decode/vntag: By default, disable vntag decoding

author Jeff Lucovsky <jeff@lucovsky.org>

Fri, 4 Jun 2021 12:26:09 +0000 (08:26 -0400)

committer Jeff Lucovsky <jeff@lucovsky.org>

Fri, 4 Jun 2021 12:26:09 +0000 (08:26 -0400)
author Jeff Lucovsky <jeff@lucovsky.org>
Fri, 4 Jun 2021 12:26:09 +0000 (08:26 -0400)
committer Jeff Lucovsky <jeff@lucovsky.org>
Fri, 4 Jun 2021 12:26:09 +0000 (08:26 -0400)
diff --git a/src/decode-vntag.c b/src/decode-vntag.c

index b7963238bbba81a422514a098c9ff119e175eeb7..4a9c876546ba6574f87f75a7f047606dda75323f 100644 (file)
--- a/src/decode-vntag.c
+++ b/src/decode-vntag.c
@@ -43,20 +43,33 @@
  #include "util-profiling.h"
  #include "host.h"
  
+bool g_vntag_enabled = false;
+
+void DecodeVNTagConfig(void)
+{
+    int enabled = 0;
+    if (ConfGetBool("decoder.vntag.enabled", &enabled) == 1) {
+        g_vntag_enabled = (enabled == 1);
+    }
+    SCLogDebug("VNTag decode support %s", g_vntag_enabled ? "enabled" : "disabled");
+}
+
  /**
   * \internal
   * \brief this function is used to decode 802.1Qbh packets
   *
   * \param tv pointer to the thread vars
- * \param dtv pointer code thread vars
+ * \param dtv pointer to decode thread vars
   * \param p pointer to the packet struct
   * \param pkt pointer to the raw packet
   * \param len packet len
- * \param pq pointer to the packet queue
   *
   */
  int DecodeVNTag(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
  {
+    if (!g_vntag_enabled)
+        return TM_ECODE_FAILED;
+
      StatsIncr(tv, dtv->counter_vntag);
  
      if (len < VNTAG_HEADER_LEN) {
@@ -108,7 +121,9 @@ static int DecodeVNTagtest01(void)
      memset(&tv, 0, sizeof(ThreadVars));
      memset(&dtv, 0, sizeof(DecodeThreadVars));
  
+    g_vntag_enabled = true;
      FAIL_IF(TM_ECODE_OK == DecodeVNTag(&tv, &dtv, p, raw_vntag, sizeof(raw_vntag)));
+    g_vntag_enabled = false;
  
      PASS_IF(ENGINE_ISSET_EVENT(p, VNTAG_HEADER_TOO_SMALL));
  }
@@ -138,7 +153,10 @@ static int DecodeVNTagtest02(void)
      memset(&tv, 0, sizeof(ThreadVars));
      memset(&dtv, 0, sizeof(DecodeThreadVars));
  
-    PASS_IF(TM_ECODE_OK != DecodeVNTag(&tv, &dtv, p, raw_vntag, sizeof(raw_vntag)));
+    g_vntag_enabled = true;
+    int rc = DecodeVNTag(&tv, &dtv, p, raw_vntag, sizeof(raw_vntag));
+    g_vntag_enabled = false;
+    PASS_IF(TM_ECODE_OK != rc);
  }
  
  /**
@@ -166,7 +184,9 @@ static int DecodeVNTagtest03(void)
  
      FlowInitConfig(FLOW_QUIET);
  
+    g_vntag_enabled = true;
      FAIL_IF(TM_ECODE_OK != DecodeVNTag(&tv, &dtv, p, raw_vntag, sizeof(raw_vntag)));
+    g_vntag_enabled = false;
  
      PACKET_RECYCLE(p);
      FlowShutdown();
@@ -174,6 +194,18 @@ static int DecodeVNTagtest03(void)
  
      PASS;
  }
+
+/**
+ * \test DecodeVNTagtest04 Ensure decoder is disabled by default
+ *
+ *  \retval 1 on success
+ *  \retval 0 on failure
+ */
+static int DecodeVNTagtest04(void)
+{
+    FAIL_IF(g_vntag_enabled);
+    PASS;
+}
  #endif /* UNITTESTS */
  
  void DecodeVNTagRegisterTests(void)
@@ -182,6 +214,7 @@ void DecodeVNTagRegisterTests(void)
      UtRegisterTest("DecodeVNTagtest01", DecodeVNTagtest01);
      UtRegisterTest("DecodeVNTagtest02", DecodeVNTagtest02);
      UtRegisterTest("DecodeVNTagtest03", DecodeVNTagtest03);
+    UtRegisterTest("DecodeVNTagtest04", DecodeVNTagtest04);
  #endif /* UNITTESTS */
  }
  
diff --git a/src/decode-vntag.h b/src/decode-vntag.h

index 02392589b1a0b302e13a2e8345cdf312b1ef893d..dc2a0810e950a71b1ffd0513ebb07892019f19ed 100644 (file)
--- a/src/decode-vntag.h
+++ b/src/decode-vntag.h
@@ -43,6 +43,7 @@ typedef struct VNTagHdr_ {
  /** VNTag header length */
  #define VNTAG_HEADER_LEN 6
  
+void DecodeVNTagConfig(void);
  void DecodeVNTagRegisterTests(void);
  
  #endif /* __DECODE_VNTAG_H__ */
diff --git a/src/decode.c b/src/decode.c

index 70138e480fe2ffc1282540856426fecd0716998f..ff3793ae61779f5c1c1b9a2f949a3f2909bfbb82 100644 (file)
--- a/src/decode.c
+++ b/src/decode.c
@@ -765,6 +765,7 @@ void DecodeGlobalConfig(void)
      DecodeGeneveConfig();
      DecodeVXLANConfig();
      DecodeERSPANConfig();
+    DecodeVNTagConfig();
      intmax_t value = 0;
      if (ConfGetInt("decoder.max-layers", &value) == 1) {
          if (value < 0 || value > UINT8_MAX) {
diff --git a/suricata.yaml.in b/suricata.yaml.in

index 728d3e340f8e239bd655f2b13983f35f9eda81d8..19b24259d17bd2f08573a00e2017ecc1b3198c27 100644 (file)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -1355,6 +1355,10 @@ decoder:
      enabled: true
      ports: $VXLAN_PORTS # syntax: '[8472, 4789]' or '4789'.
  
+  # VNTag decode support
+  vntag:
+    enabled: false
+
    # Geneve decoder is assigned to up to 4 UDP ports. By default only the
    # IANA assigned port 6081 is enabled.
    geneve:
author	Jeff Lucovsky <jeff@lucovsky.org>
	Fri, 4 Jun 2021 12:26:09 +0000 (08:26 -0400)
committer	Jeff Lucovsky <jeff@lucovsky.org>
	Fri, 4 Jun 2021 12:26:09 +0000 (08:26 -0400)
src/decode-vntag.c		patch \| blob \| blame \| history
src/decode-vntag.h		patch \| blob \| blame \| history
src/decode.c		patch \| blob \| blame \| history
suricata.yaml.in		patch \| blob \| blame \| history