Skip to content

decoder/l2tp: initial implementation of decoder #14023

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 7 commits into
base: main
Choose a base branch
from
Draft

decoder/l2tp: initial implementation of decoder #14023

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
5149224
decoder/l2tp: initial implementation of decoder
poodle-amazon Oct 14, 2025
e944112
Fix up formatting w/git clang-format HEAD~
poodle-amazon Oct 14, 2025
90ea0fa
Remove some commented out debug code
poodle-amazon Oct 14, 2025
b99c4e9
Revert clang-format on the JSON Schema
poodle-amazon Oct 14, 2025
0863bea
Fix sorting of l2tp in schema.json for properties.stats.properties.de…
poodle-amazon Oct 14, 2025
cc0a282
fix style on the header file / indentation on the yaml
poodle-amazon Oct 14, 2025
db7449a
Tighten Decoding of L2TP Tunnels
poodle-amazon Oct 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions doc/userguide/configuration/suricata-yaml.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2993,6 +2993,17 @@ see :doc:`../performance/packet-profiling`.
Decoder
-------

L2TP
~~~~~

The L2TP decoder can be disabled. It is enabled by default and uses UDP port 1701.

::
decoder:
l2tp:
enabled: true
ports: $L2TP_PORTS # syntax: '[1701, 2193]'

Teredo
~~~~~~

Expand Down
30 changes: 30 additions & 0 deletions etc/schema.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6709,6 +6709,28 @@
}
}
},
"l2tp": {
"type": "object",
"additionalProperties": false,
"properties": {
"pkt_too_small": {
"type": "integer",
"description": "Number of L2TPv3 packets with the header length too small"
},
"invalid_version": {
"type": "integer",
"description": "Number of L2TP packets with an invalid version"
},
"unknown_payload_type": {
"type": "integer",
"description": "Number of L2TPv3 packets with an unknown inner L2 type"
},
"invalid_ip_proto": {
"type": "integer",
"description": "Number of L2TP packets with an invalid IP Protocol"
}
}
},
"ltnull": {
"type": "object",
"additionalProperties": false,
Expand Down Expand Up @@ -6962,6 +6984,14 @@
"type": "integer",
"description": "Number of IPv6 in IPv6 packets decoded"
},
"l2tp": {
"type": "integer",
"description": "Number of L2TPv3 packets decoded"
},
"l2tp_unsupported": {
"type": "integer",
"description": "Number of L2TPv1/2 packets decoded"
},
"max_mac_addrs_dst": {
"type": "integer",
"description": "Maximum amount of destination MAC addresses seen per flow (only if ethernet header logging enabled)"
Expand Down
2 changes: 2 additions & 0 deletions src/Makefile.am
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,7 @@ noinst_HEADERS = \
decode-icmpv6.h \
decode-ipv4.h \
decode-ipv6.h \
decode-l2tp.h \
decode-mpls.h \
decode-nsh.h \
decode-ppp.h \
Expand Down Expand Up @@ -674,6 +675,7 @@ libsuricata_c_a_SOURCES = \
decode-icmpv6.c \
decode-ipv4.c \
decode-ipv6.c \
decode-l2tp.c \
decode-mpls.c \
decode-nsh.c \
decode-null.c \
Expand Down
18 changes: 18 additions & 0 deletions src/decode-events.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -934,5 +934,23 @@ const struct DecodeEvents_ DEvents[] = {
ARP_UNSUPPORTED_OPCODE,
},

/* L2TP EVENTS */
{
"decoder.l2tp.pkt_too_small",
L2TP_PKT_TOO_SMALL,
},
{
"decoder.l2tp.invalid_version",
L2TP_INVALID_VER,
},
{
"decoder.l2tp.unknown_payload_type",
L2TP_UNKNOWN_PAYLOAD_TYPE,
},
{
"decoder.l2tp.invalid_ip_proto",
L2TP_INVALID_IP_PROTO,
},

{ NULL, 0 },
};
6 changes: 6 additions & 0 deletions src/decode-events.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -318,6 +318,12 @@ enum {
ARP_INVALID_PROTOCOL_SIZE, /**< arp proto size is not 4 */
ARP_UNSUPPORTED_OPCODE, /**< arp opcode is not listed */

/* L2TP EVENTS */
L2TP_PKT_TOO_SMALL, /**< l2tp packet smaller than minimum size */
L2TP_INVALID_VER, /**< l2tp packet version is not 1,2 or 3 */
L2TP_UNKNOWN_PAYLOAD_TYPE, /**< l2tp packet is missing a trailing ethernet header */
L2TP_INVALID_IP_PROTO, /**< l2tp packet IPPROTO is not L2TP or UDP */

/* should always be last! */
DECODE_EVENT_MAX,
};
Expand Down
3 changes: 3 additions & 0 deletions src/decode-ipv4.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -580,6 +580,9 @@ int DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
case IPPROTO_ESP:
DecodeESP(tv, dtv, p, data, data_len);
break;
case IPPROTO_L2TP:
DecodeL2TP(tv, dtv, p, data, data_len);
break;
case IPPROTO_IPV6: {
/* spawn off tunnel packet */
Packet *tp = PacketTunnelPktSetup(tv, dtv, p, data, data_len, DECODE_TUNNEL_IPV6);
Expand Down
4 changes: 4 additions & 0 deletions src/decode-ipv6.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -605,6 +605,10 @@ int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *
IPV6_SET_L4PROTO(p, IPPROTO_GRE);
DecodeGRE(tv, dtv, p, data, data_len);
break;
case IPPROTO_L2TP:
IPV6_SET_L4PROTO(p, IPPROTO_L2TP);
DecodeL2TP(tv, dtv, p, data, data_len);
break;
case IPPROTO_FRAGMENT:
case IPPROTO_HOPOPTS:
case IPPROTO_ROUTING:
Expand Down
Loading
Loading