From: Victor Julien
Date: Sat, 13 Jun 2020 15:20:14 +0000 (+0200)
Subject: reject: support single vlan layer
X-Git-Tag: suricata-6.0.0-beta1~307
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=14e1a342ac17d143cb21f379d998a9b90bb277ab;p=thirdparty%2Fsuricata.git
reject: support single vlan layer
Support sending RST/ICMP errors for packet with a single VLAN header.
---
diff --git a/src/respond-reject-libnet11.c b/src/respond-reject-libnet11.c
index 245b7a397e..33b203c4a0 100644
--- a/src/respond-reject-libnet11.c
+++ b/src/respond-reject-libnet11.c
@@ -261,6 +261,22 @@ static inline int BuildEthernet(libnet_t *c, Libnet11Packet *lpacket, uint16_t p
 return 0;
 }
+static inline int BuildEthernetVLAN(libnet_t *c, Libnet11Packet *lpacket, uint16_t proto, uint16_t vlan_id)
+{
+ if (libnet_build_802_1q(
+ lpacket->dmac, lpacket->smac, ETHERTYPE_VLAN,
+ 0x000, 0x000, vlan_id, proto,
+ NULL, /* payload */
+ 0, /* payload size */
+ c, /* libnet handle */
+ 0) < 0)
+ {
+ SCLogError(SC_ERR_LIBNET_BUILD_FAILED,"libnet_build_802_1q %s", libnet_geterror(c));
+ return -1;
+ }
+ return 0;
+}
+
 int RejectSendLibnet11IPv4TCP(ThreadVars *tv, Packet *p, void *data, int dir)
 {
 Libnet11Packet lpacket;
@@ -305,8 +321,14 @@ int RejectSendLibnet11IPv4TCP(ThreadVars *tv, Packet *p, void *data, int dir)
 if (t_inject_mode == LIBNET_LINK) {
 SetupEthernet(p, &lpacket, dir);
- if (BuildEthernet(c, &lpacket, ETHERNET_TYPE_IP) < 0)
- goto cleanup;
+
+ if (p->vlan_idx == 1) {
+ if (BuildEthernetVLAN(c, &lpacket, ETHERNET_TYPE_IP, p->vlan_id[0]) < 0)
+ goto cleanup;
+ } else {
+ if (BuildEthernet(c, &lpacket, ETHERNET_TYPE_IP) < 0)
+ goto cleanup;
+ }
 }
 result = libnet_write(c);
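Review bot: In the new `BuildEthernetVLAN` the two `0x000` arguments passed to `libnet_build_802_1q` are unlabelled, although the payload, payload size and handle arguments each carry a comment. They are the 802.1Q priority and CFI bits, so the reject frame always leaves with priority 0 and the priority of the tag on the offending packet is not copied. I would say so next to them, e.g. `/* priority 0, CFI 0: the original tag's priority bits are not preserved */`. A one-line comment above the function noting that `vlan_id` is expected to be the 12-bit VID from the decoder would also help, since the valid range is not visible in this hunk.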
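Review bot: The `else` branch added in `RejectSendLibnet11IPv4TCP` also takes every packet with `p->vlan_idx > 1`, so traffic with stacked tags would still be answered with an untagged frame; on a trunk that frame presumably never reaches the endpoints, leaving the reject silently ineffective for that traffic. The same branch is repeated in the IPv4 ICMP, IPv6 TCP and IPv6 ICMP hunks. As the commit deliberately covers one layer only, I would state that at the branch, e.g. `/* only a single VLAN layer is supported; stacked tags fall back to an untagged frame */`, and consider an `SCLogDebug` there so the gap shows up when a reject appears not to work. Moving the four identical if/else blocks into one helper that takes the ethertype would keep them from drifting apart. The enclosing functions start and end outside these hunks.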
@@ -379,8 +401,14 @@ int RejectSendLibnet11IPv4ICMP(ThreadVars *tv, Packet *p, void *data, int dir)
 if (t_inject_mode == LIBNET_LINK) {
 SetupEthernet(p, &lpacket, dir);
- if (BuildEthernet(c, &lpacket, ETHERNET_TYPE_IP) < 0)
- goto cleanup;
+
+ if (p->vlan_idx == 1) {
+ if (BuildEthernetVLAN(c, &lpacket, ETHERNET_TYPE_IP, p->vlan_id[0]) < 0)
+ goto cleanup;
+ } else {
+ if (BuildEthernet(c, &lpacket, ETHERNET_TYPE_IP) < 0)
+ goto cleanup;
+ }
 }
 result = libnet_write(c);
@@ -437,8 +465,13 @@ int RejectSendLibnet11IPv6TCP(ThreadVars *tv, Packet *p, void *data, int dir)
 if (t_inject_mode == LIBNET_LINK) {
 SetupEthernet(p, &lpacket, dir);
- if (BuildEthernet(c, &lpacket, ETHERNET_TYPE_IPV6) < 0)
- goto cleanup;
+ if (p->vlan_idx == 1) {
+ if (BuildEthernetVLAN(c, &lpacket, ETHERNET_TYPE_IPV6, p->vlan_id[0]) < 0)
+ goto cleanup;
+ } else {
+ if (BuildEthernet(c, &lpacket, ETHERNET_TYPE_IPV6) < 0)
+ goto cleanup;
+ }
 }
 result = libnet_write(c);
@@ -512,8 +545,13 @@ int RejectSendLibnet11IPv6ICMP(ThreadVars *tv, Packet *p, void *data, int dir)
 if (t_inject_mode == LIBNET_LINK) {
 SetupEthernet(p, &lpacket, dir);
- if (BuildEthernet(c, &lpacket, ETHERNET_TYPE_IPV6) < 0)
- goto cleanup;
+ if (p->vlan_idx == 1) {
+ if (BuildEthernetVLAN(c, &lpacket, ETHERNET_TYPE_IPV6, p->vlan_id[0]) < 0)
+ goto cleanup;
+ } else {
+ if (BuildEthernet(c, &lpacket, ETHERNET_TYPE_IPV6) < 0)
+ goto cleanup;
+ }
 }
 result = libnet_write(c);