mirror of
https://gitlab.alpinelinux.org/alpine/aports.git
synced 2025-10-24 05:51:44 +02:00
4309 lines
133 KiB
Diff
4309 lines
133 KiB
Diff
diff --git a/Makefile.in b/Makefile.in
|
||
index 30ebbfe..0a82c67 100644
|
||
--- a/Makefile.in
|
||
+++ b/Makefile.in
|
||
@@ -1,43 +1,73 @@
|
||
-#
|
||
+# Edit Makefile.in and run ./configure
|
||
|
||
KVERSION = @KVERSION@
|
||
KDIR = @KDIR@
|
||
+KINSTDIR = $(shell dirname @KDIR@)
|
||
IPTABLES_CFLAGS = @IPTABLES_CFLAGS@
|
||
IPTABLES_MODULES = @IPTABLES_MODULES@
|
||
+DEPMOD = depmod -a
|
||
|
||
+# https://www.kernel.org/doc/Documentation/kbuild/modules.txt
|
||
+# https://www.kernel.org/doc/Documentation/kbuild/makefiles.txt
|
||
obj-m = ipt_NETFLOW.o
|
||
|
||
-ipt_NETFLOW.ko: ipt_NETFLOW.c ipt_NETFLOW.h
|
||
+all: ipt_NETFLOW.ko libipt_NETFLOW.so libip6t_NETFLOW.so
|
||
+ipt_NETFLOW.ko: version.h ipt_NETFLOW.c ipt_NETFLOW.h Makefile
|
||
@echo Compiling for kernel $(KVERSION)
|
||
make -C $(KDIR) M=$(CURDIR) modules
|
||
-all: ipt_NETFLOW.ko libipt_NETFLOW.so
|
||
-minstall:
|
||
- make -C $(KDIR) M=$(CURDIR) modules_install
|
||
+ @touch $@
|
||
+sparse: | version.h ipt_NETFLOW.c ipt_NETFLOW.h Makefile
|
||
+ @rm -f ipt_NETFLOW.ko ipt_NETFLOW.o
|
||
+ @echo Compiling for kernel $(KVERSION)
|
||
+ make -C $(KDIR) M=$(CURDIR) modules C=1
|
||
+ @touch ipt_NETFLOW.ko
|
||
+minstall: | ipt_NETFLOW.ko
|
||
+ make -C $(KDIR) M=$(CURDIR) modules_install INSTALL_MOD_PATH=$(DESTDIR)
|
||
+ $(DEPMOD)
|
||
mclean:
|
||
make -C $(KDIR) M=$(CURDIR) clean
|
||
lclean:
|
||
-rm -f *.so *_sh.o
|
||
clean: mclean lclean
|
||
- -rm -f *.so *.o modules.order
|
||
+ -rm -f *.so *.o modules.order version.h
|
||
+
|
||
+%_sh.o: libipt_NETFLOW.c
|
||
+ gcc -O2 -Wall -Wunused $(IPTABLES_CFLAGS) -fPIC -o $@ -c libipt_NETFLOW.c
|
||
+
|
||
+%.so: %_sh.o
|
||
+ gcc -shared -o $@ $<
|
||
|
||
-libipt_NETFLOW.so: libipt_NETFLOW.c
|
||
- gcc -O2 -Wall -Wunused -I$(KDIR)/include $(IPTABLES_CFLAGS) -fPIC -o libipt_NETFLOW_sh.o -c libipt_NETFLOW.c
|
||
- gcc -shared -o libipt_NETFLOW.so libipt_NETFLOW_sh.o
|
||
+version.h: ipt_NETFLOW.c ipt_NETFLOW.h Makefile
|
||
+ @if [ -d .git ] && type git >/dev/null 2>&1; then \
|
||
+ echo "#define GITVERSION \"`git describe --dirty`\""; \
|
||
+ fi > version.h
|
||
|
||
-linstall: ipt_NETFLOW.ko libipt_NETFLOW.so
|
||
- cp -a libipt_NETFLOW.so $(IPTABLES_MODULES)
|
||
+linstall: | libipt_NETFLOW.so libip6t_NETFLOW.so
|
||
+ install -D libipt_NETFLOW.so $(DESTDIR)$(IPTABLES_MODULES)/libipt_NETFLOW.so
|
||
+ install -D libip6t_NETFLOW.so $(DESTDIR)$(IPTABLES_MODULES)/libip6t_NETFLOW.so
|
||
|
||
install: minstall linstall
|
||
|
||
+uninstall:
|
||
+ -rm -f $(DESTDIR)$(IPTABLES_MODULES)/libipt_NETFLOW.so
|
||
+ -rm -f $(DESTDIR)$(IPTABLES_MODULES)/libip6t_NETFLOW.so
|
||
+ -rm -f $(DESTDIR)$(KINSTDIR)/extra/ipt_NETFLOW.ko
|
||
+
|
||
Makefile: Makefile.in configure
|
||
./configure --make
|
||
|
||
load: all
|
||
- insmod ipt_NETFLOW.ko active_timeout=5
|
||
- iptables -A OUTPUT -d 0/0 -j NETFLOW
|
||
- iptables -A INPUT -d 0/0 -j NETFLOW
|
||
+ -insmod ipt_NETFLOW.ko active_timeout=5 protocol=9
|
||
+ -iptables -I OUTPUT -j NETFLOW
|
||
+ -iptables -I INPUT -j NETFLOW
|
||
+ -ip6tables -I OUTPUT -j NETFLOW
|
||
+ -ip6tables -I INPUT -j NETFLOW
|
||
|
||
unload:
|
||
- iptables -D OUTPUT -d 0/0 -j NETFLOW
|
||
- iptables -D INPUT -d 0/0 -j NETFLOW
|
||
- rmmod ipt_NETFLOW.ko
|
||
+ -iptables -D OUTPUT -j NETFLOW
|
||
+ -iptables -D INPUT -j NETFLOW
|
||
+ -ip6tables -D OUTPUT -j NETFLOW
|
||
+ -ip6tables -D INPUT -j NETFLOW
|
||
+ -rmmod ipt_NETFLOW.ko
|
||
+
|
||
+reload: unload load
|
||
diff --git a/README b/README
|
||
index 213f02c..56a4fde 100644
|
||
--- a/README
|
||
+++ b/README
|
||
@@ -1,10 +1,17 @@
|
||
-ipt_NETFLOW linux 2.6 kernel module by <abc@telekom.ru> -- 11 Feb 2008
|
||
+ipt_NETFLOW linux 2.6.x-3.x kernel module by <abc@telekom.ru> -- 2008-2013.
|
||
+
|
||
+ High performance NetFlow v5, v9, IPFIX flow data export module for Linux
|
||
+ kernel. Supporting IPv4 and IPv6. Created to be useful for highly loaded
|
||
+ linux router. It should be used as iptables target. Also can export NAT
|
||
+ translation events using NetFlow Event Logging (NEL) for v9, IPFIX, or
|
||
+ specially crafted v5 flows.
|
||
+
|
||
|
||
============================
|
||
= OBTAINING LATEST VERSION =
|
||
============================
|
||
|
||
- $ git clone git://ipt-netflow.git.sourceforge.net/gitroot/ipt-netflow/ipt-netflow
|
||
+ $ git clone git://git.code.sf.net/p/ipt-netflow/code ipt-netflow
|
||
$ cd ipt-netflow
|
||
|
||
|
||
@@ -12,94 +19,220 @@ ipt_NETFLOW linux 2.6 kernel module by <abc@telekom.ru> -- 11 Feb 2008
|
||
= INSTALLATION =
|
||
================
|
||
|
||
-1. Besides kernel you will need iptables/netfilter source matching your
|
||
- installation or just fresh install from there: ftp://ftp.netfilter.org/pub/iptables/snapshot/
|
||
- I have this: ftp://ftp.netfilter.org/pub/iptables/snapshot/iptables-1.3.7-20070329.tar.bz2
|
||
- Unpack it somewhere and build with make.
|
||
+ Four easy steps.
|
||
+
|
||
+** 1. Prepare Kernel source
|
||
+
|
||
+ If you have package system install kernel-devel package, otherwise install
|
||
+ raw kernel source from http://kernel.org matching _exactly_ version of your
|
||
+ installed kernel.
|
||
+
|
||
+ a) What to do for Centos:
|
||
+
|
||
+ ~# yum install kernel-devel
|
||
+
|
||
+ b) What to do for Debian:
|
||
+
|
||
+ ~# apt-get install module-assistant
|
||
+ ~# m-a prepare
|
||
+
|
||
+ c) Otherwise, if you downloaded raw kernel sources don't forget to create
|
||
+ .config by copying it from your distribution's kernel. Its copy could reside
|
||
+ in /boot or sometimes in /proc, examples:
|
||
+
|
||
+ kernel-src-dir/# cp /boot/config-`uname -r` .config
|
||
+ or
|
||
+ kernel-src-dir/# zcat /proc/config.gz > .config
|
||
+
|
||
+ Assuming you unpacked kernel source into `kernel-src-dir/' directory.
|
||
+ Then run:
|
||
+
|
||
+ kernel-src-dir/# make oldconfig
|
||
+
|
||
+ After that you'll need to prepare kernel for modules build:
|
||
+
|
||
+ kernel-src-dir/# make prepare modules_prepare
|
||
+
|
||
+ Note: Don't try to `make prepare' in Centos kernel-devel package directory
|
||
+ (which is usually something like /usr/src/kernels/2.6.32-431.el6.x86_64)
|
||
+ as this is wrong and meaningless.
|
||
+
|
||
+** 2. Prepare Iptables
|
||
+
|
||
+ Before this step it also would be useful to install pkg-config if don't
|
||
+ already have.
