OISF · catenacyber · Apr 24, 2025 · Apr 24, 2025 · May 2, 2025 · Apr 24, 2025
@@ -182,7 +182,7 @@ int DecodeVXLAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
     StatsIncr(tv, dtv->counter_vxlan);
 
     EthernetHdr *ethh = (EthernetHdr *)(pkt + VXLAN_HEADER_LEN);
-    int decode_tunnel_proto = DECODE_TUNNEL_UNSET;
+    bool eth_ok = false;
 
     /* Look at encapsulated Ethernet frame to get next protocol  */
     uint16_t eth_type = SCNtohs(ethh->eth_type);
@@ -191,30 +191,31 @@ int DecodeVXLAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
     switch (eth_type) {
         case ETHERNET_TYPE_ARP:
             SCLogDebug("VXLAN found ARP");
+            eth_ok = true;
             break;
         case ETHERNET_TYPE_IP:
             SCLogDebug("VXLAN found IPv4");
-            decode_tunnel_proto = DECODE_TUNNEL_IPV4;
+            eth_ok = true;
             break;
         case ETHERNET_TYPE_IPV6:
             SCLogDebug("VXLAN found IPv6");
-            decode_tunnel_proto = DECODE_TUNNEL_IPV6;
+            eth_ok = true;
             break;
         case ETHERNET_TYPE_VLAN:
         case ETHERNET_TYPE_8021AD:
         case ETHERNET_TYPE_8021QINQ:
             SCLogDebug("VXLAN found VLAN");
-            decode_tunnel_proto = DECODE_TUNNEL_VLAN;
+            eth_ok = true;
             break;
         default:
             SCLogDebug("VXLAN found unsupported Ethertype - expected IPv4, IPv6, VLAN, or ARP");
             ENGINE_SET_INVALID_EVENT(p, VXLAN_UNKNOWN_PAYLOAD_TYPE);
     }
 
     /* Set-up and process inner packet if it is a supported ethertype */
-    if (decode_tunnel_proto != DECODE_TUNNEL_UNSET) {
-        Packet *tp = PacketTunnelPktSetup(tv, dtv, p, pkt + VXLAN_HEADER_LEN + ETHERNET_HEADER_LEN,
-                len - (VXLAN_HEADER_LEN + ETHERNET_HEADER_LEN), decode_tunnel_proto);
+    if (eth_ok) {
+        Packet *tp = PacketTunnelPktSetup(
+                tv, dtv, p, pkt + VXLAN_HEADER_LEN, len - VXLAN_HEADER_LEN, DECODE_TUNNEL_VXLAN);
         if (tp != NULL) {
             PKT_SET_SRC(tp, PKT_SRC_DECODER_VXLAN);
             PacketEnqueueNoLock(&tv->decode_pq, tp);

@@ -206,6 +206,8 @@ static int DecodeTunnel(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const
             return DecodeERSPAN(tv, dtv, p, pkt, len);
         case DECODE_TUNNEL_ERSPANI:
             return DecodeERSPANTypeI(tv, dtv, p, pkt, len);
+        case DECODE_TUNNEL_VXLAN:
+            return DecodeEthernet(tv, dtv, p, pkt, len);
         case DECODE_TUNNEL_NSH:
             return DecodeNSH(tv, dtv, p, pkt, len);
         case DECODE_TUNNEL_ARP:
@@ -395,7 +397,7 @@ inline int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
  *  \retval p the pseudo packet or NULL if out of memory
  */
 Packet *PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *parent,
-                             const uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto)
+        const uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto)
 {
     int ret;
 
@@ -426,13 +428,14 @@ Packet *PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *pare
     /* set the root ptr to the lowest layer */
     if (parent->root != NULL) {
         p->root = parent->root;
-        BUG_ON(parent->ttype != PacketTunnelChild);
+        BUG_ON(!PacketIsTunnelChild(parent));
     } else {
         p->root = parent;
         parent->ttype = PacketTunnelRoot;
     }
     /* tell new packet it's part of a tunnel */
     p->ttype = PacketTunnelChild;
+    p->tproto = (uint8_t)proto;
 
     ret = DecodeTunnel(tv, dtv, p, GET_PKT_DATA(p),
                        GET_PKT_LEN(p), proto);
@@ -487,7 +490,7 @@ Packet *PacketDefragPktSetup(Packet *parent, const uint8_t *pkt, uint32_t len, u
     /* set the root ptr to the lowest layer */
     if (parent->root != NULL) {
         p->root = parent->root;
-        BUG_ON(parent->ttype != PacketTunnelChild);
+        BUG_ON(!PacketIsTunnelChild(parent));
     } else {
         p->root = parent;
         // we set parent->ttype later

@@ -481,6 +481,21 @@ struct PacketL4 {
     } vars;
 };
 
