From 778a04cf041dc143b55d598a9348266acf1f46b4 Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Tue, 3 Mar 2020 08:50:37 -0500
Subject: [PATCH] decode/erspan: ERSPAN TypeI configurable
For the backport, ERSPAN TypeI decode is
1. Disabled by default
2. Configurable: `decoder.erspan_typeI.enabled`
(cherry picked from commit ae6beedd13df60b129de702eabc0a7364fd973d5)
(cherry picked from commit 33b56b31b50a96e5022ca86ba1b7185efb832355)
---
 src/decode-erspan.c | 14 ++++++++++++++
 src/decode-erspan.h | 1 +
 src/decode.c | 1 +
 suricata.yaml.in | 4 ++++
 4 files changed, 20 insertions(+)
diff --git a/src/decode-erspan.c b/src/decode-erspan.c
index fb7cb69dad..1f5a88d94b 100644
--- a/src/decode-erspan.c
+++ b/src/decode-erspan.c
@@ -43,12 +43,26 @@
 * \brief Functions to decode ERSPAN Type I and II packets
 */
+bool g_erspan_typeI_enabled = false;
+
+void DecodeERSPANConfig(void)
+{
+ int enabled = 0;
+ if (ConfGetBool("decoder.erspan.typeI.enabled", &enabled) == 1) {
+ g_erspan_typeI_enabled = (enabled == 1);
+ }
+ SCLogDebug("ERSPAN Type I decode support %s", g_erspan_typeI_enabled ? "enabled" : "disabled");
+}
+
 /**
 * \brief ERSPAN Type I
 */
 int DecodeERSPANTypeI(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)
 {
+ if (unlikely(!g_erspan_typeI_enabled))
+ return TM_ECODE_FAILED;
+
 StatsIncr(tv, dtv->counter_erspan);
 return DecodeEthernet(tv, dtv, p, pkt, len, pq);
diff --git a/src/decode-erspan.h b/src/decode-erspan.h
index 2f81d1e4a3..5b4af04ea8 100644
--- a/src/decode-erspan.h
+++ b/src/decode-erspan.h
@@ -34,4 +34,5 @@ typedef struct ErspanHdr_ {
 uint32_t padding;
 } __attribute__((__packed__)) ErspanHdr;
+void DecodeERSPANConfig(void);
 #endif /* __DECODE_ERSPAN_H__ */
diff --git a/src/decode.c b/src/decode.c
index f897c96241..da19c2d79b 100644
--- a/src/decode.c
+++ b/src/decode.c
@@ -698,6 +698,7 @@ void DecodeGlobalConfig(void)
 {
 DecodeTeredoConfig();
 DecodeVXLANConfig();
+ DecodeERSPANConfig();
 }
 /**
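Review bot: The new guard at the top of DecodeERSPANTypeI, `if (unlikely(!g_erspan_typeI_enabled)) return TM_ECODE_FAILED;`, returns before `StatsIncr(tv, dtv->counter_erspan)` and sets no decoder event, so with the default (disabled) setting ERSPAN Type I packets are left undecoded without any counter or event recording it. On a sensor that is an inspection gap nobody can see; I would count or flag the skipped packets at this point, and report the setting with `SCLogConfig(...)` instead of `SCLogDebug(...)`, which as far as I know is compiled out of non-debug builds. `g_erspan_typeI_enabled` also appears to be used only in this file and gets no declaration in decode-erspan.h, so `static bool g_erspan_typeI_enabled = false;` would keep it out of the global namespace. How the caller treats TM_ECODE_FAILED is not visible here, and the function's closing brace lies outside the hunk.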
diff --git a/suricata.yaml.in b/suricata.yaml.in
index e4d8d05fa6..2a2aec00cd 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -1408,6 +1408,10 @@ decoder:
 vxlan:
 enabled: false
 ports: $VXLAN_PORTS # syntax: '8472, 4789'
+ # ERSPAN Type I decode support
+ erspan:
+ typeI:
+ enabled: false
 ##
--
2.47.2
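Review bot: The added comment `# ERSPAN Type I decode support` does not tell an operator what `enabled: false` costs: judging by the early return this patch adds to DecodeERSPANTypeI in src/decode-erspan.c, ERSPAN Type I frames are then not decoded, so the mirrored traffic inside them goes uninspected. I would spell that out, for example `# ERSPAN Type I decode support. Disabled by default; while disabled, traffic carried in ERSPAN Type I is not decoded or inspected.` The key as nested here and as read by the ConfGetBool call is `decoder.erspan.typeI.enabled`, whereas the commit message writes `decoder.erspan_typeI.enabled`; someone configuring from the message would set a key the code never reads. The `decoder:` section itself begins outside the hunk.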