pfring: add warning for stripped vlan header case

According to PF_RING upstream the vlan header should never be stripped from the packet PF_RING feeds to Suricata. But upstream also indicated keeping the check would be a good "safety check". So in addition to the check, add a warning that warns once (per thread for implementation simplicity) if the vlan hdr does appear to be stripped after all.
8 years ago · 553cd0dc98
parent 189b521239
commit 553cd0dc98
3 changed files with 11 additions and 1 deletions
--- a/src/source-pfring.c
+++ b/src/source-pfring.c
@ -164,6 +164,8 @@ typedef struct PfringThreadVars_
    char *bpf_filter;

     ChecksumValidationMode checksum_mode;
+
+    bool vlan_hdr_warned;
 } PfringThreadVars;

 /**
@ -275,6 +277,12 @@ static inline void PfringProcessPacket(void *user, struct pfring_pkthdr *h, Pack
        p->vlan_id[0] = h->extended_hdr.parsed_pkt.vlan_id & 0x0fff;
        p->vlan_idx = 1;
        p->vlanh[0] = NULL;
+
+        if (!ptv->vlan_hdr_warned) {
+            SCLogWarning(SC_ERR_PF_RING_VLAN, "no VLAN header in the raw "
+                    "packet. See #2355.");
+            ptv->vlan_hdr_warned = true;
+        }
    }

    switch (ptv->checksum_mode) {
--- a/src/util-error.c
+++ b/src/util-error.c
@ -344,6 +344,7 @@ const char * SCErrorToString(SCError err)
        CASE_CODE (SC_ERR_REDIS_CONFIG);
        CASE_CODE (SC_ERR_BYPASS_NOT_SUPPORTED);
        CASE_CODE (SC_WARN_RENAMING_FILE);
+        CASE_CODE (SC_ERR_PF_RING_VLAN);
    }

    return "UNKNOWN_ERROR";
--- a/src/util-error.h
+++ b/src/util-error.h
@ -333,7 +333,8 @@ typedef enum {
    SC_ERR_NO_REDIS_ASYNC,
    SC_ERR_REDIS_CONFIG,
    SC_ERR_BYPASS_NOT_SUPPORTED,
-    SC_WARN_RENAMING_FILE
+    SC_WARN_RENAMING_FILE,
+    SC_ERR_PF_RING_VLAN,
 } SCError;

 const char *SCErrorToString(SCError);