From: Victor Julien
Date: Wed, 20 Dec 2017 07:57:29 +0000 (+0100)
Subject: pfring: add warning for stripped vlan header case
X-Git-Tag: suricata-4.1.0-beta1~422
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=553cd0dc98770ac495a49048a72bf109075d94a7;p=thirdparty%2Fsuricata.git
pfring: add warning for stripped vlan header case
According to PF_RING upstream the vlan header should never be stripped from the packet PF_RING feeds to Suricata. But upstream also indicated keeping the check would be a good "safety check". So in addition to the check, add a warning that warns once (per thread for implementation simplicity) if the vlan hdr does appear to be stripped after all.
---
diff --git a/src/source-pfring.c b/src/source-pfring.c
index a4591337ac..6f2b90b309 100644
--- a/src/source-pfring.c
+++ b/src/source-pfring.c
@@ -164,6 +164,8 @@ typedef struct PfringThreadVars_
 char *bpf_filter;
 ChecksumValidationMode checksum_mode;
+
+ bool vlan_hdr_warned;
 } PfringThreadVars;
 /**
@@ -275,6 +277,12 @@ static inline void PfringProcessPacket(void *user, struct pfring_pkthdr *h, Pack
 p->vlan_id[0] = h->extended_hdr.parsed_pkt.vlan_id & 0x0fff;
 p->vlan_idx = 1;
 p->vlanh[0] = NULL;
+
+ if (!ptv->vlan_hdr_warned) {
+ SCLogWarning(SC_ERR_PF_RING_VLAN, "no VLAN header in the raw "
+ "packet. See #2355.");
+ ptv->vlan_hdr_warned = true;
+ }
 }
 switch (ptv->checksum_mode) {
diff --git a/src/util-error.c b/src/util-error.c
index 15410359c9..76eff21901 100644
--- a/src/util-error.c
+++ b/src/util-error.c
@@ -344,6 +344,7 @@ const char * SCErrorToString(SCError err)
 CASE_CODE (SC_ERR_REDIS_CONFIG);
 CASE_CODE (SC_ERR_BYPASS_NOT_SUPPORTED);
 CASE_CODE (SC_WARN_RENAMING_FILE);
+ CASE_CODE (SC_ERR_PF_RING_VLAN);
 }
 return "UNKNOWN_ERROR";
diff --git a/src/util-error.h b/src/util-error.h
index 12ce9aa19b..9a349c778f 100644
--- a/src/util-error.h
+++ b/src/util-error.h
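Review bot: The new `vlan_hdr_warned` field in `PfringThreadVars` carries no comment and depends on the struct being zero-initialised, which this diff does not show. If the thread-init code (outside the hunk) does not clear the allocation, the flag starts with an indeterminate value and the warning could be suppressed from the very first packet. I would confirm the init path zeroes the struct and document the field, e.g. `bool vlan_hdr_warned; /* true once this thread has logged the stripped-VLAN warning */`.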
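Review bot: The text passed to the added `SCLogWarning` call in `PfringProcessPacket` states neither the consequence nor the affected capture source, so an operator who sees it once per thread cannot tell that the VLAN id is now being taken from PF_RING's parsed metadata while `p->vlanh[0]` stays NULL. Because the line is emitted only once it should be self-explanatory, for example `"no VLAN header in the raw packet, using VLAN id from PF_RING metadata. See #2355."`, with the interface name prepended if the thread vars expose one (not visible here). The `if` that decides the header is missing opens outside the hunk, so the exact trigger condition cannot be confirmed from these lines.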
@@ -333,7 +333,8 @@ typedef enum {
 SC_ERR_NO_REDIS_ASYNC,
 SC_ERR_REDIS_CONFIG,
 SC_ERR_BYPASS_NOT_SUPPORTED,
- SC_WARN_RENAMING_FILE
+ SC_WARN_RENAMING_FILE,
+ SC_ERR_PF_RING_VLAN,
 } SCError;
 const char *SCErrorToString(SCError);
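Review bot: `SC_ERR_PF_RING_VLAN` is only passed to `SCLogWarning` in this commit, yet it takes the `SC_ERR_` prefix while the entry directly above it, `SC_WARN_RENAMING_FILE`, shows the enum already has a `SC_WARN_` form for warning-level codes. Naming it `SC_WARN_PF_RING_VLAN` here, in the `CASE_CODE` line of src/util-error.c and at the call site in src/source-pfring.c would keep filtering and alerting on code names consistent with severity. The enum begins outside the hunk, so whether other warning-only codes also use `SC_ERR_` is not visible from here.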