L2/L3/L4 Detection

Validation checks that run before rate tracking. These drop packets that shouldn't exist on a properly configured network.

L2 — MAC filter

Evaluated before any IP parsing. Two modes:

Mode	Behaviour	Config
Blacklist	Drop frames matching configured MACs	`mac_filter_mode: 2`
Whitelist	Drop frames NOT matching configured MACs	`mac_filter_mode: 1`
Disabled	Pass all frames	`mac_filter_mode: 0`

Up to 8 MAC addresses. Pre-loaded into a 8×6 byte array in the config struct. Zero entries → fast-path skip.

MAC filter runs first

A MAC filter rejection happens before parse_packet() — no IP header parsing overhead for L2-rejected frames.

L3 — IP validation

IPv4 private/bogon ranges

Range	Description
`10.0.0.0/8`	Private (RFC 1918)
`172.16.0.0/12`	Private (RFC 1918)
`192.168.0.0/16`	Private (RFC 1918)
`127.0.0.0/8`	Loopback
`169.254.0.0/16`	Link-local
`0.0.0.0/8`	Reserved
`224.0.0.0/4`	Multicast (cannot be source)

IPv6 private/bogon ranges

Range	Description
`::1/128`	Loopback
`::/128`	Unspecified
`fe80::/10`	Link-local
`fc00::/7`	Unique local
`ff00::/8`	Multicast (cannot be source)
`::ffff:0:0/96`	IPv4-mapped

Malformed L3

IP version check (IPv4 ≠ 4, IPv6 ≠ 6)
IHL < 5 (IPv4)
IP header extends past data_end
total_len < header length
IPv6 extension header overflow (> 4 headers)

L4 — TCP/UDP/ICMP

Bogus TCP flags

Drops	Reason
SYN + FIN	Impossible combination
SYN + RST	Impossible combination
FIN + RST	Impossible combination
All 8 flags set	TCP flag stuffing
No flags set	NULL scan

::: note RFC 3168 compliance ECE and CWR flags are explicitly allowed. Packets with ECN are not dropped. :::

TCP doff validation

tcp->doff must be ≥ 5 before any payload offset calculation. Prevents underflow in l4_payload_len computation.

Malformed L4 bounds

Each L4 header type is bounds-checked independently: TCP, UDP, ICMP, ICMPv6. pkt_len is u32 to prevent overflow on high-bandwidth links.

Configuration

yaml

validation:
  filter_private: true      # Drop private/bogon source IPs
  filter_bogon: true        # Drop bogon source IPs
  filter_bogus_tcp: true    # Drop impossible TCP flag combos
  filter_malformed: true    # Drop malformed headers

Rate-Based Detection · Pipeline

L2/L3/L4 Detection ​

L2 — MAC filter ​

L3 — IP validation ​

IPv4 private/bogon ranges ​

IPv6 private/bogon ranges ​

Malformed L3 ​

L4 — TCP/UDP/ICMP ​

Bogus TCP flags ​

TCP doff validation ​

Malformed L4 bounds ​

Configuration ​

Related pages ​