Hi

Artem Teslenko wrote:
> pflow interface configured for sending netflow packets to another system
> with billing software.
> Problem in next: pflow does not send any netflow packets until user
> connection not have state TIME_WAIT:TIME_WAIT

pflow(4) only exports the data once the state has been expired by
pf(4). You can try the attached diff, which adds an additional
timer to pf and exports all pflow-tagged states at least
every x seconds. After the data is exported, the state's current pf
counters are reset to 0.




Index: sbin/pfctl/pfctl_parser.c
===================================================================
RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v
retrieving revision 1.244
diff -u -p -r1.244 pfctl_parser.c
--- sbin/pfctl/pfctl_parser.c   15 Apr 2009 05:07:02 -0000      1.244
+++ sbin/pfctl/pfctl_parser.c   17 Jun 2009 07:21:39 -0000
@@ -201,6 +201,7 @@ const struct pf_timeout pf_timeouts[] = 
        { "adaptive.start",     PFTM_ADAPTIVE_START },
        { "adaptive.end",       PFTM_ADAPTIVE_END },
        { "src.track",          PFTM_SRC_NODE },
+       { "pflowexport",        PFTM_PFLOW },
        { NULL,                 0 }
 };
 
Index: share/man/man5/pf.conf.5
===================================================================
RCS file: /cvs/src/share/man/man5/pf.conf.5,v
retrieving revision 1.443
diff -u -p -r1.443 pf.conf.5
--- share/man/man5/pf.conf.5    30 May 2009 16:56:17 -0000      1.443
+++ share/man/man5/pf.conf.5    17 Jun 2009 07:21:40 -0000
@@ -324,6 +324,9 @@ States can match packets on any interfac
 Seconds before an unassembled fragment is expired.
 .It Ar interval
 Interval between purging expired states and fragments.
+.It Ar pflowexport
+Seconds before an active state will export pflow data and reset bytes
+and packets counters to zero. Default timeout is 0, unlimited lifetime.
 .It Ar src.track
 Length of time to retain a source tracking entry after the last state
 expires.
Index: sys/net/pfvar.h
===================================================================
RCS file: /cvs/src/sys/net/pfvar.h,v
retrieving revision 1.289
diff -u -p -r1.289 pfvar.h
--- sys/net/pfvar.h     8 Jun 2009 02:39:15 -0000       1.289
+++ sys/net/pfvar.h     17 Jun 2009 07:21:41 -0000
@@ -83,7 +83,7 @@ enum  { PFTM_TCP_FIRST_PACKET, PFTM_TCP_O
          PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE,
          PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL,
          PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE,
-         PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED,
+         PFTM_TS_DIFF, PFTM_PFLOW, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED,
          PFTM_UNTIL_PACKET };
 
 /* PFTM default values */
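Review bot: Inserting PFTM_PFLOW ahead of PFTM_MAX shifts the numeric value of PFTM_MAX and of every constant after it, so anything sized or indexed by PFTM_MAX (the per-rule timeout array that pfctl hands to the kernel, presumably) changes layout and pfctl and the kernel have to be rebuilt together. A short remark to that effect in the commit text, or a comment such as `/* new timeouts go before PFTM_MAX; changing it alters the pf_rule ABI */`, would save the next person a confusing mismatch. The placement itself is right: PFTM_PFLOW must stay below PFTM_MAX so that `timeout[PFTM_PFLOW]` in pf_ioctl.c and pf.c is in bounds.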
@@ -105,6 +105,7 @@ enum        { PFTM_TCP_FIRST_PACKET, PFTM_TCP_O
 #define PFTM_INTERVAL_VAL              10      /* Expire interval */
 #define PFTM_SRC_NODE_VAL              0       /* Source tracking */
 #define PFTM_TS_DIFF_VAL               30      /* Allowed TS diff */
+#define PFTM_PFLOW_VAL                 0       /* pflow export */
 
 enum   { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO };
 enum   { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
@@ -779,6 +780,7 @@ struct pf_state {
        u_int32_t                creation;
        u_int32_t                expire;
        u_int32_t                pfsync_time;
+       u_int32_t                pflow_time;
        u_int16_t                qid;
        u_int16_t                pqid;
        u_int16_t                tag;
Index: sys/net/pf_ioctl.c
===================================================================
RCS file: /cvs/src/sys/net/pf_ioctl.c,v
retrieving revision 1.219
diff -u -p -r1.219 pf_ioctl.c
--- sys/net/pf_ioctl.c  31 May 2009 19:10:51 -0000      1.219
+++ sys/net/pf_ioctl.c  17 Jun 2009 07:21:42 -0000
@@ -219,6 +219,7 @@ pfattach(int num)
        timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL;
        timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START;
        timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END;
+       timeout[PFTM_PFLOW] = PFTM_PFLOW_VAL;
 
        pf_normalize_init();
        bzero(&pf_status, sizeof(pf_status));
Index: sys/net/pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.651
diff -u -p -r1.651 pf.c
--- sys/net/pf.c        8 Jun 2009 03:56:14 -0000       1.651
+++ sys/net/pf.c        17 Jun 2009 07:21:44 -0000
@@ -1197,7 +1197,24 @@ pf_purge_expired_states(u_int32_t maxche
                                locked = 1;
                        }
                        pf_free_state(cur);
+#if NPFLOW > 0
+               } else if (( pf_default_rule.timeout[PFTM_PFLOW] > 0) &&
+                       (cur->state_flags & PFSTATE_PFLOW) &&
+                       (cur->pflow_time + pf_default_rule.timeout[PFTM_PFLOW]
+                       <= time_second)) {
+                       /* export data to pflow and reset counters */
+                       if (! locked) {
+                               rw_enter_write(&pf_consistency_lock);
+                               locked = 1;
+                       }
+                       export_pflow(cur);
+                       cur->pflow_time = time_second;
+                       cur->bytes[0]=cur->bytes[1]=0;
+                       cur->packets[0]=cur->packets[1]=0;
+               }
+#else
                }
+#endif
                cur = next;
        }
 
@@ -3206,6 +3223,7 @@ pf_create_state(struct pf_rule *r, struc
 
        s->creation = time_second;
        s->expire = time_second;
+       s->pflow_time = time_second;
 
        if (sn != NULL) {
                s->src_node = sn;
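Review bot: pflow_time is initialised only on this path; states that enter the table by other routes (pfsync import, presumably) keep whatever the allocator left in the field, and with a zero value the first purge sweep exports and resets them as soon as `set timeout pflowexport` is non-zero. Either initialise it wherever creation and expire are set, or document the behaviour next to the field in pfvar.h with something like `u_int32_t pflow_time; /* last pflow export; 0 = export on next sweep */`. pf_create_state() starts and ends outside the hunk.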
