From: Jeff Lucovsky
Date: Fri, 4 Jun 2021 12:26:09 +0000 (-0400)
Subject: decode/vntag: By default, disable vntag decoding
X-Git-Tag: suricata-6.0.3~47
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=301bc0d1206481dd67bd35e0efe455ce3b5115d1;p=thirdparty%2Fsuricata.git

decode/vntag: By default, disable vntag decoding

This commit makes the VNTag decoder off by default.
---
diff --git a/src/decode-vntag.c b/src/decode-vntag.c
index b7963238bb..4a9c876546 100644
--- a/src/decode-vntag.c
+++ b/src/decode-vntag.c
@@ -43,20 +43,33 @@
 #include "util-profiling.h"
 #include "host.h"
 
+bool g_vntag_enabled = false;
+
+void DecodeVNTagConfig(void)
+{
+    int enabled = 0;
+    if (ConfGetBool("decoder.vntag.enabled", &enabled) == 1) {
+        g_vntag_enabled = (enabled == 1);
+    }
+    SCLogDebug("VNTag decode support %s", g_vntag_enabled ? "enabled" : "disabled");
+}
+
 /**
  * \internal
  * \brief this function is used to decode 802.1Qbh packets
  *
  * \param tv pointer to the thread vars
- * \param dtv pointer code thread vars
+ * \param dtv pointer to decode thread vars
  * \param p pointer to the packet struct
  * \param pkt pointer to the raw packet
  * \param len packet len
- * \param pq pointer to the packet queue
  *
  */
 int DecodeVNTag(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
 {
+    if (!g_vntag_enabled)
+        return TM_ECODE_FAILED;
+
     StatsIncr(tv, dtv->counter_vntag);
 
     if (len < VNTAG_HEADER_LEN) {
@@ -108,7 +121,9 @@ static int DecodeVNTagtest01(void)
     memset(&tv, 0, sizeof(ThreadVars));
     memset(&dtv, 0, sizeof(DecodeThreadVars));
 
+    g_vntag_enabled = true;
     FAIL_IF(TM_ECODE_OK == DecodeVNTag(&tv, &dtv, p, raw_vntag, sizeof(raw_vntag)));
+    g_vntag_enabled = false;
     PASS_IF(ENGINE_ISSET_EVENT(p, VNTAG_HEADER_TOO_SMALL));
 }
 
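Review bot: The new guard `if (!g_vntag_enabled) return TM_ECODE_FAILED;` in DecodeVNTag sits before `StatsIncr(tv, dtv->counter_vntag);`, so with the decoder off a frame carrying a VNTag header neither bumps the counter nor reaches any event-setting code, and the encapsulated payload presumably goes uninspected with no trace in stats. Moving the guard after the StatsIncr call, or adding a dedicated "seen but not decoded" counter, would let an operator tell that VNTag traffic is present on the wire while decoding is disabled. Separately, `bool g_vntag_enabled = false;` has external linkage but the header hunk only declares DecodeVNTagConfig; if no other translation unit needs the flag, `static bool g_vntag_enabled = false;` keeps it file-scoped (the unit tests that set it live in this same file). DecodeVNTag's body continues outside the hunk.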
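Review bot: In DecodeVNTagtest01 the `g_vntag_enabled = false;` reset on the line after the FAIL_IF is skipped when the FAIL_IF fires, since FAIL_IF appears to return from the test early (the restructuring of test02 around `rc` suggests the same); the flag then stays true for every later test in the process, so DecodeVNTagtest04's `FAIL_IF(g_vntag_enabled)` would report a spurious second failure. DecodeVNTagtest03 (the -166,7 hunk) has the same shape. Capturing the result as test02 does, `int rc = DecodeVNTag(&tv, &dtv, p, raw_vntag, sizeof(raw_vntag)); g_vntag_enabled = false; FAIL_IF(TM_ECODE_OK == rc);`, restores the flag on both paths. The start of DecodeVNTagtest01 is outside the hunk.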
@@ -138,7 +153,10 @@ static int DecodeVNTagtest02(void)
     memset(&tv, 0, sizeof(ThreadVars));
     memset(&dtv, 0, sizeof(DecodeThreadVars));
 
-    PASS_IF(TM_ECODE_OK != DecodeVNTag(&tv, &dtv, p, raw_vntag, sizeof(raw_vntag)));
+    g_vntag_enabled = true;
+    int rc = DecodeVNTag(&tv, &dtv, p, raw_vntag, sizeof(raw_vntag));
+    g_vntag_enabled = false;
+    PASS_IF(TM_ECODE_OK != rc);
 }
 
 /**
@@ -166,7 +184,9 @@ static int DecodeVNTagtest03(void)
 
     FlowInitConfig(FLOW_QUIET);
 
+    g_vntag_enabled = true;
     FAIL_IF(TM_ECODE_OK != DecodeVNTag(&tv, &dtv, p, raw_vntag, sizeof(raw_vntag)));
+    g_vntag_enabled = false;
     PACKET_RECYCLE(p);
     FlowShutdown();
 
@@ -174,6 +194,18 @@ static int DecodeVNTagtest03(void)
 
     PASS;
 }
+
+/**
+ * \test DecodeVNTagtest04 Ensure decoder is disabled by default
+ *
+ * \retval 1 on success
+ * \retval 0 on failure
+ */
+static int DecodeVNTagtest04(void)
+{
+    FAIL_IF(g_vntag_enabled);
+    PASS;
+}
 #endif /* UNITTESTS */
 
 void DecodeVNTagRegisterTests(void)
@@ -182,6 +214,7 @@ void DecodeVNTagRegisterTests(void)
     UtRegisterTest("DecodeVNTagtest01", DecodeVNTagtest01);
     UtRegisterTest("DecodeVNTagtest02", DecodeVNTagtest02);
     UtRegisterTest("DecodeVNTagtest03", DecodeVNTagtest03);
+    UtRegisterTest("DecodeVNTagtest04", DecodeVNTagtest04);
 #endif /* UNITTESTS */
 }
 
diff --git a/src/decode-vntag.h b/src/decode-vntag.h
index 02392589b1..dc2a0810e9 100644
--- a/src/decode-vntag.h
+++ b/src/decode-vntag.h
@@ -43,6 +43,7 @@ typedef struct VNTagHdr_ {
 /** VNTag header length */
 #define VNTAG_HEADER_LEN 6
 
+void DecodeVNTagConfig(void);
 void DecodeVNTagRegisterTests(void);
 
 #endif /* __DECODE_VNTAG_H__ */
diff --git a/src/decode.c b/src/decode.c
index 70138e480f..ff3793ae61 100644
--- a/src/decode.c
+++ b/src/decode.c
@@ -765,6 +765,7 @@ void DecodeGlobalConfig(void)
     DecodeGeneveConfig();
     DecodeVXLANConfig();
     DecodeERSPANConfig();
+    DecodeVNTagConfig();
     intmax_t value = 0;
     if (ConfGetInt("decoder.max-layers", &value) == 1) {
         if (value < 0 || value > UINT8_MAX) {
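Review bot: DecodeVNTagtest04 asserts only the static initialiser of `g_vntag_enabled`; DecodeVNTagConfig(), the code path that actually derives the default from `decoder.vntag.enabled`, is not exercised by any test in this commit. Calling it with no such key configured and then keeping `FAIL_IF(g_vntag_enabled);` would cover the new function as well as the initialiser, assuming the unit-test harness starts with an empty configuration tree. The docblock could also state that the test depends on the earlier tests restoring the flag, e.g. `* \test DecodeVNTagtest04 Ensure decoder is disabled by default (relies on tests 01-03 resetting g_vntag_enabled)`.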
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 728d3e340f..19b24259d1 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -1355,6 +1355,10 @@ decoder:
     enabled: true
     ports: $VXLAN_PORTS # syntax: '[8472, 4789]' or '4789'.
 
+  # VNTag decode support
+  vntag:
+    enabled: false
+
   # Geneve decoder is assigned to up to 4 UDP ports. By default only the
   # IANA assigned port 6081 is enabled.
   geneve: