
process_outgoing_traffic=off is ignored for IPv6 #963

Closed
toreanderson opened this issue Jan 17, 2023 · 2 comments

Comments

@toreanderson

Info requested in the issue template:

  • FastNetMon version: ghcr.io/pavel-odintsov/fastnetmon-community:latest (image ID 557cf1852ef7, identifies as 1.2.3 master git-fd4f232239fe6e872a6468bdd464f528490bde16).
  • Operating system name and version: Rocky Linux 8.7
  • My /etc/fastnetmon.conf: fastnetmon.conf.txt
  • Capture engine: sFlow
  • Version, vendor name, model name and firmware of agent device: Cumulus Linux 4.3.1 running on Edge-Core AS7326-56X
  • I did not find any previously submitted issues about this particular problem

Description

Outbound IPv6 attacks are detected and acted on in spite of having set process_outgoing_traffic = off in fastnetmon.conf.

The FastNetMon log contains the following (anonymised):

We will log everything on console
[INFO] Logger initialized!
[INFO] Read configuration file
[INFO] We loaded 6 networks from networks file
[INFO] Totally we have 4 IPv4 subnets
[INFO] Totally we have 2 IPv6 subnets
[INFO] Total number of monitored hosts (total size of all networks): 9984
[INFO] We need 7 MB of memory for storing counters for your networks
[INFO] I will allocate 8192 records for subnet <snip> cidr mask: 19
[INFO] I will allocate 1024 records for subnet <snip> cidr mask: 22
[INFO] I will allocate 256 records for subnet <snip> cidr mask: 24
[INFO] I will allocate 512 records for subnet <snip> cidr mask: 23
[INFO] We start total zerofication of counters
[INFO] We finished zerofication
[INFO] We loaded 4 IPv4 subnets to our in-memory list of networks
[INFO] Launch API server
[INFO] API server listening on 127.0.0.1:50052
[INFO] Run banlist cleanup thread, we will awake every 60 seconds
[INFO] sflow: plugin started
[INFO] sflow: We parsed 1 ports for sflow
[INFO] sflow: We will listen on 1 ports
[INFO] sflow: plugin will listen on 0.0.0.0:6346 udp port
[INFO] Default sFlow receive buffer size: 212992 bytes
[INFO] We have detected IPv6 attack for 2001:0db8::0001/128 with packets per second threshold host group: global
[INFO] We run attack block code with following params in: 22352 pps 22 mbps out: 150257 pps 1565 mbps and we decided it's outgoing attack
[INFO] Enabled packet capture for IPv6 2001:0db8::0001
[INFO] We've filled circullar buffer for ip 2001:0db8::0001/128 with 1000 elements in raw_packets_circular_buffer and 1000 elements in parsed_packets_circular_buffer
[INFO] We've collected packets for 2001:0db8::0001/128 in 75.0735 seconds
[INFO] We've got new completely filled bucket with packets for IPv6 2001:0db8::0001/128
[INFO] IPv6 address 2001:0db8::0001/128 was banned
[INFO] Call script for ban client: 2001:0db8::0001
[INFO] Script for ban client is finished: 2001:0db8::0001
[INFO] Subprocess exit code: 0

As you can see, FastNetMon has, quote «decided it's outgoing attack». The notify_about_attack.sh was called with the arguments 2001:0db8::0001 outgoing 150257 ban.

If I run fastnetmon_client --ipv6, I can see that it does process outgoing traffic:

Outgoing traffic                        253235 pps   2580 mbps

However, it does not print out any top-N list of IPv6 addresses below this line. It does show this top-N list if I set process_outgoing_traffic = on.

fastnetmon_client (without --ipv4) behaves differently: it simply says there is no outgoing traffic whatsoever:

Outgoing traffic             0 pps      0 mbps      0 flows

There are also no notifications (ban/unban actions) about outbound IPv4 attacks (but if I enable process_outgoing_traffic = on, there are plenty of them since the thresholds are set unrealistically low for testing purposes).
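As an added example (not code from the report or from the FastNetMon project): a small consistency check that reads the process_incoming_traffic / process_outgoing_traffic settings from a fastnetmon.conf fragment and scans log lines for ban actions whose direction the configuration says should be ignored. The configuration fragment and the log lines are constructed, modelled on the anonymised excerpt above; the function and variable names are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed fastnetmon.conf fragment with outgoing processing disabled (not the reporter's file).
SAMPLE_CONF = """
process_incoming_traffic = on
process_outgoing_traffic = off
ban_for_pps = on
"""

# Constructed log lines modelled on the anonymised excerpt in the report.
SAMPLE_LOG = [
    "[INFO] We have detected IPv6 attack for 2001:0db8::0001/128 with packets per second threshold host group: global",
    "[INFO] We run attack block code with following params in: 22352 pps 22 mbps out: 150257 pps 1565 mbps and we decided it's outgoing attack",
    "[INFO] IPv6 address 2001:0db8::0001/128 was banned",
    "[INFO] We have detected IPv4 attack for 203.0.113.7/32 with packets per second threshold host group: global",
    "[INFO] We run attack block code with following params in: 90000 pps 700 mbps out: 500 pps 4 mbps and we decided it's incoming attack",
    "[INFO] IPv4 address 203.0.113.7/32 was banned",
]

DIRECTION_RE = re.compile(r"we decided it's (incoming|outgoing) attack")
BAN_RE = re.compile(r"(IPv[46]) address (\S+) was banned")


def parse_conf(text: str) -> Dict[str, str]:
    """Return key/value pairs from a 'key = value' style fastnetmon.conf text."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().lower()
    return conf


def find_contradicting_bans(conf: Dict[str, str], log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (family, address, direction) for each ban whose direction is disabled in conf."""
    disabled = {d for d in ("incoming", "outgoing") if conf.get(f"process_{d}_traffic", "on") == "off"}
    findings: List[Tuple[str, str, str]] = []
    direction = None  # direction decided by the most recent "attack block code" line
    for line in log_lines:
        m = DIRECTION_RE.search(line)
        if m:
            direction = m.group(1)
            continue
        m = BAN_RE.search(line)
        if m:
            if direction in disabled:
                findings.append((m.group(1), m.group(2), direction))
            direction = None  # each ban consumes the preceding decision
    return findings
```

Running find_contradicting_bans(parse_conf(SAMPLE_CONF), SAMPLE_LOG) reports only the IPv6 outgoing ban, which is exactly the behaviour the report describes as unexpected.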

@pavel-odintsov
Owner

Hello, Tore!

Sorry about the delay with the answer.

Yes, I can confirm that process_outgoing_traffic and process_incoming_traffic do not work with IPv6 but should work fine with IPv6.

@pavel-odintsov
Owner

I've applied a fix which should enable this logic for IPv6. Please try installing the new version using: https://fastnetmon.com/install/

2 participants