|
||
+
|
||
+ If you have package system just install iptables-devel (or iptables-dev)
|
||
+ package, otherwise install iptables source matching version of your
|
||
+ installation from ftp://ftp.netfilter.org/pub/iptables/
|
||
+
|
||
+ a) What to do for Centos:
|
||
+
|
||
+ # yum install iptables-devel
|
||
+
|
||
+ b) What to do for Debian:
|
||
+
|
||
+ # apt-get install iptables-dev pkg-config
|
||
|
||
-2. Run ./configure script and it will create Makefile
|
||
+ c) Otherwise, for raw iptables source build it and make install.
|
||
|
||
-3. make all install; depmod
|
||
- This will install kernel module and iptable specific library.
|
||
+** 3. Now, to actually build the module run:
|
||
|
||
-Troubleshooting:
|
||
- 1) Sometimes you will want to add CC=gcc-3 to make command.
|
||
- Example: make CC=gcc-3.3
|
||
+ ~/ipt-netflow# ./configure
|
||
+ ~/ipt-netflow# make all install
|
||
+ ~/ipt-netflow# depmod
|
||
|
||
- 2) Compile module with actual kernel source compiled.
|
||
- I.e. first compile kernel and boot into it, and then compile module.
|
||
+ This will install kernel module and iptables specific library.
|
||
|
||
- 3) For autoloading module after reboot: set net.netflow.destination (or load
|
||
- module, if idestination set on load) after interfaces are up. Becasue module
|
||
- needs exporting interface (usually lo) to establish export connection.
|
||
+ Troubleshooting:
|
||
|
||
-4. After this point you should be able to load module
|
||
- and use -j NETFLOW target in your iptables. See next section.
|
||
+ a) Sometimes you will want to add CC=gcc-3 to make command.
|
||
+ Example: make CC=gcc-3.3
|
||
+
|
||
+ b) Compile module with actual kernel source compiled.
|
||
+ I.e. first compile kernel and boot into it, and then compile module.
|
||
+ If you are using kernel-devel package check that its version matches
|
||
+ your kernel package.
|
||
+
|
||
+ c) If you have sources in non-standard places or configure isn't able to
|
||
+ find something run ./configure --help to see how to specify paths manually.
|
||
+
|
||
+** 4. After this point you should be able to load module and
|
||
+ use -j NETFLOW target in your iptables. See next section.
|
||
|
||
|
||
===========
|
||
= RUNNING =
|
||
===========
|
||
|
||
-1. You can load module by insmod like this:
|
||
- # insmod ipt_NETFLOW.ko destination=127.0.0.1:2055 debug=1
|
||
+1. You can load module directly by insmod like this:
|
||
+
|
||
+ # insmod ipt_NETFLOW.ko destination=127.0.0.1:2055 debug=1
|
||
|
||
Or if properly installed (make install; depmod) by this:
|
||
- # modprobe ipt_NETFLOW destination=127.0.0.1:2055
|
||
+
|
||
+ # modprobe ipt_NETFLOW destination=127.0.0.1:2055
|
||
|
||
See, you may add options in insmod/modprobe command line, or add
|
||
- them in /etc/ to modules.conf or modprobe.conf like thus:
|
||
- options ipt_NETFLOW destination=127.0.0.1:2055
|
||
+ them in /etc/modprobe.conf or /etc/modprobe.d/ipt_NETFLOW.conf
|
||
+ like thus:
|
||
+
|
||
+ options ipt_NETFLOW destination=127.0.0.1:2055 protocol=9 natevents=1
|
||
|
||
2. Statistics is in /proc/net/stat/ipt_netflow
|
||
- To view slab statistics: grep ipt_netflow /proc/slabinfo
|
||
+ To view boring slab statistics: grep ipt_netflow /proc/slabinfo
|
||
|
||
3. You can view parameters and control them via sysctl, example:
|
||
- # sysctl -w net.netflow.hashsize=32768
|
||
|
||
-4. Example of directing all traffic into module:
|
||
- # iptables -A FORWARD -j NETFLOW
|
||
- # iptables -A INPUT -j NETFLOW
|
||
- # iptables -A OUTPUT -j NETFLOW
|
||
+ # sysctl net.netflow
|
||
+ # sysctl net.netflow.hashsize=32768
|
||
+
|
||
+ Note: For after-reboot configuration I recommend to store module parameters
|
||
+ in modprobe configs instead of storing them in /etc/sysctl.conf, as it's
|
||
+ less clear when init process will apply sysctl.conf, before of after
|
||
+ module's load.
|
||
+
|
||
+4. Example of directing all IPv4 traffic into the module:
|
||
+
|
||
+ # iptables -I FORWARD -j NETFLOW
|
||
+ # iptables -I INPUT -j NETFLOW
|
||
+ # iptables -I OUTPUT -j NETFLOW
|
||
+
|
||
+ Note: It is preferable (because easier to understand) to _insert_
|
||
+ NETFLOW target at the top of the chain, otherwise not all traffic may
|
||
+ reach NETFLOW if your iptables configuration is complicated and some
|
||
+ other rule inadvertently consume the traffic (dropping or acepting before
|
||
+ NETFLOW is reached). It's always good to test your configuration.
|
||
+ Use iptables -L -nvx to check pkts/bytes counters on the rules.
|
||
+
|
||
+5. If you want to account IPv6 traffic you should use protocol 9 or 10.
|
||
+ Example of directing all IPv6 traffic into the module:
|
||
|
||
+ # sysctl net.netflow.protocol=10
|
||
+ # ip6tables -I FORWARD -j NETFLOW
|
||
+ # ip6tables -I INPUT -j NETFLOW
|
||
+ # ip6tables -I OUTPUT -j NETFLOW
|
||
+
|
||
+ Note: First enable right version of protocol and after that add ip6tables
|
||
+ rules, otherwise you will get errors in dmesg.
|
||
+
|
||
+6. If you want to account NAT events (NEL):
|
||
+
|
||
+ # sysctl net.netflow.natevents=1
|
||
+
|
||
+ Note that natevents feature is completely independent from traffic accounting
|
||
+ (it's using so called conntrack events), thus you don't need to set or change
|
||
+ any iptables rules to use that. You may need to enable kernel config option
|
||
+ CONFIG_NF_CONNTRACK_EVENTS though (if it isn't already enabled).
|
||
+ For details on how they are exported for different protocol versions see
|
||
+ below.
|
||
|
||
===========
|
||
= OPTIONS =
|
||
===========
|
||
|
||
+ protocol=5
|
||
+ - what version of NetFlow protocol to use. Default is 5.
|
||
+ You can choose from 5, 9, or 10 (where 10 is IPFIX). If you plan
|
||
+ to account IPv6 traffic you should use protocol 9 or 10 (IPFIX),
|
||
+ because NetFlow v5 isn't compatible with IPv6.
|
||
+
|
||
destination=127.0.0.1:2055
|
||
- where to export netflow, to this ip address
|
||
You will see this connection in netstat like this:
|
||
udp 0 0 127.0.0.1:32772 127.0.0.1:2055 ESTABLISHED
|
||
|
||
destination=127.0.0.1:2055,192.0.0.1:2055
|
||
- - mirror flows to two (can be more) addresses,
|
||
- separate addresses with comma.
|
||
+ - mirror flows to two (can be more) addresses, separate addresses
|
||
+ with comma.
|
||
+
|
||
+ natevents=1
|
||
+ - Collect and send NAT translation events as NetFlow Event Logging (NEL)
|
||
+ for NetFlow v9/IPFIX, or as dummy flows compatible with NetFlow v5.
|
||
+ Default is 0 (don't send).
|
||
+
|
||
+ For NetFlow v5 protocol meaning of fields in dummy flows are such:
|
||
+ Src IP, Src Port is Pre-nat source address.
|
||
+ Dst IP, Dst Port is Post-nat destination address.
|
||
+ - These two fields made equal to data flows catched in FORWARD chain.
|
||
+ Nexthop, Src AS is Post-nat source address for SNAT. Or,
|
||
+ Nexthop, Dst AS is Pre-nat destination address for DNAT.
|
||
+ TCP Flags is SYN+SCK for start event, RST+FIN for stop event.
|
||
+ Pkt/Traffic size is 0 (zero), so it won't interfere with accounting.
|
||
|
||
inactive_timeout=15
|
||
- export flow after it's inactive 15 seconds. Default value is 15.
|
||
|
||
active_timeout=1800
|
||
- - export flow after it's active 1800 seconds (30 minutes). Default value is 1800.
|
||
+ - export flow after it's active 1800 seconds (30 minutes). Default valuae
|
||
+ is 1800.
|
||
+
|
||
+ refresh-rate=20
|
||
+ - for NetFlow v9 and IPFIX it's rate how frequently to re-send templates
|
||
+ (per packets). You probably don't need to change default (which is 20).
|
||
+
|
||
+ timeout-rate=30
|
||
+ - for NetFlow v9 and IPFIX it's rate when to re-send old templates (in
|
||
+ minutes). No need to change it.
|
||
|
||
debug=0
|
||
- debug level (none).
|
||
|
||
sndbuf=number
|
||
- - size of output socket buffer in bytes. Recommend you to put
|
||
+ - size of output socket buffer in bytes. I recommend you to put
|
||
higher value if you experience netflow packet drops (can be
|
||
seen in statistics as 'sock: fail' number.)
|
||
Default value is system default.
|
||
|
||
hashsize=number
|
||
- Hash table bucket size. Used for performance tuning.
|
||
- Abstractly speaking, it should be two times bigger than flows
|
||
+ Abstractly speaking, it should be minimum two times bigger than flows
|
||
you usually have, but not need to.
|
||
Default is system memory dependent small enough value.
|
||
|
||
maxflows=2000000
|
||
- - Maximum number of flows to account. It's here to prevent DOS attacks. After
|
||
- this limit reached new flows will not be accounted. Default is
|
||
+ - Maximum number of flows to account. It's here to prevent DOS attacks.
|
||
+ After this limit reached new flows will not be accounted. Default is
|
||
2000000, zero is unlimited.
|
||
|
||
aggregation=string..
