From: Max Fillinger <maximilian.fillinger@fox-it.com>
Date: Mon, 8 Jul 2019 16:21:42 +0000 (+0200)
Subject: af-packet: Always fill in vlan_id
X-Git-Tag: suricata-5.0.0-rc1~204
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F4016%2Fhead;p=thirdparty%2Fsuricata.git

af-packet: Always fill in vlan_id

The vlan tag will be filled in either from the extended header (for
kernel version >= 3.0) or from the packet itself.

Related to https://redmine.openinfosecfoundation.org/issues/3076
---

diff --git a/src/source-af-packet.c b/src/source-af-packet.c
index f9d374897d..2c65ccbcf5 100644
--- a/src/source-af-packet.c
+++ b/src/source-af-packet.c
@@ -948,7 +948,7 @@ static int AFPReadFromRing(AFPThreadVars *ptv)
         }
 
         /* get vlan id from header */
-        if ((!(ptv->flags & AFP_VLAN_DISABLED)) &&
+        if ((ptv->flags & AFP_VLAN_IN_HEADER) &&
             (h.h2->tp_status & TP_STATUS_VLAN_VALID || h.h2->tp_vlan_tci)) {
             p->vlan_id[0] = h.h2->tp_vlan_tci & 0x0fff;
             p->vlan_idx = 1;
@@ -1071,7 +1071,7 @@ static inline int AFPParsePacketV3(AFPThreadVars *ptv, struct tpacket_block_desc
     p->livedev = ptv->livedev;
     p->datalink = ptv->datalink;
 
-    if ((!(ptv->flags & AFP_VLAN_DISABLED)) &&
+    if ((ptv->flags & AFP_VLAN_IN_HEADER) &&
             (ppd->tp_status & TP_STATUS_VLAN_VALID || ppd->hv1.tp_vlan_tci)) {
         p->vlan_id[0] = ppd->hv1.tp_vlan_tci & 0x0fff;
         p->vlan_idx = 1;
@@ -2807,19 +2807,11 @@ TmEcode ReceiveAFPThreadInit(ThreadVars *tv, const void *initdata, void **data)
 
     afpconfig->DerefFunc(afpconfig);
 
-    /* A bit strange to have this here but we only have vlan information
-     * during reading so we need to know if we want to keep vlan during
-     * the capture phase */
-    int vlanbool = 0;
-    if ((ConfGetBool("vlan.use-for-tracking", &vlanbool)) == 1 && vlanbool == 0) {
-        ptv->flags |= AFP_VLAN_DISABLED;
-    }
-
     /* If kernel is older than 3.0, VLAN is not stripped so we don't
      * get the info from packet extended header but we will use a standard
      * parsing of packet data (See Linux commit bcc6d47903612c3861201cc3a866fb604f26b8b2) */
-    if (! SCKernelVersionIsAtLeast(3, 0)) {
-        ptv->flags |= AFP_VLAN_DISABLED;
+    if (SCKernelVersionIsAtLeast(3, 0)) {
+        ptv->flags |= AFP_VLAN_IN_HEADER;
     }
 
     SCReturnInt(TM_ECODE_OK);
diff --git a/src/source-af-packet.h b/src/source-af-packet.h
index e32d8756e4..af3b36b204 100644
--- a/src/source-af-packet.h
+++ b/src/source-af-packet.h
@@ -60,7 +60,7 @@ struct ebpf_timeout_config {
 #define AFP_SOCK_PROTECT (1<<2)
 #define AFP_EMERGENCY_MODE (1<<3)
 #define AFP_TPACKET_V3 (1<<4)
-#define AFP_VLAN_DISABLED (1<<5)
+#define AFP_VLAN_IN_HEADER (1<<5)
 #define AFP_MMAP_LOCKED (1<<6)
 #define AFP_BYPASS   (1<<7)
 #define AFP_XDPBYPASS   (1<<8)