Add yaml option to disable vlan ids hashing

In some cases using the vlan id(s) in flow hashing is problematic. Cases of broken routers have been reported. So this option allows for disabling the use of vlan id(s) while calculating the flow hash, and in the future other hashes. Vlan tracking for flow is enabled by default.
11 years ago · 16c3487444
parent 58ed1f2411
commit 16c3487444
4 changed files with 20 additions and 1 deletions
--- a/src/decode-vlan.c
+++ b/src/decode-vlan.c
@ -77,7 +77,10 @@ void DecodeVLAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
            p, pkt, proto, GET_VLAN_PRIORITY(p->vlanh[p->vlan_idx]),
            GET_VLAN_CFI(p->vlanh[p->vlan_idx]), GET_VLAN_ID(p->vlanh[p->vlan_idx]), len);

-    p->vlan_id[p->vlan_idx] = (uint16_t)GET_VLAN_ID(p->vlanh[p->vlan_idx]);
+    /* only store the id for flow hashing if it's not disabled. */
+    if (dtv->vlan_disabled == 0)
+        p->vlan_id[p->vlan_idx] = (uint16_t)GET_VLAN_ID(p->vlanh[p->vlan_idx]);
+
    p->vlan_idx++;

    switch (proto)   {
--- a/src/decode.c
+++ b/src/decode.c
@ -432,6 +432,13 @@ DecodeThreadVars *DecodeThreadVarsAlloc()
    /* initialize UDP app layer code */
    AlpProtoFinalize2Thread(&dtv->udp_dp_ctx);

+    /** set config defaults */
+    int vlanbool = 0;
+    if ((ConfGetBool("vlan.use-for-tracking", &vlanbool)) == 1 && vlanbool == 0) {
+        dtv->vlan_disabled = 1;
+    }
+    SCLogDebug("vlan tracking is %s", dtv->vlan_disabled == 0 ? "enabled" : "disabled");
+
    return dtv;
 }

--- a/src/decode.h
+++ b/src/decode.h
@ -547,6 +547,8 @@ typedef struct DecodeThreadVars_
    /** Specific context for udp protocol detection (here atm) */
    AlpProtoDetectThreadCtx udp_dp_ctx;

+    int vlan_disabled;
+
    /** stats/counters */
    uint16_t counter_pkts;
    uint16_t counter_pkts_per_sec;
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -531,6 +531,13 @@ flow:
  prealloc: 10000
  emergency-recovery: 30

+# This option controls the use of vlan ids in the flow hashing. Normally this
+# should be enabled, but in some (broken) setups where both sides of a flow are
+# not tagged with the same vlan tag, we can ignore the vlan id's in the flow
+# hashing.
+vlan:
+  use-for-tracking: true
+
 # Specific timeouts for flows. Here you can specify the timeouts that the
 # active flows will wait to transit from the current state to another, on each
 # protocol. The value of "new" determine the seconds to wait after a hanshake or