|
||
@@ -130,14 +263,15 @@ Troubleshooting:
|
||
= HOW TO READ STAT =
|
||
====================
|
||
|
||
- Statistics is your friend to fine tune and understand netflow module performance.
|
||
+ Statistics is your friend to fine tune and understand netflow module
|
||
+ performance.
|
||
|
||
To see stat:
|
||
# cat /proc/net/stat/ipt_netflow
|
||
|
||
How to interpret the data:
|
||
|
||
-> Flows: active 5187 (peak 83905 reached 0d0h1m ago, maxflows 2000000), mem 283K
|
||
+> Flows: active 5187 (peak 83905 reached 0d0h1m ago, maxflows 2000000), mem 283K, worker delay 100/1000.
|
||
|
||
active X: currently active flows in memory cache.
|
||
- for optimum CPU performance it is recommended to set hash table size to
|
||
@@ -146,8 +280,9 @@ Troubleshooting:
|
||
mem XK: how much kilobytes of memory currently taken by active flows.
|
||
- one active flow taking 56 bytes of memory.
|
||
- there is system limit on cache size too.
|
||
+ worker delay X/HZ: how frequently exporter scan flows table per second.
|
||
|
||
-> Hash: size 8192 (mem 32K), metric 1.0, 1.0, 1.0, 1.0. MemTraf: 1420 pkt, 364 K (pdu 0, 0).
|
||
+> Hash: size 8192 (mem 32K), metric 1.00, [1.00, 1.00, 1.00]. MemTraf: 1420 pkt, 364 K (pdu 0, 0).
|
||
|
||
Hash: size X: current hash size/limit.
|
||
- you can control this by sysctl net.netflow.hashsize variable.
|
||
@@ -156,18 +291,22 @@ Troubleshooting:
|
||
- optimal value is twice of average of active flows.
|
||
mem XK: how much memory occupied by hash table.
|
||
- hash table is fixed size by nature, taking 4 bytes per entry.
|
||
- metric X, X, X, X: how optimal is your hash table being used.
|
||
+ metric X, [X, X, X]: how optimal is your hash table being used.
|
||
- lesser value mean more optimal hash table use, min is 1.0.
|
||
- - this is moving average (EWMA) of hash table access divided
|
||
- by match rate (searches / matches) for 4sec, and 1, 5, 15 minutes.
|
||
- Sort of hash table load average.
|
||
+ - last three numbers in squares is moving average (EWMA) of hash table
|
||
+ access divided by match rate (searches / matches) for 4sec, and 1, 5, and
|
||
+ 15 minutes. Sort of hash table load average. First value is instantaneous.
|
||
+ You can try to increase hashsize if averages more than 1 (increase
|
||
+ certainly if >= 2).
|
||
MemTraf: X pkt, X K: how much traffic accounted for flows that are in memory.
|
||
- these flows that are residing in internal hash table.
|
||
pdu X, X: how much traffic in flows preparing to be exported.
|
||
- it is included already in aforementioned MemTraf total.
|
||
|
||
-> Timeout: active 1800, inactive 15. Maxflows 2000000
|
||
+> Protocol version 10 (ipfix), refresh-rate 20, timeout-rate 30, (templates 2, active 2). Timeouts: active 5, inactive 15. Maxflows 2000000
|
||
|
||
+ Protocol version currently in use. Refresh-rate and timeout-rate
|
||
+ for v9 and IPFIX. Total templates generated and currently active.
|
||
Timeout: active X: how much seconds to wait before exporting active flow.
|
||
- same as sysctl net.netflow.active_timeout variable.
|
||
inactive X: how much seconds to wait before exporting inactive flow.
|
||
@@ -180,20 +319,22 @@ Troubleshooting:
|
||
|
||
- Module throughput values for 1 second, 1 minute, and 5 minutes.
|
||
|
||
-> cpu# stat: <search found new, trunc frag alloc maxflows>, sock: <ok fail cberr, bytes>, traffic: <pkt, bytes>, drop: <pkt, bytes>
|
||
-> cpu0 stat: 980540 10473 180600, 0 0 0 0, sock: 4983 928 0, 7124 K, traffic: 188765, 14 MB, drop: 27863, 1142 K
|
||
+> cpu# stat: <search found new [metric], trunc frag alloc maxflows>, sock: <ok fail cberr, bytes>, traffic: <pkt, bytes>, drop: <pkt, bytes>
|
||
+> cpu0 stat: 980540 10473 180600 [1.03], 0 0 0 0, sock: 4983 928 0, 7124 K, traffic: 188765, 14 MB, drop: 27863, 1142 K
|
||
|
||
cpu#: this is Total and per CPU statistics for:
|
||
stat: <search found new, trunc frag alloc maxflows>: internal stat for:
|
||
search found new: hash table searched, found, and not found counters.
|
||
- trunc: how much truncated packets is ignored
|
||
+ [metric]: average hash metric since module load.
|
||
+ trunc: how much truncated packets are ignored
|
||
- these are that possible don't have valid IP header.
|
||
- accounted in drop packets counter but not in drop bytes.
|
||
frag: how much fragmented packets have seen.
|
||
- kernel always defragments INPUT/OUTPUT chains for us.
|
||
- these packets are not ignored but not reassembled either, so:
|
||
- - if there is no enough data in fragment (ex. tcp ports) it is considered zero.
|
||
- alloc: how much cache memory allocations is failed.
|
||
+ - if there is no enough data in fragment (ex. tcp ports) it is considered
|
||
+ zero.
|
||
+ alloc: how much cache memory allocations are failed.
|
||
- packets ignored and accounted in drop stat.
|
||
- probably increase system memory if this ever happen.
|
||
maxflows: how much packets ignored on maxflows (maximum active flows reached).
|
||
@@ -203,7 +344,8 @@ Troubleshooting:
|
||
sock: <ok fail cberr, bytes>: table of exporting stats for:
|
||
ok: how much Netflow PDUs are exported (i.e. UDP packets sent by module).
|
||
fail: how much socket errors (i.e. packets failed to be sent).
|
||
- - packets dropped and their internal statistics cumulatively accounted in drop stat.
|
||
+ - packets dropped and their internal statistics cumulatively accounted in
|
||
+ drop stat.
|
||
cberr: how much connection refused ICMP errors we got from export target.
|
||
- probably you not launched collector software on destination,
|
||
- or specified wrong destination address.
|
||
@@ -225,20 +367,34 @@ Troubleshooting:
|
||
packet is for new flow but maxflows is already reached,
|
||
all flows in export packets that got socket error.
|
||
|
||
-> sock0: 10.0.0.2:2055, sndbuf 106496, filled 0, peak 106848; err: sndbuf reached 928, other 0
|
||
+> Natevents disabled, count start 0, stop 0.
|
||
+
|
||
+ - Natevents mode disabled or enabled, and how much start or stop events
|
||
+ are reported.
|
||
+
|
||
+> sock0: 10.0.0.2:2055 unconnected (1 attempts).
|
||
+
|
||
+ If socket is unconnected (for example if module loaded before interfaces is
|
||
+ up) it shows now much connection attempts was failed. It will try to connect
|
||
+ until success.
|
||
+
|
||
+> sock0: 10.0.0.2:2055, sndbuf 106496, filled 0, peak 106848; err: sndbuf reached 928, connect 0, other 0
|
||
|
||
sockX: per destination stats for:
|
||
X.X.X.X:Y: destination ip address and port.
|
||
- controlled by sysctl net.netflow.destination variable.
|
||
sndbuf X: how much data socket can hold in buffers.
|
||
- controlled by sysctl net.netflow.sndbuf variable.
|
||
- - if you have packet drops due to sndbuf reached (error -11) increase this value.
|
||
+ - if you have packet drops due to sndbuf reached (error -11) increase this
|
||
+ value.
|
||
filled X: how much data in socket buffers right now.
|
||
peak X: peak value of how much data in socket buffers was.
|
||
- you will be interested to keep it below sndbuf value.
|
||
err: how much packets are dropped due to errors.
|
||
- all flows from them will be accounted in drop stat.
|
||
- sndbuf reached X: how much packets dropped due to sndbuf being too small (error -11).
|
||
+ sndbuf reached X: how much packets dropped due to sndbuf being too small
|
||
+ (error -11).
|
||
+ connect X: how much connection attempts was failed.
|
||
other X: dropped due to other possible errors.
|
||
|
||
> aggr0: ...
|
||
diff --git a/README.promisc b/README.promisc
|
||
index 60ca922..31d774f 100644
|
||
--- a/README.promisc
|
||
+++ b/README.promisc
|
||
@@ -2,9 +2,14 @@ Hello,
|
||
|
||
If you wish to account with netflow module traffic mirrored on switch you may follow this example:
|
||
|
||
-**************
|
||
-* Solution 1 *
|
||
-**************
|
||
+
|
||
+ Solution 1: General kernel patch.
|
||
+ Solution 2: Alternative w/o kernel patch.
|
||
+
|
||
+
|
||
+ **************
|
||
+ * Solution 1 *
|
||
+ **************
|
||
|
||
1. Patch your kernel with `raw_promisc.patch' to enable raw table to see promisc traffic.
|
||
|
||
@@ -33,17 +38,7 @@ If you wish to account with netflow module traffic mirrored on switch you may fo
|
||
# /sbin/vconfig add eth1 47
|
||
# /sbin/ifconfig eth1.47 up
|
||
|
||
-5. Recompile ipt_netflow module with #define RAW_PROMISC_HACK uncommented:
|
||
-
|
||
- Find this line in ipt_NETFLOW.c (should be line 7):
|
||
-
|
||
-//#define RAW_PROMISC_HACK
|
||
-
|
||
- And remove two slashes at beginning of the line, so it become like this:
|
||
-
|
||
-#define RAW_PROMISC_HACK
|
||
-
|
||
- Re-compile module:
|
||
+5. Compile module:
|
||
|
||
# make clean all install
|
||
|
||
@@ -55,13 +50,14 @@ If you wish to account with netflow module traffic mirrored on switch you may fo
|
||
|
||
# /sbin/iptables -A PREROUTING -t raw -i eth1.47 -j NETFLOW
|
||
|
||
-
|
||
Voila.
