decoder/l2tp: initial implementation of decoder

[poodle-amazon]

Issue: 7986

Make sure these boxes are checked accordingly before submitting your Pull Request -- thank you.

Contribution style:

• I have read the contributing guide lines at
  https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html

Our Contribution agreements:

• I have signed the Open Information Security Foundation contribution agreement at
  https://suricata.io/about/contribution-agreement/ (note: this is only required once)

Changes (if applicable):

• I have updated the User Guide (in doc/userguide/) to reflect the changes made
• I have updated the JSON schema (in etc/schema.json) to reflect all logging changes
  (including schema descriptions)
• I have created a ticket at
  https://redmine.openinfosecfoundation.org/projects/suricata/issues

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7986

Describe changes:

• Rebased commit of L2TP Feature for 7986
  • Rebased from decoder/l2tp: initial implementation of decoder #14023 with requested changes and a suricata-verify commit / pull request

Provide values to any of the below to override the defaults.

• To use a Suricata-Verify or Suricata-Update pull request,
  link to the pull request in the respective _BRANCH variable.
• Leave unused overrides blank or remove.

SV_REPO=
SV_BRANCH=OISF/suricata-verify#2748
SU_REPO=
SU_BRANCH=

[github-actions]

NOTE: This PR may contain new authors.

[victorjulien]

Just a few quick comments as I checked if I could enable the CI

[victorjulien]

missing ;

[victorjulien]

would like to drop the ; here and force the caller to set it

[codecov]

Codecov Report

❌ Patch coverage is 91.71271% with 30 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.17%. Comparing base (b21c93d) to head (245c382).

Additional details and impacted files

@@           Coverage Diff            @@
##             main   #14325    +/-   ##
========================================
  Coverage   84.16%   84.17%            
========================================
  Files        1012     1014     +2     
  Lines      261869   262231   +362     
========================================
+ Hits       220405   220721   +316     
- Misses      41464    41510    +46     

Flag	Coverage Δ
fuzzcorpus	63.29% <47.05%> (-0.03%)	⬇️
livemode	18.75% <21.32%> (-0.02%)	⬇️
pcap	44.68% <72.05%> (+<0.01%)	⬆️
suricata-verify	64.93% <73.33%> (+0.01%)	⬆️
unittests	59.27% <85.31%> (+0.04%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[suricata-qa]

WARNING:

field	baseline	test	%
	SURI_TLPR1_stats_chk
.decoder.invalid	123	4308	3502.44%
	IPS_AFP_stats_chk
.decoder.invalid	0	3692	-
	TREX_GENERIC_stats_chk
.decoder.invalid	0	8338	-

Pipeline = 28461

[poodle-amazon]

I've made it even more less strict to stop the excessive number invalid packets on QA and added a SV test for this (decode-l2tp-v3-15).

[github-actions]

NOTE: This PR may contain new authors.

[victorjulien]

I've made it even more less strict to stop the excessive number invalid packets on QA and added a SV test for this (decode-l2tp-v3-15).

Would have to check the pcaps, but I suspect we need to opposite? If we detect other traffic as l2tp initially, but then it fails to decode the encapsulated protocol. That would trigger lots of invalid packets potentially. This has been our experience with vxlan as well.

With Suricon next week it will probably a while before we can dig up pcaps.

@ct0br0 can we share any of the pcaps?

[suricata-qa]

WARNING:

field	baseline	test	%
	SURI_TLPR1_stats_chk
.decoder.invalid	123	173	140.65%

Pipeline = 28466

[victorjulien]

This result is a lot better already. Lets see if we can extract the pcap and review if they can be shared or that we can use them to assist in some other way.