[iptables module] Accept TOS to not provide 0x HEX format

[lucabelluccini]

What does this PR do?

It might happen that some appliances send a TOS value without the 0x prefix for HEX values.

Some users hit this problem with NFLOG and ulogd2 extension.

As I am not an expert on this domain, I let you review this change.

Why is it important?

It can allow parsing logs for IPTables and be slightly more flexible on the TOS format.

Checklist

• My code follows the style guidelines of this project
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

TODO, need to add:

Jun 28 04:35:30 Abc-A1 [SOMETHING-1234-A] IN=abc.123 OUT=abc.123 MAC=0a:ea:10:00:f0:06:10:e1:21:31:61:20:01:00:41:00:00:01 SRC=10.251.1.1 DST=10.251.1.1 LEN=32 TOS=00 PREC=0x00 TTL=63 ID=12345 PROTO=UDP SPT=9000 DPT=9000 LEN=12 MARK=0 
Jun 28 04:30:32 Abc-A1 [SOMETHING-1234-A] IN=abc.123 OUT=abc.123 MAC=0a:ea:10:00:f0:06:10:e1:21:31:61:20:01:00:41:00:00:01 SRC=10.251.1.1 DST=10.251.1.1 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=6789 PROTO=ICMP TYPE=8 CODE=0 ID=98765 SEQ=30123 MARK=0 

Related issues

None

Use cases

[elasticmachine]

Pinging @elastic/integrations (Team:Integrations)

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-10-20T04:05:28.757+0000

• Duration: 77 min 33 sec

Test stats 🧪

Test	Results
Failed	0
Passed	2283
Skipped	166
Total	2449

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[adriansr]

Looks good so far.

It's going to need sample logs added to the test files, ideally if you can find ones with a TOS value that confirms this is still hexadecimal.

Also a changelog entry.

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @lucabelluccini? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)
  To fixup this pull request, you need to add the backport labels for the needed
  branches, such as:
• backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

[efd6]

@lucabelluccini Are you able to find a real example that we can use in tests that does not include the 0x prefix and has a non-zero value? Ideally this would be a value that is definitively a hex number (i.e. with at least one digit not in [0-9]) or definitively a decimal number (i.e. three digits long) so that we can ensure that we are keeping the semantics correct.

[efd6]

OK. I have a confirmation on this. The ulogd v2 code clearly emits a two-digit hex value without a 0x prefix.

	buf_cur += sprintf(buf_cur,"LEN=%u TOS=%02X PREC=0x%02X TTL=%u ID=%u ", 
			   ikey_get_u16(&res[KEY_IP_TOTLEN]),
			   ikey_get_u8(&res[KEY_IP_TOS]) & IPTOS_TOS_MASK, 
			   ikey_get_u8(&res[KEY_IP_TOS]) & IPTOS_PREC_MASK,
			   ikey_get_u8(&res[KEY_IP_TTL]),
			   ikey_get_u16(&res[KEY_IP_ID]));

So I think we are good. I'll add the test examples that are included in the PR message.

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b iptables-enhance-tos-field upstream/iptables-enhance-tos-field
git merge upstream/main
git push upstream iptables-enhance-tos-field

[lucabelluccini]

Hello @efd6 - I opened this following an example provided by a user.
I asked them details about the source but I never got an answer.

[efd6]

@lucabelluccini No worries, I'm happy with the answer now. I think we are good now.