detect: add track pkthdr as any l2 protocol

To indicate it's not just like `alert ip`.
2 months ago · b983ce64ef
parent 61a7f47a69
commit b983ce64ef
3 changed files with 6 additions and 4 deletions
--- a/src/detect-engine-build.c
+++ b/src/detect-engine-build.c
@ -1962,7 +1962,8 @@ int SigPrepareStage2(DetectEngineCtx *de_ctx)
        }

        /* add ethernet sigs and decoder events to the ethernet sgh */
-        if ((s->type == SIG_TYPE_PKT && SigIsEthernetAddToNonIP(s)) || s->type == SIG_TYPE_DEONLY) {
+        if ((s->type == SIG_TYPE_PKT && SigIsEthernetAddToNonIP(s)) || s->type == SIG_TYPE_DEONLY ||
+                (s->init_data->proto.flags & DETECT_PROTO_L2_ANY)) {
            // ethernet
            SCLogNotice("rule: %u: add to non-IP", s->id);
            DetectEngineAddEthernetSig(de_ctx, s);
--- a/src/detect-engine-proto.c
+++ b/src/detect-engine-proto.c
@ -65,7 +65,7 @@ struct {
    { "ipv6", 0, 0, DETECT_PROTO_IPV6 | DETECT_PROTO_ANY, },
    { "ip6", 0, 0, DETECT_PROTO_IPV6 | DETECT_PROTO_ANY, },
    { "ip", 0, 0, DETECT_PROTO_ANY, },
-    { "pkthdr", 0, 0, DETECT_PROTO_ANY, },
+    { "pkthdr", 0, 0, DETECT_PROTO_L2_ANY, },
    { "ether", 0, 0, DETECT_PROTO_ETHERNET, },
    { "arp", 0, 0, DETECT_PROTO_ARP | DETECT_PROTO_ETHERNET, },
    // clang-format on
@ -114,7 +114,7 @@ int DetectProtoParse(DetectProto *dp, const char *str)
 *  \retval 1 protocol is in the set */
 int DetectProtoContainsProto(const DetectProto *dp, int proto)
 {
-    if (dp == NULL || dp->flags & DETECT_PROTO_ANY)
+    if (dp == NULL || dp->flags & (DETECT_PROTO_ANY | DETECT_PROTO_L2_ANY))
        return 1;

    if (dp->proto[proto / 8] & (1<<(proto % 8)))
@ -132,7 +132,7 @@ int DetectProtoContainsProto(const DetectProto *dp, int proto)
 *  \retval true protocol is in the set */
 bool DetectProtoHasExplicitProto(const DetectProto *dp, const uint8_t proto)
 {
-    if (dp == NULL || dp->flags & DETECT_PROTO_ANY)
+    if (dp == NULL || dp->flags & (DETECT_PROTO_ANY | DETECT_PROTO_L2_ANY))
        return false;

    return ((dp->proto[proto / 8] & (1 << (proto % 8))));
--- a/src/detect-engine-proto.h
+++ b/src/detect-engine-proto.h
@ -32,6 +32,7 @@
 #define DETECT_PROTO_IPV6              BIT_U8(4) /**< IPv6 only */
 #define DETECT_PROTO_ETHERNET          BIT_U8(5) /**< Like ANY, but for Ethernet */
 #define DETECT_PROTO_ARP               BIT_U8(6) /**< ARP packets over for Ethernet, can have VLAN(s) in between */
+#define DETECT_PROTO_L2_ANY            BIT_U8(7) /**< Like ANY, but for any L2 proto. */
 // clang-format on

 typedef struct DetectProto_ {