According to PF_RING upstream the vlan header should never be stripped
from the packet PF_RING feeds to Suricata. But upstream also indicated
keeping the check would be a good "safety check".
So in addition to the check, add a warning that warns once (per thread
for implementation simplicity) if the vlan hdr does appear to be stripped
after all.
char *bpf_filter;
ChecksumValidationMode checksum_mode;
+
+ bool vlan_hdr_warned;
} PfringThreadVars;
/**
p->vlan_id[0] = h->extended_hdr.parsed_pkt.vlan_id & 0x0fff;
p->vlan_idx = 1;
p->vlanh[0] = NULL;
+
+ if (!ptv->vlan_hdr_warned) {
+ SCLogWarning(SC_ERR_PF_RING_VLAN, "no VLAN header in the raw "
+ "packet. See #2355.");
+ ptv->vlan_hdr_warned = true;
+ }
}
switch (ptv->checksum_mode) {
CASE_CODE (SC_WARN_EVENT_DROPPED);
CASE_CODE (SC_ERR_NO_REDIS_ASYNC);
CASE_CODE (SC_ERR_REDIS_CONFIG);
+ CASE_CODE (SC_ERR_PF_RING_VLAN);
}
return "UNKNOWN_ERROR";
SC_WARN_LOG_CF_TOO_MANY_NODES,
SC_WARN_EVENT_DROPPED,
SC_ERR_NO_REDIS_ASYNC,
- SC_ERR_REDIS_CONFIG
+ SC_ERR_REDIS_CONFIG,
+ SC_ERR_PF_RING_VLAN,
} SCError;
const char *SCErrorToString(SCError);
projects / thirdparty / suricata.git / commitdiff
