decode/ipv4: add missing ip-in-ip case handling 13370/head
authorJuliana Fajardini <jufajardini@oisf.net>
Wed, 4 Jun 2025 17:56:25 +0000 (14:56 -0300)
committerVictor Julien <victor@inliniac.net>
Wed, 4 Jun 2025 21:14:43 +0000 (23:14 +0200)
A flow with IPv4 IP in IP traffic won't handle this tunneling case
properly.
This leads to potential malicious traffic not triggering alerts, as well
as other inaccuracies in the logs.

Bug #7725

src/decode-ipv4.c

index 0db3e3cae9d3028e161c3db39f5b989f02b79ba5..2420f9c6aced3d98fb6181199ba13282524c0232 100644 (file)
@@ -595,6 +595,16 @@ int DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
             FlowSetupPacket(p);
             break;
         }
+        case IPPROTO_IPIP: {
+            /* spawn off tunnel packet */
+            Packet *tp = PacketTunnelPktSetup(tv, dtv, p, data, data_len, DECODE_TUNNEL_IPV4);
+            if (tp != NULL) {
+                PKT_SET_SRC(tp, PKT_SRC_DECODER_IPV4);
+                PacketEnqueueNoLock(&tv->decode_pq, tp);
+            }
+            FlowSetupPacket(p);
+            break;
+        }
         case IPPROTO_IP:
             /* check PPP VJ uncompressed packets and decode tcp dummy */
             if (p->flags & PKT_PPP_VJ_UCOMP) {
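Review bot: When `PacketTunnelPktSetup` returns NULL in the new `IPPROTO_IPIP` case, the outer packet still goes on to `FlowSetupPacket(p)`, and nothing in the hunk records that the inner IPv4 packet was never decoded or inspected. Since the commit exists to stop tunneled traffic from slipping past alerts, that path should be visible to operators: add an `else` branch that raises a decoder event or counter on `p`, or at least a comment such as `/* tp == NULL: inner IPv4 packet not decoded, only the outer packet is inspected */`. Whether the helper already reports this failure, and whether it bounds nested IP-in-IP depth, cannot be seen from here and is worth confirming. The block also appears to repeat the case that ends in the context lines just above it, so a shared helper taking the `DECODE_TUNNEL_*` value would keep the two in step. The body of `DecodeIPV4` starts and ends outside this hunk.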