af-packet: warn if v2 block size not large enough for defrag

If using tpacket-v2, defrag and a user provided v2-block-size, warn if
the block size is not large enough to hold one fully defragmented
packet.

Ticket: #7458

diff --git a/src/runmode-af-packet.c b/src/runmode-af-packet.c
index e54ffce73364c752475e7107bd550d1e73f0247a..2f93a9b90121c54595920775baafc9e7321b92b6 100644 (file)
--- a/src/runmode-af-packet.c
+++ b/src/runmode-af-packet.c
@@ -755,6 +755,15 @@ finalize:
         SCLogWarning("%s: AF_PACKET defrag is recommended for IDS cluster_flow", iface);
     }
 
+    /* For tpacket-v2, warn if defrag is enabled and block-size is
+     * less than max defragmented packet size. */
+    if ((aconf->flags & AFP_TPACKET_V3) == 0 && (aconf->cluster_type & PACKET_FANOUT_FLAG_DEFRAG) &&
+            aconf->v2_block_size > 0 && aconf->v2_block_size < MAX_PACKET_SIZE) {
+        SCLogWarning("%s: AF_PACKET v2-block-size is not large enough for max fragmented IP packet "
+                     "size (%u)",
+                iface, MAX_PACKET_SIZE);
+    }
+
     return aconf;
 }
 

diff --git a/src/source-af-packet.h b/src/source-af-packet.h
index c88441a69dbb834506f02017a58bac385632fbb5..61f95b54cac608a035dc6a3bcc8eb9a31b686652 100644 (file)
--- a/src/source-af-packet.h
+++ b/src/source-af-packet.h
@@ -77,6 +77,9 @@ struct ebpf_timeout_config {
  * to standard frame size */
 #define AFP_BLOCK_SIZE_DEFAULT_ORDER 5
 
+/* Set max packet size to 65561: IP + Ethernet + 3 VLAN tags. */
+#define MAX_PACKET_SIZE 65561
+
 typedef struct AFPIfaceConfig_
 {
     char iface[AFP_IFACE_NAME_LENGTH];