Home » Mailing list archives » openbsd-misc » 2009 » July » 3

Re: pflow question/problem

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
[view in full thread]
From: Joerg Goltermann <jg@...>
To: Artem Teslenko <ates@...>
Cc: <misc@...>
Subject: Re: pflow question/problem
Date: Friday, July 3, 2009 - 6:50 am

Hi


Artem Teslenko wrote:


pflow(4) exports the data after the state was expired by

pf(4). You can try the attached diff which adds an additional

timer to pf and exports all pflow tagged states at least

every x seconds. After exporting the data, the current pf counters

are reset to 0.


Index: sbin/pfctl/pfctl_parser.c

===================================================================

RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v

retrieving revision 1.244

diff -u -p -r1.244 pfctl_parser.c

--- sbin/pfctl/pfctl_parser.c	15 Apr 2009 05:07:02 -0000	1.244

+++ sbin/pfctl/pfctl_parser.c	17 Jun 2009 07:21:39 -0000

@@ -201,6 +201,7 @@ const struct pf_timeout pf_timeouts[] =

 	{ "adaptive.start",	PFTM_ADAPTIVE_START },

 	{ "adaptive.end",	PFTM_ADAPTIVE_END },

 	{ "src.track",		PFTM_SRC_NODE },

+	{ "pflowexport",	PFTM_PFLOW },

 	{ NULL,			0 }

 };


Index: share/man/man5/pf.conf.5

===================================================================

RCS file: /cvs/src/share/man/man5/pf.conf.5,v

retrieving revision 1.443

diff -u -p -r1.443 pf.conf.5

--- share/man/man5/pf.conf.5	30 May 2009 16:56:17 -0000	1.443

+++ share/man/man5/pf.conf.5	17 Jun 2009 07:21:40 -0000

@@ -324,6 +324,9 @@ States can match packets on any interfac

 Seconds before an unassembled fragment is expired.

 .It Ar interval

 Interval between purging expired states and fragments.

+.It Ar pflowexport

+Seconds before an active state will export pflow data and reset bytes

+and packets counters to zero. Default timeout is 0, unlimited lifetime.

 .It Ar src.track

 Length of time to retain a source tracking entry after the last state

 expires.

Index: sys/net/pfvar.h

===================================================================

RCS file: /cvs/src/sys/net/pfvar.h,v

retrieving revision 1.289

diff -u -p -r1.289 pfvar.h

--- sys/net/pfvar.h	8 Jun 2009 02:39:15 -0000	1.289

+++ sys/net/pfvar.h	17 Jun 2009 07:21:41 -0000

@@ -83,7 +83,7 @@ enum	{ PFTM_TCP_FIRST_PACKET, PFTM_TCP_O

 	  PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE,

 	  PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL,

 	  PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE,

-	  PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED,

+	  PFTM_TS_DIFF, PFTM_PFLOW, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED,

 	  PFTM_UNTIL_PACKET };


 /* PFTM default values */

@@ -105,6 +105,7 @@ enum	{ PFTM_TCP_FIRST_PACKET, PFTM_TCP_O

 #define PFTM_INTERVAL_VAL		10	/* Expire interval */

 #define PFTM_SRC_NODE_VAL		0	/* Source tracking */

 #define PFTM_TS_DIFF_VAL		30	/* Allowed TS diff */

+#define PFTM_PFLOW_VAL			0	/* pflow export */


 enum	{ PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO };

 enum	{ PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,

@@ -779,6 +780,7 @@ struct pf_state {

 	u_int32_t		 creation;

 	u_int32_t	 	 expire;

 	u_int32_t		 pfsync_time;

+	u_int32_t		 pflow_time;

 	u_int16_t		 qid;

 	u_int16_t		 pqid;

 	u_int16_t		 tag;

Index: sys/net/pf_ioctl.c

===================================================================

RCS file: /cvs/src/sys/net/pf_ioctl.c,v

retrieving revision 1.219

diff -u -p -r1.219 pf_ioctl.c

--- sys/net/pf_ioctl.c	31 May 2009 19:10:51 -0000	1.219

+++ sys/net/pf_ioctl.c	17 Jun 2009 07:21:42 -0000

@@ -219,6 +219,7 @@ pfattach(int num)

 	timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL;

 	timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START;

 	timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END;

+	timeout[PFTM_PFLOW] = PFTM_PFLOW_VAL;


 	pf_normalize_init();

 	bzero(&pf_status, sizeof(pf_status));

Index: sys/net/pf.c

===================================================================

RCS file: /cvs/src/sys/net/pf.c,v

retrieving revision 1.651

diff -u -p -r1.651 pf.c

--- sys/net/pf.c	8 Jun 2009 03:56:14 -0000	1.651

+++ sys/net/pf.c	17 Jun 2009 07:21:44 -0000

@@ -1197,7 +1197,24 @@ pf_purge_expired_states(u_int32_t maxche

 				locked = 1;

 			}

 			pf_free_state(cur);

+#if NPFLOW > 0

+		} else if (( pf_default_rule.timeout[PFTM_PFLOW] > 0) &&

+			(cur->state_flags & PFSTATE_PFLOW) &&

+			(cur->pflow_time + pf_default_rule.timeout[PFTM_PFLOW]

+			<= time_second)) {

+			/* export data to pflow and reset counters */

+			if (! locked) {

+				rw_enter_write(&pf_consistency_lock);

+				locked = 1;

+			}

+			export_pflow(cur);

+			cur->pflow_time = time_second;

+			cur->bytes[0]=cur->bytes[1]=0;

+			cur->packets[0]=cur->packets[1]=0;

+		}

+#else

 		}

+#endif

 		cur = next;

 	}


@@ -3206,6 +3223,7 @@ pf_create_state(struct pf_rule *r, struc


 	s->creation = time_second;

 	s->expire = time_second;

+	s->pflow_time = time_second;


 	if (sn != NULL) {

 		s->src_node = sn;
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
Messages in current thread:
pflow question/problem, Artem Teslenko, (Thu Jun 25, 7:15 am)
Re: pflow question/problem, Joerg Goltermann, (Fri Jul 3, 6:50 am)
Re: pflow question/problem, Фролов Константин..., (Tue Jul 7, 4:57 am)