From bebae2ec93aa2ee3ca2b95c031bcd62bbc3ba908 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Fri, 15 Oct 2021 16:34:35 +0200 Subject: [PATCH] Traffic directions for mirrored traffic in case no gateway MAC address is configured are not set using local/remote hosts location. Fixes #5977 --- scripts/locales/en.lua | 2 +- src/NetworkInterface.cpp | 25 ++++++++++++++++++++- src/flow_alerts/PeriodicityChangedAlert.cpp | 4 +++- src/flow_checks/IECUnexpectedTypeId.cpp | 2 +- src/flow_checks/UnexpectedServer.cpp | 2 +- 5 files changed, 30 insertions(+), 5 deletions(-) diff --git a/scripts/locales/en.lua b/scripts/locales/en.lua index c1b9c28917..4f6dbab22e 100644 --- a/scripts/locales/en.lua +++ b/scripts/locales/en.lua @@ -3102,7 +3102,7 @@ local lang = { ["discard_probing_traffic"] = "Discard Probing Traffic", ["dump_flows_to_database"] = "Dump Flows to Database", ["gw_macs"] = "MAC Address Based Traffic Directions", - ["gw_macs_description"] = "This is used to compute traffic direction (ingress or egress) based on the provided MAC address(es) (comma-separated list) as in some case (when capturing traffic from a traffic mirror or pcap) it is not possible to know the traffic direction. Traffic directed to the configured MAC address(es) is considered as egress traffic.", + ["gw_macs_description"] = "This is used to compute traffic direction (ingress or egress) based on the provided MAC address(es) (comma-separated list) as in some case (when capturing traffic from a traffic mirror or pcap) it is not possible to know the traffic direction. Traffic directed to the configured MAC address(es) is considered as egress traffic.
Note:
In case no MAC address is configured, the traffic direction is set using local vs remote hosts traffic (-m).", ["gw_macs_example"] = "e.g. %{example}", ["hide_from_top_networks"] = "Hide from Top Networks", ["hide_from_top_networks_descr"] = "e.g. %{example}", diff --git a/src/NetworkInterface.cpp b/src/NetworkInterface.cpp index 1bcdd866aa..5e9d85eef4 100644 --- a/src/NetworkInterface.cpp +++ b/src/NetworkInterface.cpp @@ -1676,7 +1676,30 @@ bool NetworkInterface::processPacket(u_int32_t bridge_iface_idx, if(new_flow) flow->setIngress2EgressDirection(ingressPacket); #endif + /* + In case of a traffic mirror with no MAC gatewy address configured + the traffic direction is set based on the local (-m) host + */ + if(isTrafficMirrored() && (!isGwMacConfigured())) { + int16_t network_id; + bool cli_local = flow->get_cli_ip_addr()->isLocalHost(&network_id); + bool srv_local = flow->get_srv_ip_addr()->isLocalHost(&network_id); + if(cli_local && (!srv_local)) + ingressPacket = false; + else if((!cli_local) && srv_local) + ingressPacket = true; + else + ; /* Leave as is */ + + /* + ntop->getTrace()->traceEvent(TRACE_NORMAL, "%s -> %s", + flow->get_cli_ip_addr()->isLocalHost(&network_id) ? "L" : "R", + flow->get_srv_ip_addr()->isLocalHost(&network_id) ? "L" : "R"); + */ + } + + if(flow->is_swap_requested() /* This guarantees that at least a packet has been observed in both directions, and that we are in the dst->src direction of the flow that is being swapped 
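Review bot: The mirror fallback added to processPacket derives `ingressPacket` from the flow's client/server roles rather than from the packet being processed, so for a local-client/remote-server flow the replies coming back from the server are also marked egress (and the reverse for a remote client). If the function's per-packet direction flag is in scope here (ntopng's processPacket tracks one as `src2dst_direction`, not visible in this hunk), the two assignments should use it: `ingressPacket = !src2dst_direction;` in the first branch and `ingressPacket = src2dst_direction;` in the second. The block also sits after `if(new_flow) flow->setIngress2EgressDirection(ingressPacket);`, so in builds where that guarded line is compiled a new flow records the value from before the override. Misattributed direction may skew any ingress/egress counter, chart or traffic-volume check that relies on it. The new comment has a typo (`gatewy`), and the function body starts and ends outside the hunk.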
@@ -6103,7 +6126,7 @@ void NetworkInterface::lua(lua_State *vm) { /* Note: source MAC is now used to get traffic direction when not areTrafficDirectionsSupported() */ lua_push_bool_table_entry(vm, "has_traffic_directions", (areTrafficDirectionsSupported() || (!Utils::isEmptyMac(ifMac))) - && (!isLoopback()) && (!isTrafficMirrored() || isGwMacConfigured())); + && (!isLoopback()) /* && (!isTrafficMirrored() || isGwMacConfigured())*/ ); lua_push_bool_table_entry(vm, "has_seen_pods", hasSeenPods()); lua_push_bool_table_entry(vm, "has_seen_containers", hasSeenContainers()); lua_push_bool_table_entry(vm, "has_seen_external_alerts", hasSeenExternalAlerts()); diff --git a/src/flow_alerts/PeriodicityChangedAlert.cpp b/src/flow_alerts/PeriodicityChangedAlert.cpp index 753e0c2c8e..c7ef01bedc 100644 --- a/src/flow_alerts/PeriodicityChangedAlert.cpp +++ b/src/flow_alerts/PeriodicityChangedAlert.cpp @@ -24,8 +24,10 @@ /* ***************************************************** */ ndpi_serializer* PeriodicityChangedAlert::getAlertJSON(ndpi_serializer* serializer) { +#ifdef NTOPNG_PRO Flow *f = getFlow(); - +#endif + if(serializer == NULL) return NULL; diff --git a/src/flow_checks/IECUnexpectedTypeId.cpp b/src/flow_checks/IECUnexpectedTypeId.cpp index cc7cb89839..466cbaec2a 100644 --- a/src/flow_checks/IECUnexpectedTypeId.cpp +++ b/src/flow_checks/IECUnexpectedTypeId.cpp @@ -50,7 +50,7 @@ bool IECUnexpectedTypeId::loadConfiguration(json_object *config) { char str[512]; u_int idx = 0; - for(int i=0; i
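Review bot: `has_traffic_directions` in lua() is now advertised for every non-loopback mirrored interface, yet the fallback this commit adds to processPacket leaves the direction unchanged when both endpoints are local or both are remote, so consumers of the flag may present ingress/egress figures that are only partly meaningful. Consider stating that limitation in the comment above the entry, e.g. `/* On mirrors without a gateway MAC, directions come from local (-m) vs remote host classification and are left unchanged for local-local and remote-remote flows */`. The old condition is kept as an inline comment; dropping it so the expression ends `&& (!isLoopback()));` keeps the line readable, since the history is already in version control. lua()'s body continues outside the hunk.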
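Review bot: The declaration of `f` in getAlertJSON now has its own `#ifdef NTOPNG_PRO` guard, separate from wherever `f` is used (outside this hunk, presumably in another NTOPNG_PRO section), so the two guards have to be kept in sync by hand. Moving `Flow *f = getFlow();` into the block that uses it, after the `serializer == NULL` check, would need only one guard and would skip the call on the early-return path. The function body continues outside the hunk.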