af-packet: warn if v2 block size not large enough for defrag

If using tpacket-v2, defrag and a user provided v2-block-size, warn if
the block size is not large enough to hold one fully defragmented
packet.

Ticket: #7458
(cherry picked from commit 320ef7b61721a8d32d52c40fcc09592f0907bde6)

diff --git a/src/runmode-af-packet.c b/src/runmode-af-packet.c
index 469970cf88625188e0690c380814da237ae41f80..063a7ec8084f8ab31f17ff16a93a835943208513 100644 (file)
--- a/src/runmode-af-packet.c
+++ b/src/runmode-af-packet.c
@@ -781,6 +781,15 @@ finalize:
         SCLogWarning("%s: AF_PACKET defrag is recommended for IDS cluster_flow", iface);
     }
 
+    /* For tpacket-v2, warn if defrag is enabled and block-size is
+     * less than max defragmented packet size. */
+    if ((aconf->flags & AFP_TPACKET_V3) == 0 && (aconf->cluster_type & PACKET_FANOUT_FLAG_DEFRAG) &&
+            aconf->v2_block_size > 0 && aconf->v2_block_size < MAX_PACKET_SIZE) {
+        SCLogWarning("%s: AF_PACKET v2-block-size is not large enough for max fragmented IP packet "
+                     "size (%u)",
+                iface, MAX_PACKET_SIZE);
+    }
+
     return aconf;
 }
 

diff --git a/src/source-af-packet.h b/src/source-af-packet.h
index fabb5202e773aa5ee4b0d0e68af53df2c539b1a7..84cd52e03fa83b007f51667173eeedc5a23156af 100644 (file)
--- a/src/source-af-packet.h
+++ b/src/source-af-packet.h
@@ -77,6 +77,9 @@ struct ebpf_timeout_config {
  * to standard frame size */
 #define AFP_BLOCK_SIZE_DEFAULT_ORDER 5
 
+/* Set max packet size to 65561: IP + Ethernet + 3 VLAN tags. */
+#define MAX_PACKET_SIZE 65561
+
 typedef struct AFPIfaceConfig_
 {
     char iface[AFP_IFACE_NAME_LENGTH];