|
||
|
||
+ps. For Debian Squeeze instructions look at raw_promisc_debian_squeeze6.patch
|
||
|
||
-**************
|
||
-* Solution 2 *
|
||
-**************
|
||
+
|
||
+ **************
|
||
+ * Solution 2 *
|
||
+ **************
|
||
|
||
By Anonymous.
|
||
|
||
@@ -81,4 +77,3 @@ Sometimes you may need to run:
|
||
|
||
for this scheme to work.
|
||
|
||
-
|
||
diff --git a/configure b/configure
|
||
index 677dd7f..3f10e2a 100755
|
||
--- a/configure
|
||
+++ b/configure
|
||
@@ -3,7 +3,7 @@
|
||
PATH=$PATH:/bin:/usr/bin:/usr/sbin:/sbin:/usr/local/sbin
|
||
|
||
error() {
|
||
- echo "! Error: $@"
|
||
+ echo -e "! Error: $@"
|
||
exit 1
|
||
}
|
||
|
||
@@ -56,19 +56,20 @@ get_lib_from_lib() {
|
||
}
|
||
|
||
iptables_inc() {
|
||
- echo -n "Iptables include path: "
|
||
+ echo -n "Iptables include flags: "
|
||
if [ "$IPTINC" ]; then
|
||
- echo "$IPTINC (user specified)"
|
||
IPTINC="-I$IPTINC"
|
||
+ echo "$IPTINC (user specified)"
|
||
+ elif [ "$PKGVER" ]; then
|
||
+ IPTINC="$PKGINC"
|
||
+ echo "$IPTINC (pkg-config)"
|
||
+ elif [ "$NOIPTSRC" ]; then
|
||
+ IPTINC=
|
||
+ echo "none (default)"
|
||
else
|
||
- if [ "$PKGINC" ]; then
|
||
- IPTINC="$PKGINC"
|
||
- echo "$IPTINC (pkg-config)"
|
||
- else
|
||
- IPTINC="$IPTSRC/include"
|
||
- echo "$IPTINC (from source)"
|
||
- IPTINC="-I$IPTINC"
|
||
- fi
|
||
+ IPTINC="$IPTSRC/include"
|
||
+ IPTINC="-I$IPTINC"
|
||
+ echo "$IPTINC (from source)"
|
||
fi
|
||
}
|
||
|
||
@@ -109,7 +110,16 @@ try_dir2() {
|
||
test -d "$1" && try_dir `dirname $1` && return 0
|
||
}
|
||
|
||
-iptables_ver() {
|
||
+check_pkg_config() {
|
||
+ test "$PKGWARN" && return 1
|
||
+ if ! which pkg-config >/dev/null 2>&1; then
|
||
+ echo "! You don't have pkg-config, it may be useful to install it."
|
||
+ PKGWARN=1
|
||
+ return 1
|
||
+ fi
|
||
+ return 0
|
||
+}
|
||
+iptables_find_version() {
|
||
echo -n "Iptables binary version: "
|
||
if [ "$IPTVER" ]; then
|
||
echo "$IPTVER (user specified)"
|
||
@@ -121,6 +131,7 @@ iptables_ver() {
|
||
else
|
||
echo "no iptables binary found"
|
||
fi
|
||
+ check_pkg_config
|
||
PKGVER=`pkg-config --modversion xtables 2>/dev/null`
|
||
if [ "$PKGVER" ]; then
|
||
IPTVER="$PKGVER"
|
||
@@ -131,44 +142,90 @@ iptables_ver() {
|
||
fi
|
||
}
|
||
|
||
-iptables_dir() {
|
||
- test "$IPTINC" && return 1
|
||
- test "$PKGINC" && return 1
|
||
-
|
||
- VER="iptables-$IPTVER"
|
||
- if [ "$IPTSRC" ]; then
|
||
- echo "User specified source directory: $IPTSRC"
|
||
- try_dir $IPTSRC || error "Specified directory is not iptables source.."
|
||
+compile_libitp_test() {
|
||
+ echo -n "Checking for presence of $@... "
|
||
+ echo "
|
||
+#define __EXPORTED_HEADERS__
|
||
+#include <$*>" > test.c
|
||
+ gcc -c test.c >/dev/null 2>&1
|
||
+ RET=$?
|
||
+ if [ $RET = 0 ]; then
|
||
+ echo Yes;
|
||
else
|
||
- echo "Searching for $VER sources.."
|
||
- try_dir "./$VER" && return 0
|
||
- try_dir "../$VER" && return 0
|
||
- try_dir "/usr/src/$VER" && return 0
|
||
- try_dirg "iptables" && return 0
|
||
- try_dirg "../iptables" && return 0
|
||
- try_dirg "/usr/src/iptables" && return 0
|
||
- try_dir2 `locate $VER/extensions | head -1` && return 0
|
||
- error "Can not find iptables source directory, try setting it with --ipt-src="
|
||
+ echo No;
|
||
fi
|
||
+ rm -f test.c test.o
|
||
+ return $RET
|
||
}
|
||
|
||
-iptables_pkg_config() {
|
||
+iptables_try_pkgconfig() {
|
||
if [ ! "$PKGVER" ]; then
|
||
+ check_pkg_config
|
||
+ PKGVER=`pkg-config --modversion xtables 2>/dev/null`
|
||
+ TRYPKGVER=`pkg-config --modversion xtables 2>/dev/null`
|
||
echo -n "pkg-config for version $IPTVER exists: "
|
||
- PKGVER=`pkg-config --exact-version=$IPTVER --modversion xtables 2>/dev/null`
|
||
+ pkg-config --exact-version=$IPTVER xtables 2>/dev/null
|
||
if [ $? = 0 ]; then
|
||
echo "Yes"
|
||
+ PKGVER=$TRYPKGVER
|
||
else
|
||
- echo "No (reported: $PKGVER)"
|
||
- unset PKGVER
|
||
+ if [ "$TRYPKGVER" ]; then
|
||
+ echo "No (reported: $TRYPKGVER)"
|
||
+ else
|
||
+ echo "No"
|
||
+ fi
|
||
fi
|
||
fi
|
||
if [ "$PKGVER" ]; then
|
||
+ check_pkg_config
|
||
+ PKGVER=`pkg-config --modversion xtables 2>/dev/null`
|
||
PKGINC=`pkg-config --cflags xtables`
|
||
PKGLIB=`pkg-config --variable=xtlibdir xtables`
|
||
- IPTCFLAGS="-DXTABLES"
|
||
else
|
||
- IPTCFLAGS="-DIPTABLES_VERSION=\\\\\"$IPTVER\\\\\""
|
||
+ # Newer versions of iptables should not have -I/kernel/include!
|
||
+ # So I assume that newer version will have correct pkg-config set up
|
||
+ # and if not, then it's older who need it.
|
||
+ IPTCFLAGS="-I$KDIR/include -DIPTABLES_VERSION=\\\\\"$IPTVER\\\\\""
|
||
+ fi
|
||
+ if compile_libitp_test xtables.h; then
|
||
+ IPTCFLAGS="-DXTABLES $IPTCFLAGS"
|
||
+ elif ! compile_libitp_test iptables.h; then
|
||
+ echo "! Iptables headers not found. You may need to specify --ipt-inc=..."
|
||
+ if [ -s /etc/debian_version ]; then
|
||
+ echo "! "
|
||
+ echo "! Under Debian simply run this:"
|
||
+ echo "! root# apt-get install iptables-dev pkg-config"
|
||
+ elif [ -s /etc/redhat-release ]; then
|
||
+ echo "! "
|
||
+ arch=.`uname -m`
|
||
+ echo "! Under Centos simply run this:"
|
||
+ echo "! root# yum install iptables-devel$arch pkgconfig"
|
||
+ fi
|
||
+ exit 1
|
||
+ fi
|
||
+
|
||
+}
|
||
+
|
||
+iptables_find_src() {
|
||
+ test "$IPTINC" && return 1
|
||
+ test "$PKGVER" && return 1
|
||
+
|
||
+ VER="iptables-$IPTVER"
|
||
+ if [ "$IPTSRC" ]; then
|
||
+ echo "User specified source directory: $IPTSRC"
|
||
+ try_dir $IPTSRC || error "Specified directory is not iptables source.."
|
||
+ else
|
||
+ echo "Searching for $VER sources.."
|
||
+ try_dir "./$VER" && return 0
|
||
+ try_dir "../$VER" && return 0
|
||
+ try_dir "/usr/src/$VER" && return 0
|
||
+ try_dirg "iptables" && return 0
|
||
+ try_dirg "../iptables" && return 0
|
||
+ try_dirg "/usr/src/iptables" && return 0
|
||
+ try_dir2 `locate $VER/extensions 2>/dev/null | head -1` && return 0
|
||
+ echo "! Can not find iptables source directory, you may try setting it with --ipt-src="
|
||
+ echo "! This is not fatal error, yet. Will be just using default include dir."
