af-packet: warn if defrag not suitable for mode

AF_PACKET defrag should not be used for inline modes. Its possible that
a packet received could be larger than can be set when defrag is
enabled, so warn if disabled for inline use.

Likewise, warn if defrag is disabled for IDS use, or non-inline mode.

Ticket: #7458

diff --git a/src/runmode-af-packet.c b/src/runmode-af-packet.c
index 204465187f63ecb0bda0f6abe3ff9d635e1a767a..df91b509c00ee91ac82bbf49afb36b03d0ea4a69 100644 (file)
--- a/src/runmode-af-packet.c
+++ b/src/runmode-af-packet.c
@@ -732,6 +732,19 @@ finalize:
         aconf->flags |= AFP_SOCK_PROTECT;
         aconf->flags |= AFP_NEED_PEER;
     }
+
+    /* Warn if inline and defrag is enabled. */
+    if (aconf->copy_mode != AFP_COPY_MODE_NONE && aconf->cluster_type & PACKET_FANOUT_FLAG_DEFRAG) {
+        SCLogWarning(
+                "%s: AF_PACKET defrag is not recommended for inline use, please disable", iface);
+    }
+
+    /* Warn if not inline and defrag is disabled. */
+    if (aconf->copy_mode == AFP_COPY_MODE_NONE && cluster_type == PACKET_FANOUT_HASH &&
+            ((aconf->cluster_type & PACKET_FANOUT_FLAG_DEFRAG) == 0)) {
+        SCLogWarning("%s: AF_PACKET defrag is recommended for IDS cluster_flow", iface);
+    }
+
     return aconf;
 }