flow: optionally use pkt recursion for hash

[coledishington]

If a Suricata inline IPS device is routing traffic over a non-encrypted tunnel, like IPv6 tunnels, packets in a flow will be dropped and not be matched. e.g.

The following example is a Suricata inline IPS with an IPv6 tunnel: request: IPv4]ICMP] -> |IPS| -> IPv6]IPv4]ICMP]
reply: <- |IPS| <- IPv6]IPv4]ICMP]
Both the IPv4 request and IPv6 reply will be seen by Suricata on
ingress. The flows will not be matched due to flow recursion level.

Optionally use pkt recursion level in flow hash. Excluding recursion level in flow hash allows matching of packet flows and defrag on an inline IPS Suricata scenario where the IPS device is a tunnel terminator.

Feature: 6260

Make sure these boxes are checked accordingly before submitting your Pull Request -- thank you.

Contribution style:

• [✓] I have read the contributing guide lines at
  https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html

Our Contribution agreements:

• [✓] I have signed the Open Information Security Foundation contribution agreement at
  https://suricata.io/about/contribution-agreement/ (note: this is only required once)

Changes (if applicable):

• [✓] I have updated the User Guide (in doc/userguide/) to reflect the changes made
• [✓] I have created a ticket at
  https://redmine.openinfosecfoundation.org/projects/suricata/issues

Link to ticket: https://redmine.openinfosecfoundation.org/issues/6260

Describe changes:
Add config (decoder.recursion-level.use-for-tracking) to control the use of packet recursion level in flow matching. This is to support scenarios where Suricata inline IPS device is routing traffic over a non-encrypted tunnel, like IPv6 tunnels, packets in a flow will be dropped and not be matched. e.g.

The following example is a Suricata inline IPS with an IPv6 tunnel:
request: IPv4]ICMP] -> |IPS| -> IPv6]IPv4]ICMP]
reply: <- |IPS| <- IPv6]IPv4]ICMP]

Both the IPv4 request and IPv6 reply will be seen by Suricata on ingress. The flows will not be matched due to flow recursion level.

This should also solve the issue discussed on https://forum.suricata.io/t/suricata-on-ipip-tunneled-packets/4850/2

Provide values to any of the below to override the defaults.

OISF/suricata-verify#2081

SV_BRANCH=pr/2081

[codecov]

Codecov Report

Attention: Patch coverage is 72.72727% with 6 lines in your changes missing coverage. Please review.

Project coverage is 82.62%. Comparing base (6ae5ae7) to head (5fca614).

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #11908      +/-   ##
==========================================
+ Coverage   82.60%   82.62%   +0.02%     
==========================================
  Files         912      912              
  Lines      249342   249350       +8     
==========================================
+ Hits       205968   206035      +67     
+ Misses      43374    43315      -59     

Flag	Coverage Δ
fuzzcorpus	60.68% <63.63%> (+0.04%)	⬆️
livemode	18.72% <18.18%> (+<0.01%)	⬆️
pcap	44.09% <68.18%> (+0.02%)	⬆️
suricata-verify	62.01% <72.72%> (-0.01%)	⬇️
unittests	58.93% <27.27%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

[coledishington]

Fixed clang formatting issues in #11913