|
||
+ NOIPTSRC=1
|
||
fi
|
||
}
|
||
|
||
@@ -206,18 +263,110 @@ do
|
||
esac
|
||
done
|
||
|
||
-test "$KVERSION" || KVERSION=`uname -r`
|
||
-echo Kernel version: $KVERSION
|
||
+kernel_find_version() {
|
||
+ KHOW=requested
|
||
+ test "$KVERSION" && return 0
|
||
+
|
||
+ if grep -q '#.*Debian' /proc/version; then
|
||
+ KHOW=proc
|
||
+ KVERSION=`sed -n 's/.*#.*Debian \([0-9\.]\+\)-.*/\1/p' /proc/version`
|
||
+ KLIBMOD=`uname -r`
|
||
+ else
|
||
+ KHOW=uname
|
||
+ KVERSION=`uname -r`
|
||
+ fi
|
||
+ test "$KDIR" || return 0
|
||
+
|
||
+ test -s $KDIR/Makefile || return 1
|
||
+ test -s $KDIR/include/config/kernel.release || return 1
|
||
+ KVERSION=`cat $KDIR/include/config/kernel.release`
|
||
+ KHOW=sources
|
||
+}
|
||
+
|
||
+kernel_check_src() {
|
||
+ if [ -s "$1/Makefile" ]; then
|
||
+ KDIR="$1"
|
||
+ return 0
|
||
+ fi
|
||
+ return 1
|
||
+}
|
||
+
|
||
+kernel_find_source() {
|
||
+ KSHOW=requested
|
||
+ test "$KDIR" && return 0
|
||
+ KSHOW=found
|
||
+ kernel_check_src /lib/modules/$KLIBMOD/build && return 0
|
||
+ kernel_check_src /lib/modules/$KVERSION/build && return 0
|
||
+ kernel_check_src /usr/src/kernels/$KVERSION && return 0
|
||
+ kernel_check_src /usr/src/linux-$KVERSION && return 0
|
||
+ echo "! Linux source not found. Don't panic. You may specify kernel source"
|
||
+ echo "! directory with --kdir=..., or try to install kernel-devel package,"
|
||
+ echo "! or just raw sources for linux-$KVERSION from kernel.org."
|
||
+ if grep -q -i centos /proc/version 2>/dev/null; then
|
||
+ echo "! "
|
||
+ arch=.`uname -m`
|
||
+ echo "! Under Centos simply run this:"
|
||
+ echo "! root# yum install kernel-devel iptables-devel$arch pkgconfig"
|
||
+ fi
|
||
+ if grep -q -i debian /proc/version 2>/dev/null; then
|
||
+ echo "! "
|
||
+ echo "! Under Debian simply run this:"
|
||
+ echo "! root# apt-get install module-assistant iptables-dev pkg-config"
|
||
+ echo "! root# m-a prepare"
|
||
+ fi
|
||
+ exit 1
|
||
+}
|
||
+
|
||
+kernel_check_consistency() {
|
||
+ if test -s $KDIR/include/config/kernel.release; then
|
||
+ SRCVER=`cat $KDIR/include/config/kernel.release`
|
||
+ test "$KVERSION" != "$SRCVER" && error "$KHOW kernel version ($KVERSION) and $KSHOW version of kernel source ($SRCVER) doesn't match!\n!" \
|
||
+ "You may try to specify only kernel source tree with --kdir=$KDIR\n!" \
|
||
+ "and configure will pick up version properly."
|
||
+ else
|
||
+ test -e "$KDIR/.config" || error ".config in kernel source not found, run make menuconfig in $KDIR"
|
||
+ test -d "$KDIR/include/config" || error "kernel is not prepared, run make prepare modules_prepare in $KDIR"
|
||
+ fi
|
||
+}
|
||
+
|
||
+kconfig() {
|
||
+ KCONFIG=$KDIR/.config
|
||
+ if ! grep -q "^$1=" $KCONFIG 2>/dev/null; then
|
||
+ if [ "$KCONFIGREPORTED" != true ]; then
|
||
+ KCONFIGREPORTED=true
|
||
+ echo Kernel config file checked: $KCONFIG
|
||
+ echo
|
||
+ fi
|
||
+ echo "! Attention: $1 is undefined in your kernel configuration"
|
||
+ echo "! Without this option enabled $2 will not work."
|
||
+ echo
|
||
+ fi
|
||
+}
|
||
+
|
||
+kernel_check_config() {
|
||
+ kconfig CONFIG_SYSCTL "sysctl interface"
|
||
+ kconfig CONFIG_PROC_FS "proc interface"
|
||
+ kconfig CONFIG_NF_NAT_NEEDED "natevents"
|
||
+ kconfig CONFIG_NF_CONNTRACK_EVENTS "natevents"
|
||
+ kconfig CONFIG_NF_CONNTRACK_MARK "connmark tracking"
|
||
+ kconfig CONFIG_IPV6 "IPv6"
|
||
+ kconfig CONFIG_IP6_NF_IPTABLES "ip6tables target"
|
||
+}
|
||
|
||
-test "$KDIR" || KDIR=/lib/modules/$KVERSION/build
|
||
-echo Kernel sources: $KDIR
|
||
+kernel_find_version #KVERSION
|
||
+test "$KLIBMOD" || KLIBMOD=$KVERSION
|
||
+echo "Kernel version: $KVERSION ($KHOW)"
|
||
+kernel_find_source #KDIR
|
||
+echo "Kernel sources: $KDIR ($KSHOW)"
|
||
+kernel_check_consistency
|
||
+kernel_check_config
|
||
|
||
test "$IPTBIN" || IPTBIN=`which iptables`
|
||
|
||
-iptables_ver #IPTVER
|
||
-iptables_pkg_config
|
||
-iptables_dir #IPTSRC
|
||
-iptables_src_version #check IPTSRC match to IPTVER
|
||
+iptables_find_version #IPTVER
|
||
+iptables_try_pkgconfig #try to configure from pkg-config
|
||
+iptables_find_src #IPTSRC
|
||
+iptables_src_version #check that IPTSRC match to IPTVER
|
||
iptables_inc #IPTINC
|
||
iptables_modules #IPTLIB
|
||
|
||
@@ -225,7 +374,6 @@ REPLACE="\
|
||
s!@KVERSION@!$KVERSION!;\
|
||
s!@KDIR@!$KDIR!;\
|
||
s!@IPTABLES_VERSION@!$IPTVER!;\
|
||
-s!@IPTABLES_INCLUDES@!$IPTINC!;\
|
||
s!@IPTABLES_CFLAGS@!$IPTCFLAGS $IPTINC!;\
|
||
s!@IPTABLES_MODULES@!$IPTLIB!"
|
||
|
||
diff --git a/ipt_NETFLOW.c b/ipt_NETFLOW.c
|
||
index d4c91e1..ad974c5 100644
|
||
--- a/ipt_NETFLOW.c
|
||
+++ b/ipt_NETFLOW.c
|
||
@@ -1,6 +1,6 @@
|
||
/*
|
||
* This is NetFlow exporting module (NETFLOW target) for linux
|
||
- * (c) 2008-2012 <abc@telekom.ru>
|
||
+ * (c) 2008-2013 <abc@telekom.ru>
|
||
*
|
||
*
|
||
* This program is free software: you can redistribute it and/or modify
|
||
@@ -18,8 +18,6 @@
|
||
*
|
||
*/
|
||
|
||
-//#define RAW_PROMISC_HACK
|
||
-
|
||
#include <linux/module.h>
|
||
#include <linux/skbuff.h>
|
||
#include <linux/proc_fs.h>
|
||
@@ -31,16 +29,26 @@
|
||
#include <linux/icmp.h>
|
||
#include <linux/igmp.h>
|
||
#include <linux/inetdevice.h>
|
||
-#include <linux/jhash.h>
|
||
+#include <linux/hash.h>
|
||
+#include <linux/delay.h>
|
||
+#include <linux/spinlock_types.h>
|
||
#include <net/icmp.h>
|
||
#include <net/ip.h>
|
||
+#include <net/ipv6.h>
|
||
#include <net/tcp.h>
|
||
#include <net/route.h>
|
||
+#include <net/ip6_fib.h>
|
||
#include <net/dst.h>
|
||
#include <linux/netfilter_ipv4/ip_tables.h>
|
||
+#if defined(CONFIG_NF_NAT_NEEDED) || defined(CONFIG_NF_CONNTRACK_MARK)
|
||
+#include <linux/notifier.h>
|
||
+#include <net/netfilter/nf_conntrack.h>
|
||
+#include <net/netfilter/nf_conntrack_core.h>
|
||
+#endif
|
||
#include <linux/version.h>
|
||
#include <asm/unaligned.h>
|
||
#include "ipt_NETFLOW.h"
|
||
+#include "murmur3.h"
|
||
#ifdef CONFIG_BRIDGE_NETFILTER
|
||
#include <linux/netfilter_bridge.h>
|
||
#endif
|
||
@@ -74,41 +82,66 @@
|
||
#define ipt_target xt_target
|
||
#endif
|
||
|
||
-#define IPT_NETFLOW_VERSION "1.8"
|
||
+#define IPT_NETFLOW_VERSION "1.8.2" /* Note that if you are using git, you
|
||
+ will see version in other format. */
|
||
+#include "version.h"
|
||
+#ifdef GITVERSION
|
||
+#undef IPT_NETFLOW_VERSION
|
||
+#define IPT_NETFLOW_VERSION GITVERSION
|
||
+#endif
|
||
|
||
MODULE_LICENSE("GPL");
|
||
MODULE_AUTHOR("<abc@telekom.ru>");
|
||
MODULE_DESCRIPTION("iptables NETFLOW target module");
|
||
MODULE_VERSION(IPT_NETFLOW_VERSION);
|
||
+MODULE_ALIAS("ip6t_NETFLOW");
|
||
|
||
#define DST_SIZE 256
|
||
static char destination_buf[DST_SIZE] = "127.0.0.1:2055";
|
||
static char *destination = destination_buf;
|
||
-module_param(destination, charp, 0400);
|
||
+module_param(destination, charp, 0444);
|
||
MODULE_PARM_DESC(destination, "export destination ipaddress:port");
|
||
|
||
static int inactive_timeout = 15;
|
||
-module_param(inactive_timeout, int, 0600);
|
||
+module_param(inactive_timeout, int, 0644);
|
||
MODULE_PARM_DESC(inactive_timeout, "inactive flows timeout in seconds");
