From e3e24cfb3d6382507aaf390bf697efae9c5f6c64 Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Wed, 4 Jun 2025 14:56:25 -0300
Subject: [PATCH] decode/ipv4: add missing ip-in-ip case handling

A flow with IPv4 IP in IP traffic won't handle this tunneling case properly. This leads to potential malicious traffic not triggering alerts, as well as other inaccuracies in the logs.
Bug #7725
---
 src/decode-ipv4.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/decode-ipv4.c b/src/decode-ipv4.c
index 0db3e3cae9..2420f9c6ac 100644
--- a/src/decode-ipv4.c
+++ b/src/decode-ipv4.c
@@ -595,6 +595,16 @@ int DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
 FlowSetupPacket(p);
 break;
 }
+ case IPPROTO_IPIP: {
+ /* spawn off tunnel packet */
+ Packet *tp = PacketTunnelPktSetup(tv, dtv, p, data, data_len, DECODE_TUNNEL_IPV4);
+ if (tp != NULL) {
+ PKT_SET_SRC(tp, PKT_SRC_DECODER_IPV4);
+ PacketEnqueueNoLock(&tv->decode_pq, tp);
+ }
+ FlowSetupPacket(p);
+ break;
+ }
 case IPPROTO_IP:
 /* check PPP VJ uncompressed packets and decode tcp dummy */
 if (p->flags & PKT_PPP_VJ_UCOMP) {
-- 
2.47.2
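Review bot: In the new `case IPPROTO_IPIP` block, a NULL return from `PacketTunnelPktSetup()` is skipped silently, so the encapsulated IPv4 packet goes undecoded and uninspected with nothing in this hunk recording it. That is the same detection gap the commit message sets out to close. Whether the callee raises a decoder event or counter on failure is not visible here; if it does not, an `else` branch that sets one would make the miss observable. At minimum, state the consequence at the check with a comment such as `/* tp == NULL: inner packet is not decoded or inspected */`. A short comment on why `FlowSetupPacket(p)` still runs for the outer packet would also help. The enclosing `switch` in `DecodeIPV4` starts and ends outside the hunk.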