From 0f21d899f17c0471aa67614e6fef94cb366d9ebf Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Wed, 12 Mar 2025 12:34:31 -0600
Subject: [PATCH] af-packet: warn if defrag not suitable for mode

AF_PACKET defrag should not be used for inline modes. Its possible that a packet received could be larger than can be set when defrag is enabled, so warn if disabled for inline use. Likewise, warn if defrag is disabled for IDS use, or non-inline mode.

Ticket: #7458
(cherry picked from commit 808502d5cac0681e17859ed1aef9be8f508c4b13)
---
 src/runmode-af-packet.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/runmode-af-packet.c b/src/runmode-af-packet.c
index 87469dacd3..9991f108d1 100644
--- a/src/runmode-af-packet.c
+++ b/src/runmode-af-packet.c
@@ -758,6 +758,19 @@ finalize:
 aconf->flags |= AFP_SOCK_PROTECT;
 aconf->flags |= AFP_NEED_PEER;
 }
+
+ /* Warn if inline and defrag is enabled. */
+ if (aconf->copy_mode != AFP_COPY_MODE_NONE && aconf->cluster_type & PACKET_FANOUT_FLAG_DEFRAG) {
+ SCLogWarning(
+ "%s: AF_PACKET defrag is not recommended for inline use, please disable", iface);
+ }
+
+ /* Warn if not inline and defrag is disabled. */
+ if (aconf->copy_mode == AFP_COPY_MODE_NONE && cluster_type == PACKET_FANOUT_HASH &&
+ ((aconf->cluster_type & PACKET_FANOUT_FLAG_DEFRAG) == 0)) {
+ SCLogWarning("%s: AF_PACKET defrag is recommended for IDS cluster_flow", iface);
+ }
+
+ return aconf;
 }
-- 
2.47.2
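Review bot: In the second added check the mode test reads the local `cluster_type` while the flag test reads `aconf->cluster_type`, and the local's declaration and assignments lie outside this hunk (the enclosing function starts before it); because the block sits under the `finalize:` label, confirm that the local holds a defined value on every path that jumps there. The first condition leaves the bitwise test unparenthesised next to `&&`; it parses as intended, but writing it like the second check, `(aconf->cluster_type & PACKET_FANOUT_FLAG_DEFRAG) != 0`, removes any precedence misreading. The two comments only restate the conditions, and the reasons are what an operator needs: for inline, something like `/* Inline: a defragmented packet may be too large to forward, so defrag should be off. */`, and for IDS, a line saying that without defrag the fragments of one flow may be hashed to different capture threads, which presumably weakens per-flow reassembly and detection. Both checks only log a warning, so an interface with the discouraged setting still starts with it; if that is intended, the comment should say so.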