From e61c3a95ad9f6436baa735661e021da06b2c3956 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Tue, 24 Jan 2023 16:21:53 -0700
Subject: [PATCH] GH-2684: Stop violating VXLAN for forwarding failures

---
 src/packet_analysis/protocol/vxlan/VXLAN.cc       |   2 --
 .../conn.log                                      |  12 ++++++++++++
 .../tunnels/vxlan-encapsulated-igmp-v2.pcap       | Bin 0 -> 360 bytes
 .../tunnels/vxlan-unknown-internal-packet.zeek    |  10 ++++++++++
 4 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 testing/btest/Baseline/core.tunnels.vxlan-unknown-internal-packet/conn.log
 create mode 100644 testing/btest/Traces/tunnels/vxlan-encapsulated-igmp-v2.pcap
 create mode 100644 testing/btest/core/tunnels/vxlan-unknown-internal-packet.zeek

diff --git a/src/packet_analysis/protocol/vxlan/VXLAN.cc b/src/packet_analysis/protocol/vxlan/VXLAN.cc
index 7bc7b75c3e..2c063b329d 100644
--- a/src/packet_analysis/protocol/vxlan/VXLAN.cc
+++ b/src/packet_analysis/protocol/vxlan/VXLAN.cc
@@ -58,8 +58,6 @@ bool VXLAN_Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pack
 				                                    ec->ip_hdr->ToPktHdrVal(), val_mgr->Count(vni));
 			}
 		}
-	else
-		AnalyzerViolation("VXLAN invalid inner packet", packet->session);
 
 	return fwd_ret_val;
 	}
diff --git a/testing/btest/Baseline/core.tunnels.vxlan-unknown-internal-packet/conn.log b/testing/btest/Baseline/core.tunnels.vxlan-unknown-internal-packet/conn.log
new file mode 100644
index 0000000000..200f6e79b9
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.vxlan-unknown-internal-packet/conn.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2023-01-25-16-21-59
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+1673538029.809899	CHhAvVGS1DHFjwGM9	172.30.0.1	48036	172.30.0.2	4789	udp	-	-	-	-	OTH	-	-	0	C	0	0	0	0	-
+1673538054.797831	ClEkJM2Vm5giqnMf4h	172.30.0.1	45303	172.30.0.2	4789	udp	-	-	-	-	OTH	-	-	0	C	0	0	0	0	-
+1673538167.375490	C4J4Th3PJpwUYZZ6gc	172.30.0.1	36030	172.30.0.2	4789	udp	-	-	-	-	OTH	-	-	0	C	0	0	0	0	-
+#close	2023-01-25-16-21-59
diff --git a/testing/btest/Traces/tunnels/vxlan-encapsulated-igmp-v2.pcap b/testing/btest/Traces/tunnels/vxlan-encapsulated-igmp-v2.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..1e0206ac5274811f42d2155c4bab3a3d959fd0d2
GIT binary patch
literal 360
zcmca|c+)~A1{MYcU}0bca^7klNM0Sy!;k=EgD{iR8aW0gCa0qr(w8_GTp1XGcDp(-
zI0&kX0mT_Xa=VuZZDp{F=;r{cW)PSJG$oFK;rFF=GaL?W<zR4QU{Lsy#=yYH)LMIB
z1!uqmpxhLowPFmMEFd<U)`8@99ennk{R6U3BpznphVR(y^EwoNx!D$C-<j_q`_>!;
q+E<NkUpdgeL%Ue<_)n}9WZ&s$F#CG;VY3g}f9r}t_MI-k=05-ck6h#c

literal 0
HcmV?d00001

diff --git a/testing/btest/core/tunnels/vxlan-unknown-internal-packet.zeek b/testing/btest/core/tunnels/vxlan-unknown-internal-packet.zeek
new file mode 100644
index 0000000000..af80d894b9
--- /dev/null
+++ b/testing/btest/core/tunnels/vxlan-unknown-internal-packet.zeek
@@ -0,0 +1,10 @@
+# This test validates that we can read VXLAN traffic without throwing analyzer violations
+# when the internal packets are something we can't process. In this case, the internal
+# packets are IGMP, which we don't have an analyzer for.
+
+# @TEST-EXEC: zeek -r $TRACES/tunnels/vxlan-encapsulated-igmp-v2.pcap %INPUT
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: ! test -f analyzer.log
+
+@load base/frameworks/tunnels
+@load base/protocols/conn