|
||
|
||
static int active_timeout = 30 * 60;
|
||
-module_param(active_timeout, int, 0600);
|
||
+module_param(active_timeout, int, 0644);
|
||
MODULE_PARM_DESC(active_timeout, "active flows timeout in seconds");
|
||
|
||
static int debug = 0;
|
||
-module_param(debug, int, 0600);
|
||
+module_param(debug, int, 0644);
|
||
MODULE_PARM_DESC(debug, "debug verbosity level");
|
||
|
||
static int sndbuf;
|
||
-module_param(sndbuf, int, 0400);
|
||
+module_param(sndbuf, int, 0444);
|
||
MODULE_PARM_DESC(sndbuf, "udp socket SNDBUF size");
|
||
|
||
+static int protocol = 5;
|
||
+module_param(protocol, int, 0444);
|
||
+MODULE_PARM_DESC(protocol, "netflow protocol version (5, 9, 10)");
|
||
+
|
||
+static unsigned int refresh_rate = 20;
|
||
+module_param(refresh_rate, uint, 0644);
|
||
+MODULE_PARM_DESC(refresh_rate, "NetFlow v9/IPFIX refresh rate (packets)");
|
||
+
|
||
+static unsigned int timeout_rate = 30;
|
||
+module_param(timeout_rate, uint, 0644);
|
||
+MODULE_PARM_DESC(timeout_rate, "NetFlow v9/IPFIX timeout rate (minutes)");
|
||
+
|
||
+#ifdef CONFIG_NF_NAT_NEEDED
|
||
+static int natevents = 0;
|
||
+module_param(natevents, int, 0444);
|
||
+MODULE_PARM_DESC(natevents, "send NAT Events");
|
||
+#endif
|
||
+
|
||
static int hashsize;
|
||
-module_param(hashsize, int, 0400);
|
||
+module_param(hashsize, int, 0444);
|
||
MODULE_PARM_DESC(hashsize, "hash table size");
|
||
|
||
static int maxflows = 2000000;
|
||
-module_param(maxflows, int, 0600);
|
||
+module_param(maxflows, int, 0644);
|
||
MODULE_PARM_DESC(maxflows, "maximum number of flows");
|
||
static int peakflows = 0;
|
||
static unsigned long peakflows_at;
|
||
@@ -121,22 +154,52 @@ MODULE_PARM_DESC(aggregation, "aggregation ruleset");
|
||
|
||
static DEFINE_PER_CPU(struct ipt_netflow_stat, ipt_netflow_stat);
|
||
static LIST_HEAD(usock_list);
|
||
-static DEFINE_RWLOCK(sock_lock);
|
||
+static DEFINE_MUTEX(sock_lock);
|
||
|
||
+#define LOCK_COUNT (1<<8)
|
||
+#define LOCK_COUNT_MASK (LOCK_COUNT-1)
|
||
+static spinlock_t htable_locks[LOCK_COUNT] = {
|
||
+ [0 ... LOCK_COUNT - 1] = __SPIN_LOCK_UNLOCKED(htable_locks)
|
||
+};
|
||
+static DEFINE_RWLOCK(htable_rwlock); /* global lock to protect htable_locks change */
|
||
static unsigned int ipt_netflow_hash_rnd;
|
||
-struct hlist_head *ipt_netflow_hash __read_mostly; /* hash table memory */
|
||
+static struct hlist_head *ipt_netflow_hash __read_mostly; /* hash table memory */
|
||
static unsigned int ipt_netflow_hash_size __read_mostly = 0; /* buckets */
|
||
static LIST_HEAD(ipt_netflow_list); /* all flows */
|
||
+static DEFINE_SPINLOCK(hlist_lock); /* should almost always be locked w/o _bh */
|
||
static LIST_HEAD(aggr_n_list);
|
||
static LIST_HEAD(aggr_p_list);
|
||
static DEFINE_RWLOCK(aggr_lock);
|
||
+#ifdef CONFIG_NF_NAT_NEEDED
|
||
+static LIST_HEAD(nat_list); /* nat events */
|
||
+static DEFINE_SPINLOCK(nat_lock);
|
||
+static unsigned long nat_events_start = 0;
|
||
+static unsigned long nat_events_stop = 0;
|
||
+#endif
|
||
static struct kmem_cache *ipt_netflow_cachep __read_mostly; /* ipt_netflow memory */
|
||
static atomic_t ipt_netflow_count = ATOMIC_INIT(0);
|
||
-static DEFINE_SPINLOCK(ipt_netflow_lock); /* hash table lock */
|
||
|
||
-static long long pdu_packets = 0, pdu_traf = 0;
|
||
-static struct netflow5_pdu pdu;
|
||
-static unsigned long pdu_ts_mod;
|
||
+static long long pdu_packets = 0, pdu_traf = 0; /* how much accounted traffic in pdu */
|
||
+static unsigned int pdu_count = 0;
|
||
+static unsigned int pdu_seq = 0;
|
||
+static unsigned int pdu_data_records = 0;
|
||
+static unsigned int pdu_tpl_records = 0;
|
||
+static unsigned long pdu_ts_mod; /* ts of last flow */
|
||
+static union {
|
||
+ struct netflow5_pdu v5;
|
||
+ struct netflow9_pdu v9;
|
||
+ struct ipfix_pdu ipfix;
|
||
+} pdu;
|
||
+static int engine_id = 0; /* Observation Domain */
|
||
+static __u8 *pdu_data_used;
|
||
+static __u8 *pdu_high_wm; /* high watermark */
|
||
+static unsigned int pdu_max_size; /* sizeof pdu */
|
||
+static struct flowset_data *pdu_flowset = NULL; /* current data flowset */
|
||
+
|
||
+static void (*netflow_export_flow)(struct ipt_netflow *nf);
|
||
+static void (*netflow_export_pdu)(void); /* called on timeout */
|
||
+static void netflow_switch_version(int ver);
|
||
+
|
||
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,20)
|
||
static void netflow_work_fn(void *work);
|
||
static DECLARE_WORK(netflow_work, netflow_work_fn, NULL);
|
||
@@ -146,19 +209,26 @@ static DECLARE_DELAYED_WORK(netflow_work, netflow_work_fn);
|
||
#endif
|
||
static struct timer_list rate_timer;
|
||
|
||
+#define TCP_SYN_ACK 0x12
|
||
#define TCP_FIN_RST 0x05
|
||
|
||
static long long sec_prate = 0, sec_brate = 0;
|
||
static long long min_prate = 0, min_brate = 0;
|
||
static long long min5_prate = 0, min5_brate = 0;
|
||
-static unsigned int metric = 10, min15_metric = 10, min5_metric = 10, min_metric = 10; /* hash metrics */
|
||
+static unsigned int metric = 100, min15_metric = 100, min5_metric = 100, min_metric = 100; /* hash metrics */
|
||
|
||
static int set_hashsize(int new_size);
|
||
static void destination_removeall(void);
|
||
static int add_destinations(char *ptr);
|
||
static void aggregation_remove(struct list_head *list);
|
||
static int add_aggregation(char *ptr);
|
||
-static void netflow_scan_and_export(int flush);
|
||
+static int netflow_scan_and_export(int flush);
|
||
+enum {
|
||
+ DONT_FLUSH, AND_FLUSH
|
||
+};
|
||
+static int template_ids = FLOWSET_DATA_FIRST;
|
||
+static int tpl_count = 0; /* how much active templates */
|
||
+
|
||
|
||
static inline __be32 bits2mask(int bits) {
|
||
return (bits? 0xffffffff << (32 - bits) : 0);
|
||
@@ -175,28 +245,46 @@ static inline int mask2bits(__be32 mask) {
|
||
/* under that lock worker is always stopped and not rescheduled,
|
||
* and we can call worker sub-functions manually */
|
||
static DEFINE_MUTEX(worker_lock);
|
||
-static inline void __start_scan_worker(void)
|
||
+#define MIN_DELAY 1
|
||
+#define MAX_DELAY (HZ / 10)
|
||
+static int worker_delay = HZ / 10;
|
||
+static inline void _schedule_scan_worker(const int status)
|
||
{
|
||
- schedule_delayed_work(&netflow_work, HZ / 10);
|
||
+ /* rudimentary congestion avoidance */
|
||
+ if (status > 0)
|
||
+ worker_delay -= status;
|
||
+ else if (status < 0)
|
||
+ worker_delay /= 2;
|
||
+ else
|
||
+ worker_delay++;
|
||
+ if (worker_delay < MIN_DELAY)
|
||
+ worker_delay = MIN_DELAY;
|
||
+ else if (worker_delay > MAX_DELAY)
|
||
+ worker_delay = MAX_DELAY;
|
||
+ schedule_delayed_work(&netflow_work, worker_delay);
|
||
}
|
||
|
||
-static inline void start_scan_worker(void)
|
||
+/* This is only called soon after pause_scan_worker. */
|
||
+static inline void cont_scan_worker(void)
|
||
{
|
||
- __start_scan_worker();
|
||
+ _schedule_scan_worker(0);
|
||
mutex_unlock(&worker_lock);
|
||
}
|
||
|
||
-/* we always stop scanner before write_lock(&sock_lock)
|
||
- * to let it never hold that spin lock */
|
||
-static inline void __stop_scan_worker(void)
|
||
+static inline void _unschedule_scan_worker(void)
|
||
{
|
||