+enum DecodeTunnelProto {
+    DECODE_TUNNEL_ETHERNET,
+    DECODE_TUNNEL_ERSPANII,
+    DECODE_TUNNEL_ERSPANI,
+    DECODE_TUNNEL_VXLAN,
+    DECODE_TUNNEL_VLAN,
+    DECODE_TUNNEL_IPV4,
+    DECODE_TUNNEL_IPV6,
+    DECODE_TUNNEL_IPV6_TEREDO, /**< separate protocol for stricter error handling */
+    DECODE_TUNNEL_PPP,
+    DECODE_TUNNEL_NSH,
+    DECODE_TUNNEL_ARP,
+    DECODE_TUNNEL_UNSET
+};
+
 /* sizes of the members:
  * src: 17 bytes
  * dst: 17 bytes
@@ -550,7 +565,10 @@ typedef struct Packet_
     uint32_t flow_hash;
 
     /* tunnel type: none, root or child */
-    enum PacketTunnelType ttype;
+    uint8_t ttype; // enum PacketTunnelType
+
+    /* tunnel protocol */
+    uint8_t tproto; // enum DecodeTunnelProto
 
     SCTime_t ts;
 
@@ -1099,20 +1117,6 @@ static inline void PacketTunnelSetVerdicted(Packet *p)
     p->tunnel_verdicted = true;
 }
 
-enum DecodeTunnelProto {
-    DECODE_TUNNEL_ETHERNET,
-    DECODE_TUNNEL_ERSPANII,
-    DECODE_TUNNEL_ERSPANI,
-    DECODE_TUNNEL_VLAN,
-    DECODE_TUNNEL_IPV4,
-    DECODE_TUNNEL_IPV6,
-    DECODE_TUNNEL_IPV6_TEREDO, /**< separate protocol for stricter error handling */
-    DECODE_TUNNEL_PPP,
-    DECODE_TUNNEL_NSH,
-    DECODE_TUNNEL_ARP,
-    DECODE_TUNNEL_UNSET
-};
-
 Packet *PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *parent,
                              const uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto);
 Packet *PacketDefragPktSetup(Packet *parent, const uint8_t *pkt, uint32_t len, uint8_t proto);

@@ -258,7 +258,7 @@ static bool PcapLogCondition(ThreadVars *tv, void *thread_data, const Packet *p)
         return false;
     }
 
-    if (p->ttype == PacketTunnelChild) {
+    if (PacketIsTunnelChild(p)) {
         return false;
     }
     return true;
@@ -390,7 +390,7 @@ static int PcapLogOpenHandles(PcapLogData *pl, const Packet *p)
     PCAPLOG_PROFILE_START;
 
     int datalink = p->datalink;
-    if (p->ttype == PacketTunnelChild) {
+    if (PacketIsTunnelChild(p)) {
         Packet *real_p = p->root;
         datalink = real_p->datalink;
     }
@@ -626,7 +626,7 @@ static int PcapLog(ThreadVars *tv, void *thread_data, const Packet *p)
     pl->pkt_cnt++;
     pl->h->ts.tv_sec = SCTIME_SECS(p->ts);
     pl->h->ts.tv_usec = SCTIME_USECS(p->ts);
-    if (p->ttype == PacketTunnelChild) {
+    if (PacketIsTunnelChild(p)) {
         rp = p->root;
         pl->h->caplen = GET_PKT_LEN(rp);
         pl->h->len = GET_PKT_LEN(rp);
@@ -700,7 +700,7 @@ static int PcapLog(ThreadVars *tv, void *thread_data, const Packet *p)
             /* PcapLogDumpSegment has written over the PcapLogData variables so need to update */
             pl->h->ts.tv_sec = SCTIME_SECS(p->ts);
             pl->h->ts.tv_usec = SCTIME_USECS(p->ts);
-            if (p->ttype == PacketTunnelChild) {
+            if (PacketIsTunnelChild(p)) {
                 rp = p->root;
                 pl->h->caplen = GET_PKT_LEN(rp);
                 pl->h->len = GET_PKT_LEN(rp);
@@ -713,7 +713,7 @@ static int PcapLog(ThreadVars *tv, void *thread_data, const Packet *p)
         }
     }
 
-    if (p->ttype == PacketTunnelChild) {
+    if (PacketIsTunnelChild(p)) {
         rp = p->root;
         ret = PcapWrite(tv, td, GET_PKT_DATA(rp), len);
     } else {

@@ -2282,7 +2282,6 @@ static int AFPBypassCallback(Packet *p)
         keys[0]->port16[1] = p->dp;
         keys[0]->vlan0 = p->vlan_id[0];
         keys[0]->vlan1 = p->vlan_id[1];
-        keys[0]->vlan2 = p->vlan_id[2];
 
         if (p->proto == IPPROTO_TCP) {
             keys[0]->ip_proto = 1;
@@ -2308,7 +2307,6 @@ static int AFPBypassCallback(Packet *p)
         keys[1]->port16[1] = p->sp;
         keys[1]->vlan0 = p->vlan_id[0];
         keys[1]->vlan1 = p->vlan_id[1];
-        keys[1]->vlan2 = p->vlan_id[2];
 
         keys[1]->ip_proto = keys[0]->ip_proto;
         if (AFPInsertHalfFlow(p->afp_v.v4_map_fd, keys[1],
@@ -2343,7 +2341,6 @@ static int AFPBypassCallback(Packet *p)
         keys[0]->port16[1] = p->dp;
         keys[0]->vlan0 = p->vlan_id[0];
         keys[0]->vlan1 = p->vlan_id[1];
-        keys[0]->vlan2 = p->vlan_id[2];
 
