/* Globally configured device to use for sending resets in IDS mode. */
const char *g_reject_dev = NULL;
+uint16_t g_reject_dev_mtu = 0;
/** set to true in main if we're setting caps. We need it here if we're using
* reject rules as libnet 1.1 is not compatible with caps. */
static inline int BuildIPv4(libnet_t *c, Libnet11Packet *lpacket, const uint8_t proto)
{
- const int len = LIBNET_IPV4_H + lpacket->len +
- ((proto == IPPROTO_TCP) ? LIBNET_TCP_H : LIBNET_ICMPV4_H);
if ((libnet_build_ipv4(
- len, /* entire packet length */
+ lpacket->len, /* entire packet length */
0, /* tos */
lpacket->id, /* ID */
0, /* fragmentation flags and offset */
static inline int BuildIPv6(libnet_t *c, Libnet11Packet *lpacket, const uint8_t proto)
{
- const int len = lpacket->len +
- ((proto == IPPROTO_TCP) ? LIBNET_TCP_H : LIBNET_ICMPV6_H);
if ((libnet_build_ipv6(
lpacket->class, /* traffic class */
lpacket->flow, /* Flow label */
- len, /* payload length */
+ lpacket->len, /* payload length */
proto, /* next header */
lpacket->ttl, /* TTL */
lpacket->src6, /* source address */
abort();
}
}
+
static inline int BuildEthernet(libnet_t *c, Libnet11Packet *lpacket, uint16_t proto)
{
if ((libnet_build_ethernet(lpacket->dmac,lpacket->smac, proto , NULL, 0, c, 0)) < 0) {
if (c == NULL)
return 1;
- /* save payload len */
+ lpacket.len = LIBNET_IPV4_H + LIBNET_TCP_H;
lpacket.dsize = p->payload_len;
switch (dir) {
lpacket.id = 0;
lpacket.flow = 0;
lpacket.class = 0;
- lpacket.len = (IPV4_GET_HLEN(p) + p->payload_len);
+ const int iplen = IPV4_GET_IPLEN(p);
+ if (g_reject_dev_mtu >= ETHERNET_HEADER_LEN + LIBNET_IPV4_H + 8) {
+ lpacket.len = MIN(g_reject_dev_mtu - ETHERNET_HEADER_LEN, (LIBNET_IPV4_H + iplen));
+ } else {
+ lpacket.len = LIBNET_IPV4_H + MIN(8,iplen); // 8 bytes is the minimum we have to attach
+ }
+ lpacket.dsize = lpacket.len - (LIBNET_IPV4_H + LIBNET_ICMPV4_H);
libnet_t *c = GetCtx(p, LIBNET_RAW4);
if (c == NULL)
ICMP_HOST_ANO, /* code */
0, /* checksum */
(uint8_t *)p->ip4h, /* payload */
- lpacket.len, /* payload length */
+ lpacket.dsize, /* payload length */
c, /* libnet context */
0)) < 0) /* libnet ptag */
{
if (c == NULL)
return 1;
- /* save payload len */
+ lpacket.len = LIBNET_IPV6_H + LIBNET_TCP_H;
lpacket.dsize = p->payload_len;
switch (dir) {
lpacket.id = 0;
lpacket.flow = 0;
lpacket.class = 0;
- lpacket.len = IPV6_GET_PLEN(p) + IPV6_HEADER_LEN;
+ const int iplen = IPV6_GET_PLEN(p);
+ if (g_reject_dev_mtu >= ETHERNET_HEADER_LEN + IPV6_HEADER_LEN + 8) {
+ lpacket.len = IPV6_HEADER_LEN + MIN(g_reject_dev_mtu - ETHERNET_HEADER_LEN, iplen);
+ } else {
+ lpacket.len = IPV6_HEADER_LEN + MIN(8, iplen);
+ }
+ lpacket.dsize = lpacket.len - LIBNET_ICMPV6_H;
libnet_t *c = GetCtx(p, LIBNET_RAW6);
if (c == NULL)
ICMP6_DST_UNREACH_ADMIN, /* code */
0, /* checksum */
(uint8_t *)p->ip6h, /* payload */
- lpacket.len, /* payload length */
+ lpacket.dsize, /* payload length */
c, /* libnet context */
0)) < 0) /* libnet ptag */
{
goto cleanup;
}
- if (BuildIPv6(c, &lpacket, IPPROTO_ICMP) < 0)
+ if (BuildIPv6(c, &lpacket, IPPROTO_ICMPV6) < 0)
goto cleanup;
if (t_inject_mode == LIBNET_LINK) {
projects / thirdparty / suricata.git / commitdiff