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,23)
|
||
+ cancel_rearming_delayed_work(&netflow_work);
|
||
+#else
|
||
cancel_delayed_work_sync(&netflow_work);
|
||
+#endif
|
||
}
|
||
|
||
-static inline void stop_scan_worker(void)
|
||
+/* This is only used for quick pause (in procctl). */
|
||
+static inline void pause_scan_worker(void)
|
||
{
|
||
mutex_lock(&worker_lock);
|
||
- __stop_scan_worker();
|
||
+ _unschedule_scan_worker();
|
||
}
|
||
|
||
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24)
|
||
@@ -223,11 +311,14 @@ static int nf_seq_show(struct seq_file *seq, void *v)
|
||
int snum = 0;
|
||
int peak = (jiffies - peakflows_at) / HZ;
|
||
|
||
- seq_printf(seq, "Flows: active %u (peak %u reached %ud%uh%um ago), mem %uK\n",
|
||
+ seq_printf(seq, "ipt_NETFLOW version " IPT_NETFLOW_VERSION ", srcversion %s\n",
|
||
+ THIS_MODULE->srcversion);
|
||
+ seq_printf(seq, "Flows: active %u (peak %u reached %ud%uh%um ago), mem %uK, worker delay %d/%d.\n",
|
||
nr_flows,
|
||
peakflows,
|
||
peak / (60 * 60 * 24), (peak / (60 * 60)) % 24, (peak / 60) % 60,
|
||
- (unsigned int)((nr_flows * sizeof(struct ipt_netflow)) >> 10));
|
||
+ (unsigned int)((nr_flows * sizeof(struct ipt_netflow)) >> 10),
|
||
+ worker_delay, HZ);
|
||
|
||
for_each_present_cpu(cpu) {
|
||
struct ipt_netflow_stat *st = &per_cpu(ipt_netflow_stat, cpu);
|
||
@@ -252,93 +343,123 @@ static int nf_seq_show(struct seq_file *seq, void *v)
|
||
}
|
||
|
||
#define FFLOAT(x, prec) (int)(x) / prec, (int)(x) % prec
|
||
- seq_printf(seq, "Hash: size %u (mem %uK), metric %d.%d, %d.%d, %d.%d, %d.%d. MemTraf: %llu pkt, %llu K (pdu %llu, %llu).\n",
|
||
- ipt_netflow_hash_size,
|
||
- (unsigned int)((ipt_netflow_hash_size * sizeof(struct hlist_head)) >> 10),
|
||
- FFLOAT(metric, 10),
|
||
- FFLOAT(min_metric, 10),
|
||
- FFLOAT(min5_metric, 10),
|
||
- FFLOAT(min15_metric, 10),
|
||
- pkt_total - pkt_out + pdu_packets,
|
||
- (traf_total - traf_out + pdu_traf) >> 10,
|
||
- pdu_packets,
|
||
- pdu_traf);
|
||
-
|
||
- seq_printf(seq, "Timeout: active %d, inactive %d. Maxflows %u\n",
|
||
- active_timeout,
|
||
- inactive_timeout,
|
||
- maxflows);
|
||
-
|
||
- seq_printf(seq, "Rate: %llu bits/sec, %llu packets/sec; Avg 1 min: %llu bps, %llu pps; 5 min: %llu bps, %llu pps\n",
|
||
- sec_brate, sec_prate, min_brate, min_prate, min5_brate, min5_prate);
|
||
-
|
||
- seq_printf(seq, "cpu# stat: <search found new, trunc frag alloc maxflows>, sock: <ok fail cberr, bytes>, traffic: <pkt, bytes>, drop: <pkt, bytes>\n");
|
||
-
|
||
- seq_printf(seq, "Total stat: %6llu %6llu %6llu, %4u %4u %4u %4u, sock: %6u %u %u, %llu K, traffic: %llu, %llu MB, drop: %llu, %llu K\n",
|
||
- (unsigned long long)searched,
|
||
- (unsigned long long)found,
|
||
- (unsigned long long)notfound,
|
||
- truncated, frags, alloc_err, maxflows_err,
|
||
- send_success, send_failed, sock_errors,
|
||
- (unsigned long long)exported_size >> 10,
|
||
- (unsigned long long)pkt_total, (unsigned long long)traf_total >> 20,
|
||
- (unsigned long long)pkt_drop, (unsigned long long)traf_drop >> 10);
|
||
+ seq_printf(seq, "Hash: size %u (mem %uK), metric %d.%02d [%d.%02d, %d.%02d, %d.%02d]."
|
||
+ " MemTraf: %llu pkt, %llu K (pdu %llu, %llu), Out %llu pkt, %llu K.\n",
|
||
+ ipt_netflow_hash_size,
|
||
+ (unsigned int)((ipt_netflow_hash_size * sizeof(struct hlist_head)) >> 10),
|
||
+ FFLOAT(metric, 100),
|
||
+ FFLOAT(min_metric, 100),
|
||
+ FFLOAT(min5_metric, 100),
|
||
+ FFLOAT(min15_metric, 100),
|
||
+ pkt_total - pkt_out + pdu_packets,
|
||
+ (traf_total - traf_out + pdu_traf) >> 10,
|
||
+ pdu_packets,
|
||
+ pdu_traf,
|
||
+ pkt_out,
|
||
+ traf_out >> 10);
|
||
+
|
||
+ seq_printf(seq, "Rate: %llu bits/sec, %llu packets/sec;"
|
||
+ " Avg 1 min: %llu bps, %llu pps; 5 min: %llu bps, %llu pps\n",
|
||
+ sec_brate, sec_prate, min_brate, min_prate, min5_brate, min5_prate);
|
||
+
|
||
+ seq_printf(seq, "cpu# stat: <search found new [metric], trunc frag alloc maxflows>,"
|
||
+ " sock: <ok fail cberr, bytes>, traffic: <pkt, bytes>, drop: <pkt, bytes>\n");
|
||
+
|
||
+#define SAFEDIV(x,y) ((y)? ({ u64 __tmp = x; do_div(__tmp, y); (int)__tmp; }) : 0)
|
||
+ seq_printf(seq, "Total stat: %6llu %6llu %6llu [%d.%02d], %4u %4u %4u %4u,"
|
||
+ " sock: %6u %u %u, %llu K, traffic: %llu, %llu MB, drop: %llu, %llu K\n",
|
||
+ searched,
|
||
+ (unsigned long long)found,
|
||
+ (unsigned long long)notfound,
|
||
+ FFLOAT(SAFEDIV(100LL * (searched + found + notfound), (found + notfound)), 100),
|
||
+ truncated, frags, alloc_err, maxflows_err,
|
||
+ send_success, send_failed, sock_errors,
|
||
+ (unsigned long long)exported_size >> 10,
|
||
+ (unsigned long long)pkt_total, (unsigned long long)traf_total >> 20,
|
||
+ (unsigned long long)pkt_drop, (unsigned long long)traf_drop >> 10);
|
||
|
||
if (num_present_cpus() > 1) {
|
||
for_each_present_cpu(cpu) {
|
||
struct ipt_netflow_stat *st;
|
||
|
||
st = &per_cpu(ipt_netflow_stat, cpu);
|
||
- seq_printf(seq, "cpu%u stat: %6llu %6llu %6llu, %4u %4u %4u %4u, sock: %6u %u %u, %llu K, traffic: %llu, %llu MB, drop: %llu, %llu K\n",
|
||
- cpu,
|
||
- (unsigned long long)st->searched,
|
||
- (unsigned long long)st->found,
|
||
- (unsigned long long)st->notfound,
|
||
- st->truncated, st->frags, st->alloc_err, st->maxflows_err,
|
||
- st->send_success, st->send_failed, st->sock_errors,
|
||
- (unsigned long long)st->exported_size >> 10,
|
||
- (unsigned long long)st->pkt_total, (unsigned long long)st->traf_total >> 20,
|
||
- (unsigned long long)st->pkt_drop, (unsigned long long)st->traf_drop >> 10);
|
||
+ seq_printf(seq, "cpu%u stat: %6llu %6llu %6llu [%d.%02d], %4u %4u %4u %4u,"
|
||
+ " sock: %6u %u %u, %llu K, traffic: %llu, %llu MB, drop: %llu, %llu K\n",
|
||
+ cpu,
|
||
+ (unsigned long long)st->searched,
|
||
+ (unsigned long long)st->found,
|
||
+ (unsigned long long)st->notfound,
|
||
+ FFLOAT(SAFEDIV(100LL * (st->searched + st->found + st->notfound), (st->found + st->notfound)), 100),
|
||
+ st->truncated, st->frags, st->alloc_err, st->maxflows_err,
|
||
+ st->send_success, st->send_failed, st->sock_errors,
|
||
+ (unsigned long long)st->exported_size >> 10,
|
||
+ (unsigned long long)st->pkt_total, (unsigned long long)st->traf_total >> 20,
|
||
+ (unsigned long long)st->pkt_drop, (unsigned long long)st->traf_drop >> 10);
|
||
}
|
||
}
|
||
|
||
- read_lock(&sock_lock);
|
||
+ seq_printf(seq, "Protocol version %d", protocol);
|
||
+ if (protocol == 10)
|
||
+ seq_printf(seq, " (ipfix)");
|
||
+ else
|
||
+ seq_printf(seq, " (netflow)");
|
||
+ if (protocol >= 9)
|
||
+ seq_printf(seq, ", refresh-rate %u, timeout-rate %u, (templates %d, active %d)",
|
||
+ refresh_rate, timeout_rate, template_ids - FLOWSET_DATA_FIRST, tpl_count);
|
||
+
|
||
+ seq_printf(seq, ". Timeouts: active %d, inactive %d. Maxflows %u\n",
|
||
+ active_timeout,
|
||
+ inactive_timeout,
|
||
+ maxflows);
|
||
+
|
||
+#ifdef CONFIG_NF_NAT_NEEDED
|
||
+ seq_printf(seq, "Natevents %s, count start %lu, stop %lu.\n", natevents? "enabled" : "disabled",
|
||
+ nat_events_start, nat_events_stop);
|
||
+#endif
|
||
+
|
||
+ mutex_lock(&sock_lock);
|
||
