af-packet: delay setting default-packet-size for af-packet

AF_PACKET needs more information about its configuration before we can
set the default packet size, so on startup, leave unset in suricata.c
if in AF_PACKET mode.

If defrag is enabled, use a default packet size of 9k for tpacket-v2.
This can still lead to truncation events, then the user can increase
their 'default-packet-size'.

Tpacket-v3 does not need an increased packet size as it will handle
any size of packet that is smaller than the configured block size
which now has a default of 128k.

9k for the snap is somewhat arbitrary but is large enough for the
common 9000 jumbo frame plus some extra headers including tpacket
headers.

Ticket: #7458

src/source-af-packet.c

@@ -1582,10 +1582,16 @@ sockaddr_ll) + ETH_HLEN) - ETH_HLEN);
     int snaplen = default_packet_size;
 
     if (snaplen == 0) {
-        snaplen = GetIfaceMaxPacketSize(ptv->livedev);
-        if (snaplen <= 0) {
-            SCLogWarning("%s: unable to get MTU, setting snaplen default of 1514", ptv->iface);
-            snaplen = 1514;
+        if (ptv->cluster_type & PACKET_FANOUT_FLAG_DEFRAG) {
+            SCLogConfig("%s: defrag enabled, setting snaplen to %d", ptv->iface,
+                    DEFAULT_TPACKET_DEFRAG_SNAPLEN);
+            snaplen = DEFAULT_TPACKET_DEFRAG_SNAPLEN;
+        } else {
+            snaplen = GetIfaceMaxPacketSize(ptv->livedev);
+            if (snaplen <= 0) {
+                SCLogWarning("%s: unable to get MTU, setting snaplen default of 1514", ptv->iface);
+                snaplen = 1514;
+            }
         }
     }
 
@@ -1636,10 +1642,16 @@ sockaddr_ll) + ETH_HLEN) - ETH_HLEN);
     int snaplen = default_packet_size;
 
     if (snaplen == 0) {
-        snaplen = GetIfaceMaxPacketSize(ptv->livedev);
-        if (snaplen <= 0) {
-            SCLogWarning("%s: unable to get MTU, setting snaplen default of 1514", ptv->iface);
-            snaplen = 1514;
+        if (ptv->cluster_type & PACKET_FANOUT_FLAG_DEFRAG) {
+            SCLogConfig("%s: defrag enabled, setting snaplen to %d", ptv->iface,
+                    DEFAULT_TPACKET_DEFRAG_SNAPLEN);
+            snaplen = DEFAULT_TPACKET_DEFRAG_SNAPLEN;
+        } else {
+            snaplen = GetIfaceMaxPacketSize(ptv->livedev);
+            if (snaplen <= 0) {
+                SCLogWarning("%s: unable to get MTU, setting snaplen default of 1514", ptv->iface);
+                snaplen = 1514;
+            }
         }
     }
 

src/source-af-packet.h

@@ -80,6 +80,11 @@ struct ebpf_timeout_config {
 /* Set max packet size to 65561: IP + Ethernet + 3 VLAN tags. */
 #define MAX_PACKET_SIZE 65561
 
+/* Default snaplen to use when defrag enabled. 9k is somewhat
+ * arbitrary but is large enough for the common 9000 jumbo frame plus
+ * some extra headers including tpacket headers. */
+#define DEFAULT_TPACKET_DEFRAG_SNAPLEN 9216
+
 typedef struct AFPIfaceConfig_
 {
     char iface[AFP_IFACE_NAME_LENGTH];

src/suricata.c

@@ -2443,6 +2443,11 @@ static int ConfigGetCaptureValue(SCInstance *suri)
         int nlive;
         int strip_trailing_plus = 0;
         switch (suri->run_mode) {
+            case RUNMODE_AFP_DEV:
+                /* For AF_PACKET we delay setting the
+                 * default-packet-size until we know more about the
+                 * configuration. */
+                break;
 #ifdef WINDIVERT
             case RUNMODE_WINDIVERT: {
                 /* by default, WinDivert collects from all devices */
@@ -2464,7 +2469,6 @@ static int ConfigGetCaptureValue(SCInstance *suri)
                 /* fall through */
             case RUNMODE_PLUGIN:
             case RUNMODE_PCAP_DEV:
-            case RUNMODE_AFP_DEV:
             case RUNMODE_AFXDP_DEV:
                 nlive = LiveGetDeviceCount();
                 for (lthread = 0; lthread < nlive; lthread++) {