPort, const SfIp* dstIP, uint16_t dstPort, - uint16_t vlan, uint32_t mplsId, uint16_t addressSpaceId, + uint16_t vlan, uint32_t mplsId, uint32_t addressSpaceId, int16_t ingress_group, int16_t egress_group) { FlowKey key; @@ -158,7 +158,7 @@ FlowData* Stream::get_flow_data( const SfIp* srcIP, uint16_t srcPort, const SfIp* dstIP, uint16_t dstPort, uint16_t vlan, uint32_t mplsId, - uint16_t addressSpaceID, unsigned flowdata_id, + uint32_t addressSpaceID, unsigned flowdata_id, int16_t ingress_group, int16_t egress_group) { Flow* flow = get_flow( @@ -847,7 +847,7 @@ bool Stream::get_held_pkt_seq(Flow* flow, uint32_t& seq) TcpStreamSession* tcp_session = (TcpStreamSession*)flow->session; - if (tcp_session->held_packet_dir == SSN_DIR_NONE) + if (tcp_session->held_packet_dir == SSN_DIR_NONE) return false; if (tcp_session->held_packet_dir == SSN_DIR_FROM_CLIENT) diff --git a/src/stream/stream.h b/src/stream/stream.h index 064f369f8..09e1d3417 100644 --- a/src/stream/stream.h +++ b/src/stream/stream.h 
@@ -180,7 +180,7 @@ public: static FlowData* get_flow_data( PktType type, IpProtocol proto, const snort::SfIp* a1, uint16_t p1, const snort::SfIp* a2, uint16_t p2, - uint16_t vlanId, uint32_t mplsId, uint16_t addrSpaceId, unsigned flowdata_id, + uint16_t vlanId, uint32_t mplsId, uint32_t addrSpaceId, unsigned flowdata_id, int16_t ingress_group = DAQ_PKTHDR_UNKNOWN, int16_t egress_group = DAQ_PKTHDR_UNKNOWN); static FlowData* get_flow_data( @@ -196,7 +196,7 @@ public: static Flow* get_flow( PktType type, IpProtocol proto, const snort::SfIp* a1, uint16_t p1, const snort::SfIp* a2, uint16_t p2, - uint16_t vlanId, uint32_t mplsId, uint16_t addrSpaceId, + uint16_t vlanId, uint32_t mplsId, uint32_t addrSpaceId, int16_t ingress_group = DAQ_PKTHDR_UNKNOWN, int16_t egress_group = DAQ_PKTHDR_UNKNOWN); static Flow* get_flow( diff --git a/src/stream/tcp/tcp_reassembler.cc b/src/stream/tcp/tcp_reassembler.cc index 5edef6175..ab8211881 100644 --- a/src/stream/tcp/tcp_reassembler.cc +++ b/src/stream/tcp/tcp_reassembler.cc @@ -538,7 +538,7 @@ Packet* TcpReassembler::initialize_pdu( EncodeFlags enc_flags = 0; DAQ_PktHdr_t pkth; - trs.sos.session->get_packet_header_foo(&pkth, pkt_flags); + trs.sos.session->get_packet_header_foo(&pkth, p->pkth, pkt_flags); PacketManager::format_tcp(enc_flags, p, pdu, PSEUDO_PKT_TCP, &pkth, pkth.opaque); prep_pdu(trs, trs.sos.session->flow, p, pkt_flags, pdu); assert(pdu->pkth == pdu->context->pkth); diff --git a/src/stream/tcp/tcp_stream_session.cc b/src/stream/tcp/tcp_stream_session.cc index da6c6f3e6..9a6f276cb 100644 --- a/src/stream/tcp/tcp_stream_session.cc +++ b/src/stream/tcp/tcp_stream_session.cc 
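Review bot: `DAQ_PktHdr_t pkth;` in `TcpReassembler::initialize_pdu` is still declared without an initialiser, so the pseudo-packet header holds indeterminate values in every field that `get_packet_header_foo` does not assign. This commit shows the risk: `tenant_id` had to be threaded through by hand, and a field added to the DAQ header later would reach `PacketManager::format_tcp` uninitialised and could steer tenant or address-space policy selection for the reassembled PDU. Changing the declaration to `DAQ_PktHdr_t pkth = {};` makes unassigned fields zero. initialize_pdu starts and ends outside this hunk.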
@@ -310,7 +310,7 @@ void TcpStreamSession::set_packet_header_foo(const TcpSegmentDescriptor& tsd) address_space_id = p->pkth->address_space_id; } -void TcpStreamSession::get_packet_header_foo(DAQ_PktHdr_t* pkth, uint32_t dir) +void TcpStreamSession::get_packet_header_foo(DAQ_PktHdr_t* pkth, const DAQ_PktHdr_t* orig, uint32_t dir) { if ( (dir & PKT_FROM_CLIENT) || (egress_index == DAQ_PKTHDR_UNKNOWN && egress_group == DAQ_PKTHDR_UNKNOWN) ) @@ -330,6 +330,7 @@ void TcpStreamSession::get_packet_header_foo(DAQ_PktHdr_t* pkth, uint32_t dir) pkth->opaque = 0; pkth->flags = daq_flags; pkth->address_space_id = address_space_id; + pkth->tenant_id = orig->tenant_id; } void TcpStreamSession::reset() diff --git a/src/stream/tcp/tcp_stream_session.h b/src/stream/tcp/tcp_stream_session.h index d65ccd12b..b6e43d2d4 100644 --- a/src/stream/tcp/tcp_stream_session.h +++ b/src/stream/tcp/tcp_stream_session.h @@ -65,7 +65,7 @@ public: void start_proxy(); void set_packet_header_foo(const TcpSegmentDescriptor&); - void get_packet_header_foo(DAQ_PktHdr_t*, uint32_t dir); + void get_packet_header_foo(DAQ_PktHdr_t*, const DAQ_PktHdr_t* orig, uint32_t dir); bool can_set_no_ack(); bool set_no_ack(bool); bool no_ack_mode_enabled() { return no_ack; } @@ -118,7 +118,7 @@ public: int32_t egress_index = DAQ_PKTHDR_UNKNOWN; int16_t egress_group = DAQ_PKTHDR_UNKNOWN; uint32_t daq_flags = 0; - uint16_t address_space_id = 0; + uint32_t address_space_id = 0; bool generate_3whs_alert = true; TcpStreamConfig* tcp_config = nullptr; TcpEventLogger tel;
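Review bot: `get_packet_header_foo` now dereferences its new `orig` argument unconditionally (`pkth->tenant_id = orig->tenant_id;`), and neither the definition nor the declaration in tcp_stream_session.h states that it must be non-null or which packet it should describe. It also departs from the neighbouring field: `address_space_id` is captured in `set_packet_header_foo` and replayed from session state, while `tenant_id` is read from whichever packet drives the flush. I would either store `tenant_id` in the session next to `address_space_id`, or document the contract on the declaration, e.g. `// orig: DAQ header of the packet driving the flush; must not be null, only tenant_id is read`. The middle of the function body lies between the two hunks shown.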