128 changes: 96 additions & 32 deletions scripts/vyatta-netflow.pl
Expand Up @@ -63,14 +63,28 @@
sub acct_get_table_chain {
my %chain_table = ();
if ($table_chain_entry eq "early") {
%chain_table = ("VYATTA_CT_PREROUTING_HOOK" => "raw");
%chain_table = (
"ipv4" => {
"VYATTA_CT_PREROUTING_HOOK" => "raw",
},
"ipv6" => {
"VYATTA_CT_PREROUTING_HOOK" => "raw",
},
);
} else {
%chain_table = (
"VYATTA_POST_FW_IN_HOOK" => "filter",
"VYATTA_POST_FW_FWD_HOOK" => "filter"
"ipv4" => {
"VYATTA_POST_FW_IN_HOOK" => "filter",
"VYATTA_POST_FW_FWD_HOOK" => "filter",
},
"ipv6" => {
"VYATTA_POST_FW_IN_HOOK" => "filter",
"VYATTA_POST_FW_FWD_HOOK" => "filter",
},
);
}
return (\%chain_table);

return %chain_table;
}

sub acct_conf_globals {
Expand Down Expand Up @@ -173,7 +187,7 @@ sub acct_get_netflow {
$output .= "nfprobe_receiver: $server_port\n";
$output .= "nfprobe_version: $version\n" if defined $version;
$output .= "nfprobe_source_ip: $source_ip\n" if defined $source_ip;
$output .= "nfprobe_engine: $engine_id:0\n" if $version ne '9';;
$output .= "nfprobe_engine: $engine_id:0\n" if $version == '5';
$output .= "nfprobe_timeouts: $timeout_str\n"
if $timeout_str ne '';
$output .= "nfprobe_maxflows: $maxflows\n" if defined $maxflows;
Expand Down Expand Up @@ -332,46 +346,96 @@ sub acct_get_config {
sub acct_add_nflog_target {
my ($intf) = @_;

my ($table_chain) = acct_get_table_chain();
while (my ($chain, $table) = each(%$table_chain)) {
my $cmd = "iptables -t $table -I $chain 1 -i $intf -j NFLOG" ." --nflog-group 2";
if (defined $nflog_range) {
$cmd .= " --nflog-range $nflog_range";
my %table_chain = acct_get_table_chain();
foreach my $ip_proto ( keys %table_chain ) {
my $iptables_cmd;
if ( $ip_proto eq "ipv4" ) {
$iptables_cmd = "iptables";
}
if (defined $nflog_threshold) {
$cmd .= " --nflog-threshold $nflog_threshold";
elsif ( $ip_proto eq "ipv6" ) {
$iptables_cmd = "ip6tables";
}
my $ret = system($cmd);
if ($ret >> 8) {
die "Error: [$cmd] failed - $?\n";
else {
die "Wrong or not provided IP protocol in acct_get_table_chain()!";
}

for my $chain ( keys %{ $table_chain{$ip_proto} } ) {
my $cmd = "$iptables_cmd -t $table_chain{$ip_proto}{$chain} -I $chain 1 -i $intf -j NFLOG" ." --nflog-group 2";
if (defined $nflog_range) {
$cmd .= " --nflog-range $nflog_range";
}
if (defined $nflog_threshold) {
$cmd .= " --nflog-threshold $nflog_threshold";
}
my $ret = system($cmd);
if ($ret >> 8) {
die "Error: [$cmd] failed - $?\n";
}
}
}
}

# get iptables rule dict for chain in table
sub iptables_chain_get {
my ($proto, $table, $chain_name) = @_;
# define hash with rules, iptables command and empty parser pattern
my (%rules, $iptables_command, $rule_pattern);

# tune variables for IP protocol (regex and command)
if ( $proto eq "ipv4" ) {
$iptables_command = "iptables -t $table -L $chain_name -n -v -x --line-numbers";
$rule_pattern = '^(?P<num>\d+) +(?P<pkts>\d+) +(?P<bytes>\d+) +(?P<target>[\w\-]+) +(?P<prot>\w+) +(?P<opt>[\w\-]+) +(?P<in>[\w\.\*\-]+) +(?P<out>[\w\.\*\-]+) +(?P<source>[\w\.\:\/]+) +(?P<destination>[\w\.\:\/]+) +(?P<details>.*)$';
}
if ( $proto eq "ipv6" ) {
$iptables_command = "ip6tables -t $table -L $chain_name -n -v -x --line-numbers";
$rule_pattern = '^(?P<num>\d+) +(?P<pkts>\d+) +(?P<bytes>\d+) +(?P<target>[\w\-]+) +(?P<prot>\w+) +(?P<in>[\w\.\*\-]+) +(?P<out>[\w\.\*\-]+) +(?P<source>[\w\.\:\/]+) +(?P<destination>[\w\.\:\/]+) +(?P<details>.*)$';
}

# run iptables, save output
my @iptables_out = `$iptables_command`;

# parse each line and add information to hash
foreach my $current_rule (@iptables_out) {
$rules{$+{num}} = { %+ } if ( $current_rule =~ /$rule_pattern/ );
}

# return hash with rule numbers as keys and information as values
return %rules;
}

sub acct_rm_nflog_target {
my ($intf) = @_;

my ($table_chain) = acct_get_table_chain();
while (my ($chain, $table) = each(%$table_chain)) {
my $cmd = "iptables -t $table -vnL $chain --line";
my @lines = `$cmd 2> /dev/null | egrep ^[0-9]`;
if (scalar(@lines) < 1) {
die "Error: failed to find NFLOG entry for $chain => $table\n";
my %table_chain = acct_get_table_chain();
foreach my $ip_proto ( keys %table_chain ) {
my $iptables_cmd;
if ( $ip_proto eq "ipv4" ) {
$iptables_cmd = "iptables";
}
elsif ( $ip_proto eq "ipv6" ) {
$iptables_cmd = "ip6tables";
}
my $found_target = 'false';
foreach my $line (@lines) {
my ($num, undef, undef, $target, undef, undef, $in) = split /\s+/, $line;
if (defined $in and $in eq $intf) {
$cmd = "iptables -t $table -D $chain $num";
my $ret = system($cmd);
if ($ret >> 8) {
die "Error: failed to delete target - $?\n";
else {
die "Wrong or not provided IP protocol in acct_get_table_chain()!";
}

for my $chain ( keys %{ $table_chain{$ip_proto} } ) {
my %rules_list = iptables_chain_get($ip_proto, $table_chain{$ip_proto}{$chain}, $chain);

my $found_target;
foreach my $rule ( keys %rules_list ) {
if ( $rules_list{$rule}{"target"} eq "NFLOG" and $rules_list{$rule}{"in"} eq $intf ) {
my $cmd = "$iptables_cmd -t $table_chain{$ip_proto}{$chain} -D $chain $rule";
my $ret = system($cmd);
if ($ret >> 8) {
die "Error: failed to delete target - $?\n";
}
$found_target = 'true';
last;
}
$found_target = 'true';
last;
}
die "Error: failed to find target\n" if not $found_target;
}
die "Error: failed to find target\n" if $found_target eq 'false';
}
}
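Review bot: `iptables_chain_get` runs the listing with backticks on the `my @iptables_out = ...` line and never inspects `$?`, so a missing chain, table or ip6tables binary yields an empty `%rules` and `acct_rm_nflog_target` then dies with the unrelated "failed to find target" instead of the real cause (the removed code at least silenced stderr with `2> /dev/null`; here iptables' own error reaches the terminal while the script carries on). Add `die "Error: [$iptables_command] failed - $?\n" if $? >> 8;` directly after the backticks, and give the `$proto` dispatch in that sub an `else { die ... }` like the two callers have, because an unrecognised protocol currently leaves `$iptables_command` undefined and runs an empty shell command. The ipv4/ipv6 to iptables/ip6tables choice is now spelled out three times (`acct_add_nflog_target`, `iptables_chain_get`, `acct_rm_nflog_target`); one file-level `my %iptables_cmd_of = (ipv4 => 'iptables', ipv6 => 'ip6tables');` consulted by all three would keep them from drifting. In the `acct_get_netflow` hunk, `if $version == '5'` compares the option numerically against a string literal; `eq '5'` matches the `ne '9'` form it replaces and avoids a warning if the value is ever not purely numeric.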

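--- a/scripts/vyatta-show-acct.pl
+++ b/scripts/vyatta-show-acct.pl
@@ -72,16 +72,16 @@ sub display_lines {
 }
 my $count = 0;
 my ($tot_flows, $tot_pkts, $tot_bytes) = (0, 0, 0);
+my $regex_pattern = '^(?P<tag>\d+) +(?P<src_mac>([0-9a-fA-F][0-9a-fA-F]:){5}([0-9a-fA-F][0-9a-fA-F])) +(?P<dst_mac>([0-9a-fA-F][0-9a-fA-F]:){5}([0-9a-fA-F][0-9a-fA-F])) +(?P<vlan>\d+) +(?P<src_ip>[\w\.\:\/]+) +(?P<dst_ip>[\w\.\:\/]+) +(?P<src_port>\d+) +(?P<dst_port>\d+) +(?P<protocol>[\d\w-]+) +(?P<tos>\d+) +(?P<packets>\d+) +(?P<flows>\d+) +(?P<bytes>\d+)$';
 foreach my $line (@lines) {
-my ($tag, $src_mac, $dst_mac, $vlan, $src_ip, $dst_ip, $sport, $dport, $proto, $tos, $pkts, $flows, $bytes)= split(/\s+/, $line);
-next if !defined $src_ip or $src_ip !~ m/\d+\.\d+\.\d+\.\d+/;
-next if defined $ifindx and $ifindx ne $tag;
-$count++;
-$tot_flows += $flows;
-$tot_pkts += $pkts;
-$tot_bytes += $bytes;
-if ($topN != 0) {
-printf($format, $src_ip, $dst_ip, $sport, $dport, $proto, $pkts, $bytes, $flows);
+if ($line =~ /$regex_pattern/ and $ifindx eq $+{"tag"}) {
+$count++;
+$tot_flows += $+{"flows"};
+$tot_pkts += $+{"packets"};
+$tot_bytes += $+{"bytes"};
+if ($topN != 0) {
+printf($format, $+{"src_ip"}, $+{"dst_ip"}, $+{"src_port"}, $+{"dst_port"}, $+{"protocol"}, $+{"packets"}, $+{"bytes"}, $+{"flows"});
+}
 }
 last if $topN != 0 and $count >= $topN;
 }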
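Review bot: The new filter `$ifindx eq $+{"tag"}` drops the `defined $ifindx` guard that the removed `next if defined $ifindx and $ifindx ne $tag;` line had, so when no interface index is passed in (a case the old code explicitly allowed) nothing matches, the totals stay zero, and under warnings every line emits an uninitialized-value warning. If an unset `$ifindx` is still meant to mean "all interfaces", the condition should read `if ($line =~ /$regex_pattern/ and (not defined $ifindx or $ifindx eq $+{"tag"})) {`. The removed `$src_ip !~ m/\d+\.\d+\.\d+\.\d+/` check is also gone, so non-IPv4 flows now count toward the totals; that looks intended given the ip6tables work in the same change, but it should be stated in the commit description since it changes the displayed totals. A one-line comment above `$regex_pattern` naming the expected column order (`# columns: tag src_mac dst_mac vlan src_ip dst_ip src_port dst_port protocol tos packets flows bytes`) would make the 13-column anchored match easier to maintain; display_lines begins before this hunk.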
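--- a/templates-cfg/system/flow-accounting/netflow/version/node.def
+++ b/templates-cfg/system/flow-accounting/netflow/version/node.def
@@ -2,10 +2,10 @@ type: txt
 
 help: NetFlow version to export
 
-syntax:expression: $VAR(@) in "1", "5", "9" ; "Version must be 1, 5, or 9."
+syntax:expression: $VAR(@) in "5", "9", "10" ; "Version must be 5, 9, or 10."
 
-default: "5"
+default: "9"
 
-val_help: 1 ; NetFlow version 1
-val_help: 5 ; NetFlow version 5 (default)
-val_help: 9 ; NetFlow version 9
+val_help: 5 ; NetFlow version 5
+val_help: 9 ; NetFlow version 9 (default)
+val_help: 10 ; IPFIX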
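Review bot: Changing `default: "5"` to `default: "9"` and dropping `"1"` from the syntax expression alters behaviour for existing deployments: a configuration that never set `version` will start exporting NetFlow v9 after upgrade, and one that has `version 1` will fail validation on the next commit. If that is intended it should be stated in the commit description or covered by a migration step, because a collector set up for the old v5 default will stop decoding the export. The `val_help` entry for 10 could read `val_help: 10 ; IPFIX (NetFlow version 10)` so the three entries describe the value the same way.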