From 553cd0dc98770ac495a49048a72bf109075d94a7 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 20 Dec 2017 08:57:29 +0100
Subject: [PATCH] pfring: add warning for stripped vlan header case

According to PF_RING upstream the vlan header should never be stripped from the packet PF_RING feeds to Suricata. But upstream also indicated keeping the check would be a good "safety check". So in addition to the check, add a warning that warns once (per thread for implementation simplicity) if the vlan hdr does appear to be stripped after all.
---
 src/source-pfring.c | 8 ++++++++
 src/util-error.c | 1 +
 src/util-error.h | 3 ++-
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/source-pfring.c b/src/source-pfring.c
index a4591337ac..6f2b90b309 100644
--- a/src/source-pfring.c
+++ b/src/source-pfring.c
@@ -164,6 +164,8 @@ typedef struct PfringThreadVars_
 char *bpf_filter;
 ChecksumValidationMode checksum_mode;
+
+ bool vlan_hdr_warned;
 } PfringThreadVars;
 /**
@@ -275,6 +277,12 @@ static inline void PfringProcessPacket(void *user, struct pfring_pkthdr *h, Pack
 p->vlan_id[0] = h->extended_hdr.parsed_pkt.vlan_id & 0x0fff;
 p->vlan_idx = 1;
 p->vlanh[0] = NULL;
+
+ if (!ptv->vlan_hdr_warned) {
+ SCLogWarning(SC_ERR_PF_RING_VLAN, "no VLAN header in the raw "
+ "packet. See #2355.");
+ ptv->vlan_hdr_warned = true;
+ }
 }
 switch (ptv->checksum_mode) {
diff --git a/src/util-error.c b/src/util-error.c
index 15410359c9..76eff21901 100644
--- a/src/util-error.c
+++ b/src/util-error.c
@@ -344,6 +344,7 @@ const char * SCErrorToString(SCError err)
 CASE_CODE (SC_ERR_REDIS_CONFIG);
 CASE_CODE (SC_ERR_BYPASS_NOT_SUPPORTED);
 CASE_CODE (SC_WARN_RENAMING_FILE);
+ CASE_CODE (SC_ERR_PF_RING_VLAN);
 }
 return "UNKNOWN_ERROR";
diff --git a/src/util-error.h b/src/util-error.h
index 12ce9aa19b..9a349c778f 100644
--- a/src/util-error.h
+++ b/src/util-error.h
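Review bot: The new `vlan_hdr_warned` field in `PfringThreadVars` (src/source-pfring.c, first hunk) has no comment and no visible initialisation, so the warn-once logic depends on the struct being zeroed when the thread vars are allocated. That allocation is outside this diff and should be confirmed. I would document the field where it is declared, for example `/* true once the stripped-VLAN warning has been logged for this thread */`. The struct definition starts above the hunk.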
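Review bot: The warning added in `PfringProcessPacket` (src/source-pfring.c, second hunk) does not say which interface it came from or what Suricata does instead. Because the flag is per thread, the same line is printed once per capture thread with nothing to tell the threads apart. After the first hit the condition is silent, so an operator cannot tell whether one packet or all VLAN traffic took the metadata path; a per-thread counter next to the one-shot log would make that visible. For the message I would spell out the fallback, e.g. `"no VLAN header in the raw packet, using VLAN id from PF_RING metadata. See #2355."`, and add the interface name if the thread vars carry one. The enclosing `if` and the function both start above the hunk, and the function continues below it.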
@@ -333,7 +333,8 @@ typedef enum {
 SC_ERR_NO_REDIS_ASYNC,
 SC_ERR_REDIS_CONFIG,
 SC_ERR_BYPASS_NOT_SUPPORTED,
- SC_WARN_RENAMING_FILE
+ SC_WARN_RENAMING_FILE,
+ SC_ERR_PF_RING_VLAN,
 } SCError;
 const char *SCErrorToString(SCError);
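Review bot: `SC_ERR_PF_RING_VLAN` is only used with `SCLogWarning` in this commit, while the entry directly above it, `SC_WARN_RENAMING_FILE`, uses the `SC_WARN_` prefix for a warning code. Naming it `SC_WARN_PF_RING_VLAN` would keep the severity readable from the code name for anyone filtering logs on it. The rename would also touch the `CASE_CODE` line in src/util-error.c and the `SCLogWarning` call in src/source-pfring.c. The enum starts above the hunk.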