From 3fa0430b443a5034f2339b9f99fe199cdb623fbe Mon Sep 17 00:00:00 2001 From: jlgonzalez Date: Fri, 29 Nov 2024 09:01:53 +0100 Subject: [PATCH 1/2] fix(inputs.netflow): handle decode of multiple flags in TCP and IP headers Golang switch block does not do automatic fallthrough so it must be explicitly added to handle multiple cases --- plugins/inputs/netflow/sflow_v5.go | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/plugins/inputs/netflow/sflow_v5.go b/plugins/inputs/netflow/sflow_v5.go index 6e43680f3a597..944665223655b 100644 --- a/plugins/inputs/netflow/sflow_v5.go +++ b/plugins/inputs/netflow/sflow_v5.go @@ -394,8 +394,10 @@ func (d *sflowv5Decoder) decodeRawHeaderSample(record *sflow.SampledHeader) (map switch { case l.Flags&layers.IPv4EvilBit > 0: flags[7] = byte('E') + fallthrough case l.Flags&layers.IPv4DontFragment > 0: flags[6] = byte('D') + fallthrough case l.Flags&layers.IPv4MoreFragments > 0: flags[5] = byte('M') } @@ -421,18 +423,25 @@ func (d *sflowv5Decoder) decodeRawHeaderSample(record *sflow.SampledHeader) (map switch { case l.FIN: flags[7] = byte('F') + fallthrough case l.SYN: flags[6] = byte('S') + fallthrough case l.RST: flags[5] = byte('R') + fallthrough case l.PSH: flags[4] = byte('P') + fallthrough case l.ACK: flags[3] = byte('A') + fallthrough case l.URG: flags[2] = byte('U') + fallthrough case l.ECE: flags[1] = byte('E') + fallthrough case l.CWR: flags[0] = byte('C') } From 702957c5474a8b54f4c18fa0b32fe856729261bb Mon Sep 17 00:00:00 2001 From: jlgonzalez Date: Fri, 29 Nov 2024 11:13:31 +0100 Subject: [PATCH 2/2] fix(inputs.netflow): change TCP and IP flags processing from using switch statements to if statements fallthrough usage is not valid because next condition is not evaluated --- plugins/inputs/netflow/sflow_v5.go | 42 ++++++++++++++---------------- 1 file changed, 20 insertions(+), 22 deletions(-) diff --git a/plugins/inputs/netflow/sflow_v5.go b/plugins/inputs/netflow/sflow_v5.go index 944665223655b..7ac616bf54ebd 100644 --- a/plugins/inputs/netflow/sflow_v5.go +++ b/plugins/inputs/netflow/sflow_v5.go @@ -391,14 +391,13 @@ func (d *sflowv5Decoder) decodeRawHeaderSample(record *sflow.SampledHeader) (map fields["dst"] = l.DstIP.String() flags := []byte("........") - switch { - case l.Flags&layers.IPv4EvilBit > 0: + if l.Flags&layers.IPv4EvilBit > 0 { flags[7] = byte('E') - fallthrough - case l.Flags&layers.IPv4DontFragment > 0: + } + if l.Flags&layers.IPv4DontFragment > 0 { flags[6] = byte('D') - fallthrough - case l.Flags&layers.IPv4MoreFragments > 0: + } + if l.Flags&layers.IPv4MoreFragments > 0 { flags[5] = byte('M') } fields["fragment_flags"] = string(flags) @@ -420,29 +419,28 @@ func (d *sflowv5Decoder) decodeRawHeaderSample(record *sflow.SampledHeader) (map fields["tcp_window_size"] = l.Window fields["tcp_urgent_ptr"] = l.Urgent flags := []byte("........") - switch { - case l.FIN: + if l.FIN { flags[7] = byte('F') - fallthrough - case l.SYN: + } + if l.SYN { flags[6] = byte('S') - fallthrough - case l.RST: + } + if l.RST { flags[5] = byte('R') - fallthrough - case l.PSH: + } + if l.PSH { flags[4] = byte('P') - fallthrough - case l.ACK: + } + if l.ACK { flags[3] = byte('A') - fallthrough - case l.URG: + } + if l.URG { flags[2] = byte('U') - fallthrough - case l.ECE: + } + if l.ECE { flags[1] = byte('E') - fallthrough - case l.CWR: + } + if l.CWR { flags[0] = byte('C') } fields["tcp_flags"] = string(flags)