From efc74ff9ed83840d90d2e839c36dc815525fc0c2 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Wed, 12 Mar 2025 16:13:40 -0600
Subject: [PATCH] af-packet: warn if v2 block size not large enough for defrag

If using tpacket-v2, defrag and a user provided v2-block-size, warn if the block size is not large enough to hold one fully defragmented packet.
Ticket: #7458
(cherry picked from commit 320ef7b61721a8d32d52c40fcc09592f0907bde6)
---
 src/runmode-af-packet.c | 9 +++++++++
 src/source-af-packet.h | 3 +++
 2 files changed, 12 insertions(+)
diff --git a/src/runmode-af-packet.c b/src/runmode-af-packet.c
index 469970cf88..063a7ec808 100644
--- a/src/runmode-af-packet.c
+++ b/src/runmode-af-packet.c
@@ -781,6 +781,15 @@ finalize:
 SCLogWarning("%s: AF_PACKET defrag is recommended for IDS cluster_flow", iface);
 }
+ /* For tpacket-v2, warn if defrag is enabled and block-size is
+ * less than max defragmented packet size. */
+ if ((aconf->flags & AFP_TPACKET_V3) == 0 && (aconf->cluster_type & PACKET_FANOUT_FLAG_DEFRAG) &&
+ aconf->v2_block_size > 0 && aconf->v2_block_size < MAX_PACKET_SIZE) {
+ SCLogWarning("%s: AF_PACKET v2-block-size is not large enough for max fragmented IP packet "
+ "size (%u)",
+ iface, MAX_PACKET_SIZE);
+ }
+
 return aconf;
 }
diff --git a/src/source-af-packet.h b/src/source-af-packet.h
index fabb5202e7..84cd52e03f 100644
--- a/src/source-af-packet.h
+++ b/src/source-af-packet.h
@@ -77,6 +77,9 @@ struct ebpf_timeout_config {
 * to standard frame size */
 #define AFP_BLOCK_SIZE_DEFAULT_ORDER 5
+/* Set max packet size to 65561: IP + Ethernet + 3 VLAN tags. */
+#define MAX_PACKET_SIZE 65561
+
 typedef struct AFPIfaceConfig_ {
 char iface[AFP_IFACE_NAME_LENGTH];
--
2.47.2
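Review bot: The warning added before `return aconf;` reports only the required size and leaves out both the configured `aconf->v2_block_size` and the consequence, so the log line does not tell an operator how far off the setting is or that defragmented packets larger than the block may not be captured in full (inferred from the commit message; the capture path is not in this hunk). I would add the configured value and a short consequence clause to the message, using a specifier that matches the field's type, which is declared outside the hunk. Separately, `MAX_PACKET_SIZE` expands to the `int` literal `65561` but is printed with `%u`; use `%d` here or define the macro as `65561U`. The enclosing function starts outside the hunk.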
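Review bot: `MAX_PACKET_SIZE` is an unprefixed, generic name in a header whose neighbouring constants carry the `AFP_` prefix (`AFP_BLOCK_SIZE_DEFAULT_ORDER`, `AFP_IFACE_NAME_LENGTH`), so it could collide with or be mistaken for another packet-size limit in any file that includes this header. A prefixed name such as `AFP_MAX_DEFRAG_PACKET_SIZE` would say what it bounds. The comment would also be easier to verify if it spelled out the sum, e.g. `/* 65535 (max IP datagram) + 14 (Ethernet header) + 3 * 4 (VLAN tags) = 65561 */`.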