decode/ipv6: set packet flow in ip-in-ip

author Juliana Fajardini <jufajardini@oisf.net>

Wed, 11 Jun 2025 20:54:22 +0000 (17:54 -0300)

committer Victor Julien <victor@inliniac.net>

Mon, 18 Aug 2025 13:29:54 +0000 (15:29 +0200)
author Juliana Fajardini <jufajardini@oisf.net>
Wed, 11 Jun 2025 20:54:22 +0000 (17:54 -0300)
committer Victor Julien <victor@inliniac.net>
Mon, 18 Aug 2025 13:29:54 +0000 (15:29 +0200)
diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst

index 50d54ec97fa5b2229546a3f8874f7bda577d9fb4..a3102cb9028f4ddc9bde329e73fbc6fdf9045851 100644 (file)
--- a/doc/userguide/configuration/suricata-yaml.rst
+++ b/doc/userguide/configuration/suricata-yaml.rst
@@ -2811,6 +2811,25 @@ The stats counter `decoder.ipv4_in_ipv4` is associated with this setting.
     #     enabled: true
     #     track-parent-flow: true   # disabled by default
  
+IPv6
+^^^^
+
+By default, for IPv4 over IPv6 tunneling, the parent flow is not set up, as this
+can lead to discrepancies in alerts and flows detected. To enable this setting,
+change::
+
+    decoder:
+      ipv6:
+        ipip-ipv4:
+          track-parent-flow: true
+
+The same is true for IPv6 over IPv6. To enable parent flow setting in this case::
+
+    decoder:
+      ipv6:
+        ipip-ipv6:
+          track-parent-flow: true
+
  Advanced Options
  ----------------
  
diff --git a/src/decode-ipv6.c b/src/decode-ipv6.c

index 4becd063380a0e4980bc97ae9b703e887d850347..c0ce8836d84ea44c2d858ae34bdea4d15e91ad26 100644 (file)
--- a/src/decode-ipv6.c
+++ b/src/decode-ipv6.c
@@ -34,9 +34,39 @@
  #include "decode-ipv6.h"
  #include "decode.h"
  #include "defrag.h"
+#include "flow-hash.h"
  #include "util-print.h"
  #include "util-validate.h"
  
+static bool g_ipv4_in_ipv6_parent_flow_enabled = false;
+static bool g_ipv6_in_ipv6_parent_flow_enabled = false;
+
+void DecodeIPV4InIPV6Config(void)
+{
+    int enabled = 0;
+
+    if (ConfGetBool("decoder.ipv6.ipip-ipv4.track-parent-flow", &enabled) == 1) {
+        if (enabled) {
+            g_ipv4_in_ipv6_parent_flow_enabled = true;
+        } else {
+            g_ipv4_in_ipv6_parent_flow_enabled = false;
+        }
+    }
+}
+
+void DecodeIPV6InIPV6Config(void)
+{
+    int enabled = 0;
+
+    if (ConfGetBool("decoder.ipv6.ipip-ipv6.track-parent-flow", &enabled) == 1) {
+        if (enabled) {
+            g_ipv6_in_ipv6_parent_flow_enabled = true;
+        } else {
+            g_ipv6_in_ipv6_parent_flow_enabled = false;
+        }
+    }
+}
+
  /**
   * \brief Function to decode IPv4 in IPv6 packets
   *
@@ -54,7 +84,9 @@ static void DecodeIPv4inIPv6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, c
              PKT_SET_SRC(tp, PKT_SRC_DECODER_IPV6);
              PacketEnqueueNoLock(&tv->decode_pq,tp);
              StatsIncr(tv, dtv->counter_ipv4inipv6);
-            return;
+        }
+        if (g_ipv4_in_ipv6_parent_flow_enabled) {
+            FlowSetupPacket(p);
          }
      } else {
          ENGINE_SET_EVENT(p, IPV4_IN_IPV6_WRONG_IP_VER);
@@ -81,6 +113,9 @@ static int DecodeIP6inIP6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
              PacketEnqueueNoLock(&tv->decode_pq,tp);
              StatsIncr(tv, dtv->counter_ipv6inipv6);
          }
+        if (g_ipv6_in_ipv6_parent_flow_enabled) {
+            FlowSetupPacket(p);
+        }
      } else {
          ENGINE_SET_EVENT(p, IPV6_IN_IPV6_WRONG_IP_VER);
      }
diff --git a/src/decode-ipv6.h b/src/decode-ipv6.h

index 651939ae567f5c913c426cc61f43f70a4ccf1795..11c15512dedcc28028fed26874c44df7dfdf7295 100644 (file)
--- a/src/decode-ipv6.h
+++ b/src/decode-ipv6.h
@@ -240,6 +240,8 @@ typedef struct IPV6ExtHdrs_
  #define IPV6_EXTHDR_SET_RH(p)       (p)->ip6eh.rh_set = true
  #define IPV6_EXTHDR_ISSET_RH(p)     (p)->ip6eh.rh_set
  
+void DecodeIPV4InIPV6Config(void);
+void DecodeIPV6InIPV6Config(void);
  void DecodeIPV6RegisterTests(void);
  
  #endif /* __DECODE_IPV6_H__ */
diff --git a/src/decode.c b/src/decode.c

index ab09abf85e3164092486d12fdcd9622e98caf6e8..cbc57db17a3b3f3f20b91a7d3fb8a9e6794a58e0 100644 (file)
--- a/src/decode.c
+++ b/src/decode.c
@@ -921,6 +921,8 @@ void CaptureStatsSetup(ThreadVars *tv)
  void DecodeGlobalConfig(void)
  {
      DecodeIPV4IpInIpConfig();
+    DecodeIPV4InIPV6Config();
+    DecodeIPV6InIPV6Config();
      DecodeTeredoConfig();
      DecodeGeneveConfig();
      DecodeVXLANConfig();
diff --git a/suricata.yaml.in b/suricata.yaml.in

index c7a2f1f156d5e8810360cec84a899a4b53d71cad..5019f27c4935eb43eede00f368b014d621f2b0e5 100644 (file)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -1679,6 +1679,15 @@ decoder:
    #   ipip:
    #     enabled: true
    #     track-parent-flow: true   # disabled by default
+  # Set parent flow for packets seen in IP-in-IP tunneling for ipv4 or ipv6
+  # over ipv6.
+  # Disabled by default, as these will impact number of alerts seen, as well as
+  # number of flows.
+  # ipv6:
+  #   ipip-ipv4:
+  #     track-parent-flow: true   # disabled by default
+  #   ipip-ipv6:
+  #     track-parent-flow: true   # disabled by default
  
  ##
  ## Performance tuning and profiling
author	Juliana Fajardini <jufajardini@oisf.net>
	Wed, 11 Jun 2025 20:54:22 +0000 (17:54 -0300)
committer	Victor Julien <victor@inliniac.net>
	Mon, 18 Aug 2025 13:29:54 +0000 (15:29 +0200)
doc/userguide/configuration/suricata-yaml.rst		patch \| blob \| blame \| history
src/decode-ipv6.c		patch \| blob \| blame \| history
src/decode-ipv6.h		patch \| blob \| blame \| history
src/decode.c		patch \| blob \| blame \| history
suricata.yaml.in		patch \| blob \| blame \| history