         if (p->proto == IPPROTO_TCP) {
             keys[0]->ip_proto = 1;
@@ -2371,7 +2368,6 @@ static int AFPBypassCallback(Packet *p)
         keys[1]->port16[1] = p->sp;
         keys[1]->vlan0 = p->vlan_id[0];
         keys[1]->vlan1 = p->vlan_id[1];
-        keys[1]->vlan2 = p->vlan_id[2];
 
         keys[1]->ip_proto = keys[0]->ip_proto;
         if (AFPInsertHalfFlow(p->afp_v.v6_map_fd, keys[1],
@@ -2439,7 +2435,6 @@ static int AFPXDPBypassCallback(Packet *p)
         keys[0]->port16[1] = htons(p->dp);
         keys[0]->vlan0 = p->vlan_id[0];
         keys[0]->vlan1 = p->vlan_id[1];
-        keys[0]->vlan2 = p->vlan_id[2];
         if (p->proto == IPPROTO_TCP) {
             keys[0]->ip_proto = 1;
         } else {
@@ -2464,7 +2459,6 @@ static int AFPXDPBypassCallback(Packet *p)
         keys[1]->port16[1] = htons(p->sp);
         keys[1]->vlan0 = p->vlan_id[0];
         keys[1]->vlan1 = p->vlan_id[1];
-        keys[1]->vlan2 = p->vlan_id[2];
         keys[1]->ip_proto = keys[0]->ip_proto;
         if (AFPInsertHalfFlow(p->afp_v.v4_map_fd, keys[1],
                               p->afp_v.nr_cpus) == 0) {
@@ -2497,7 +2491,6 @@ static int AFPXDPBypassCallback(Packet *p)
         keys[0]->port16[1] = htons(p->dp);
         keys[0]->vlan0 = p->vlan_id[0];
         keys[0]->vlan1 = p->vlan_id[1];
-        keys[0]->vlan2 = p->vlan_id[2];
         if (p->proto == IPPROTO_TCP) {
             keys[0]->ip_proto = 1;
         } else {
@@ -2524,7 +2517,6 @@ static int AFPXDPBypassCallback(Packet *p)
         keys[1]->port16[1] = htons(p->sp);
         keys[1]->vlan0 = p->vlan_id[0];
         keys[1]->vlan1 = p->vlan_id[1];
-        keys[1]->vlan2 = p->vlan_id[2];
         keys[1]->ip_proto = keys[0]->ip_proto;
         if (AFPInsertHalfFlow(p->afp_v.v6_map_fd, keys[1],
                               p->afp_v.nr_cpus) == 0) {

@@ -413,6 +413,18 @@ int EBPFLoadFile(const char *iface, const char *path, const char * section,
             SCLogError("Too many BPF maps in eBPF files");
             break;
         }
+        if (strcmp(bpf_map__name(map), "flow_table_v4") == 0) {
+            if (bpf_map__key_size(map) != sizeof(struct flowv4_keys)) {
+                SCLogError("Incompatible flow_table_v4");
+                break;
+            }
+        }
+        if (strcmp(bpf_map__name(map), "flow_table_v6") == 0) {
+            if (bpf_map__key_size(map) != sizeof(struct flowv6_keys)) {
+                SCLogError("Incompatible flow_table_v6");
+                break;
+            }
+        }
         SCLogDebug("Got a map '%s' with fd '%d'", bpf_map__name(map), bpf_map__fd(map));
         bpf_map_data->array[bpf_map_data->last].fd = bpf_map__fd(map);
         bpf_map_data->array[bpf_map_data->last].name = SCStrdup(bpf_map__name(map));
@@ -749,7 +761,6 @@ static int EBPFForEachFlowV4Table(ThreadVars *th_v, LiveDevice *dev, const char
         flow_key.dst.addr_data32[3] = 0;
         flow_key.vlan_id[0] = next_key.vlan0;
         flow_key.vlan_id[1] = next_key.vlan1;
-        flow_key.vlan_id[2] = next_key.vlan2;
         if (next_key.ip_proto == 1) {
             flow_key.proto = IPPROTO_TCP;
         } else {
@@ -868,7 +879,6 @@ static int EBPFForEachFlowV6Table(ThreadVars *th_v,
         }
         flow_key.vlan_id[0] = next_key.vlan0;
         flow_key.vlan_id[1] = next_key.vlan1;
-        flow_key.vlan_id[2] = next_key.vlan2;
         if (next_key.ip_proto == 1) {
             flow_key.proto = IPPROTO_TCP;
         } else {

@@ -45,7 +45,6 @@ struct flowv4_keys {
     __u8 ip_proto:1;
     __u16 vlan0:15;
     __u16 vlan1;
-    __u16 vlan2;
 };
 
 struct flowv6_keys {
@@ -58,7 +57,6 @@ struct flowv6_keys {
     __u8 ip_proto:1;
     __u16 vlan0:15;
     __u16 vlan1;
-    __u16 vlan2;
 };
 
 struct pair {