From: Jason Ish Date: Wed, 12 Mar 2025 22:13:40 +0000 (-0600) Subject: af-packet: warn if v2 block size not large enough for defrag X-Git-Tag: suricata-7.0.9~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=efc74ff9ed83840d90d2e839c36dc815525fc0c2;p=thirdparty%2Fsuricata.git af-packet: warn if v2 block size not large enough for defrag If using tpacket-v2, defrag and a user provided v2-block-size, warn if the block size is not large enough to hold one fully defragmented packet. Ticket: #7458 (cherry picked from commit 320ef7b61721a8d32d52c40fcc09592f0907bde6)
---
diff --git a/src/runmode-af-packet.c b/src/runmode-af-packet.c
index 469970cf88..063a7ec808 100644
--- a/src/runmode-af-packet.c
+++ b/src/runmode-af-packet.c
@@ -781,6 +781,15 @@ finalize:
 SCLogWarning("%s: AF_PACKET defrag is recommended for IDS cluster_flow", iface);
 }
+ /* For tpacket-v2, warn if defrag is enabled and block-size is
+ * less than max defragmented packet size. */
+ if ((aconf->flags & AFP_TPACKET_V3) == 0 && (aconf->cluster_type & PACKET_FANOUT_FLAG_DEFRAG) &&
+ aconf->v2_block_size > 0 && aconf->v2_block_size < MAX_PACKET_SIZE) {
+ SCLogWarning("%s: AF_PACKET v2-block-size is not large enough for max fragmented IP packet "
+ "size (%u)",
+ iface, MAX_PACKET_SIZE);
+ }
+
 return aconf;
 }
diff --git a/src/source-af-packet.h b/src/source-af-packet.h
index fabb5202e7..84cd52e03f 100644
--- a/src/source-af-packet.h
+++ b/src/source-af-packet.h
@@ -77,6 +77,9 @@ struct ebpf_timeout_config {
 * to standard frame size */
 #define AFP_BLOCK_SIZE_DEFAULT_ORDER 5
+/* Set max packet size to 65561: IP + Ethernet + 3 VLAN tags. */
+#define MAX_PACKET_SIZE 65561
+
 typedef struct AFPIfaceConfig_ {
 char iface[AFP_IFACE_NAME_LENGTH];
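Review bot: The new SCLogWarning in the `finalize:` tail prints only MAX_PACKET_SIZE, so the log shows neither the v2-block-size value that was configured nor what the undersized block costs; with defrag on, the sensor keeps running and reassembled packets that do not fit are presumably not inspected in full, which is a detection gap the message should name. I would put both in the text, e.g. `"%s: AF_PACKET v2-block-size (%d) is smaller than the max defragmented packet size (%d), large reassembled packets may not be fully captured"` with `iface, aconf->v2_block_size, MAX_PACKET_SIZE`, adjusting the first specifier to the field's declared type, which is outside this hunk. Separately, `MAX_PACKET_SIZE` is defined as the plain int literal `65561` in the source-af-packet.h hunk, so `%u` is a signed/unsigned mismatch under -Wformat-signedness; `%d` here or a `65561U` define would make the two agree. The enclosing function starts above the hunk.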