list_for_each_entry(usock, &usock_list, list) {
|
||
- struct sock *sk = usock->sock->sk;
|
||
-
|
||
- seq_printf(seq, "sock%d: %u.%u.%u.%u:%u, sndbuf %u, filled %u, peak %u; err: sndbuf reached %u, other %u\n",
|
||
- snum,
|
||
- usock->ipaddr >> 24,
|
||
- (usock->ipaddr >> 16) & 255,
|
||
- (usock->ipaddr >> 8) & 255,
|
||
- usock->ipaddr & 255,
|
||
- usock->port,
|
||
- sk->sk_sndbuf,
|
||
- atomic_read(&sk->sk_wmem_alloc),
|
||
- atomic_read(&usock->wmem_peak),
|
||
- atomic_read(&usock->err_full),
|
||
- atomic_read(&usock->err_other));
|
||
+ seq_printf(seq, "sock%d: %u.%u.%u.%u:%u",
|
||
+ snum,
|
||
+ HIPQUAD(usock->ipaddr),
|
||
+ usock->port);
|
||
+ if (usock->sock) {
|
||
+ struct sock *sk = usock->sock->sk;
|
||
+
|
||
+ seq_printf(seq, ", sndbuf %u, filled %u, peak %u;"
|
||
+ " err: sndbuf reached %u, connect %u, other %u\n",
|
||
+ sk->sk_sndbuf,
|
||
+ atomic_read(&sk->sk_wmem_alloc),
|
||
+ atomic_read(&usock->wmem_peak),
|
||
+ atomic_read(&usock->err_full),
|
||
+ atomic_read(&usock->err_connect),
|
||
+ atomic_read(&usock->err_other));
|
||
+ } else
|
||
+ seq_printf(seq, " unconnected (%u attempts).\n",
|
||
+ atomic_read(&usock->err_connect));
|
||
snum++;
|
||
}
|
||
- read_unlock(&sock_lock);
|
||
+ mutex_unlock(&sock_lock);
|
||
|
||
read_lock_bh(&aggr_lock);
|
||
snum = 0;
|
||
list_for_each_entry(aggr_n, &aggr_n_list, list) {
|
||
- seq_printf(seq, "aggr#%d net: match %u.%u.%u.%u/%d strip %d\n",
|
||
- snum,
|
||
- HIPQUAD(aggr_n->addr),
|
||
- mask2bits(aggr_n->mask),
|
||
- mask2bits(aggr_n->aggr_mask));
|
||
+ seq_printf(seq, "aggr#%d net: match %u.%u.%u.%u/%d strip %d (usage %u)\n",
|
||
+ snum,
|
||
+ HIPQUAD(aggr_n->addr),
|
||
+ mask2bits(aggr_n->mask),
|
||
+ mask2bits(aggr_n->aggr_mask),
|
||
+ atomic_read(&aggr_n->usage));
|
||
snum++;
|
||
}
|
||
snum = 0;
|
||
list_for_each_entry(aggr_p, &aggr_p_list, list) {
|
||
- seq_printf(seq, "aggr#%d port: ports %u-%u replace %u\n",
|
||
- snum,
|
||
- aggr_p->port1,
|
||
- aggr_p->port2,
|
||
- aggr_p->aggr_port);
|
||
+ seq_printf(seq, "aggr#%d port: ports %u-%u replace %u (usage %u)\n",
|
||
+ snum,
|
||
+ aggr_p->port1,
|
||
+ aggr_p->port2,
|
||
+ aggr_p->aggr_port,
|
||
+ atomic_read(&aggr_p->usage));
|
||
snum++;
|
||
}
|
||
read_unlock_bh(&aggr_lock);
|
||
@@ -367,8 +488,13 @@ static struct file_operations nf_seq_fops = {
|
||
#define BEFORE2632(x,y)
|
||
#endif
|
||
|
||
+/* PAX need to know that we are allowed to write */
|
||
+#ifndef CONSTIFY_PLUGIN
|
||
+#define ctl_table_no_const ctl_table
|
||
+#endif
|
||
+
|
||
/* sysctl /proc/sys/net/netflow */
|
||
-static int hsize_procctl(ctl_table *ctl, int write, BEFORE2632(struct file *filp,)
|
||
+static int hsize_procctl(ctl_table_no_const *ctl, int write, BEFORE2632(struct file *filp,)
|
||
void __user *buffer, size_t *lenp, loff_t *fpos)
|
||
{
|
||
void *orig = ctl->data;
|
||
@@ -386,20 +512,21 @@ static int hsize_procctl(ctl_table *ctl, int write, BEFORE2632(struct file *filp
|
||
return ret;
|
||
}
|
||
|
||
-static int sndbuf_procctl(ctl_table *ctl, int write, BEFORE2632(struct file *filp,)
|
||
+static int sndbuf_procctl(ctl_table_no_const *ctl, int write, BEFORE2632(struct file *filp,)
|
||
void __user *buffer, size_t *lenp, loff_t *fpos)
|
||
{
|
||
int ret;
|
||
struct ipt_netflow_sock *usock;
|
||
-
|
||
- read_lock(&sock_lock);
|
||
+
|
||
+ mutex_lock(&sock_lock);
|
||
if (list_empty(&usock_list)) {
|
||
- read_unlock(&sock_lock);
|
||
+ mutex_unlock(&sock_lock);
|
||
return -ENOENT;
|
||
}
|
||
usock = list_first_entry(&usock_list, struct ipt_netflow_sock, list);
|
||
- sndbuf = usock->sock->sk->sk_sndbuf;
|
||
- read_unlock(&sock_lock);
|
||
+ if (usock->sock)
|
||
+ sndbuf = usock->sock->sk->sk_sndbuf;
|
||
+ mutex_unlock(&sock_lock);
|
||
|
||
ctl->data = &sndbuf;
|
||
ret = proc_dointvec(ctl, write, BEFORE2632(filp,) buffer, lenp, fpos);
|
||
@@ -407,13 +534,14 @@ static int sndbuf_procctl(ctl_table *ctl, int write, BEFORE2632(struct file *fil
|
||
return ret;
|
||
if (sndbuf < SOCK_MIN_SNDBUF)
|
||
sndbuf = SOCK_MIN_SNDBUF;
|
||
- stop_scan_worker();
|
||
- write_lock(&sock_lock);
|
||
+ pause_scan_worker();
|
||
+ mutex_lock(&sock_lock);
|
||
list_for_each_entry(usock, &usock_list, list) {
|
||
- usock->sock->sk->sk_sndbuf = sndbuf;
|
||
+ if (usock->sock)
|
||
+ usock->sock->sk->sk_sndbuf = sndbuf;
|
||
}
|
||
- write_unlock(&sock_lock);
|
||
- start_scan_worker();
|
||
+ mutex_unlock(&sock_lock);
|
||
+ cont_scan_worker();
|
||
return ret;
|
||
}
|
||
|
||
@@ -424,10 +552,10 @@ static int destination_procctl(ctl_table *ctl, int write, BEFORE2632(struct file
|
||
|
||
ret = proc_dostring(ctl, write, BEFORE2632(filp,) buffer, lenp, fpos);
|
||
if (ret >= 0 && write) {
|
||
- stop_scan_worker();
|
||
+ pause_scan_worker();
|
||
destination_removeall();
|
||
add_destinations(destination_buf);
|
||
- start_scan_worker();
|
||
+ cont_scan_worker();
|
||
}
|
||
return ret;
|
||
}
|
||
@@ -446,13 +574,12 @@ static int aggregation_procctl(ctl_table *ctl, int write, BEFORE2632(struct file
|
||
return ret;
|
||
}
|
||
|
||
-static int flush_procctl(ctl_table *ctl, int write, BEFORE2632(struct file *filp,)
|
||
+static int flush_procctl(ctl_table_no_const *ctl, int write, BEFORE2632(struct file *filp,)
|
||
void __user *buffer, size_t *lenp, loff_t *fpos)
|
||
{
|
||
int ret;
|
||
- int val;
|
||
+ int val = 0;
|
||
|
||
- val = 0;
|
||
ctl->data = &val;
|
||
ret = proc_dointvec(ctl, write, BEFORE2632(filp,) buffer, lenp, fpos);
|
||
|
||
@@ -461,14 +588,67 @@ static int flush_procctl(ctl_table *ctl, int write, BEFORE2632(struct file *filp
|
||
|
||
if (val > 0) {
|
||
printk(KERN_INFO "ipt_NETFLOW: forced flush\n");
|
||
- stop_scan_worker();
|
||
- netflow_scan_and_export(1);
|
||
- start_scan_worker();
|
||
+ pause_scan_worker();
|
||
+ netflow_scan_and_export(AND_FLUSH);
|
||
+ cont_scan_worker();
|
||
+ }
|
||
+
|
||
+ return ret;
|
||
+}
|
||
+
|
||
+static int protocol_procctl(ctl_table *ctl, int write, BEFORE2632(struct file *filp,)
|
||
+ void __user *buffer, size_t *lenp, loff_t *fpos)
|
||
+{
|
||
+ int ret;
|
||
+ int ver = protocol;
|
||
+
|
||
+ ctl->data = &ver;
|
||
+ ret = proc_dointvec(ctl, write, BEFORE2632(filp,) buffer, lenp, fpos);
|
||
+
|
||
+ if (!write)
|
||
+ return ret;
|
||
+
|
||
+ switch (ver) {
|
||
+ case 5:
|
||
+ case 9:
|
||
+ case 10:
|
||
+ printk(KERN_INFO "ipt_NETFLOW: forced flush (protocol version change)\n");
|
||
+ pause_scan_worker();
|
||
+ netflow_scan_and_export(AND_FLUSH);
|
||
+ netflow_switch_version(ver);
|
||
+ cont_scan_worker();
|
||
+ break;
|
||
+ default:
|
||
+ return -EPERM;
|
||
}
|
||
|
||
return ret;
|
||
}
|
||
|
||
+#ifdef CONFIG_NF_NAT_NEEDED
|
||
+static void register_ct_events(void);
|
||
+static void unregister_ct_events(void);
|
||
+static int natevents_procctl(ctl_table *ctl, int write, BEFORE2632(struct file *filp,)
|
||
+ void __user *buffer, size_t *lenp, loff_t *fpos)
|
||
+{
|
||
+ int ret;
|
||
+ int val = natevents;
|
||
+
|
||
+ ctl->data = &val;
|
||
+ ret = proc_dointvec(ctl, write, BEFORE2632(filp,) buffer, lenp, fpos);
|
||
+
|
||
+ if (!write)
|
||
+ return ret;
|
||
+
|
||
+ if (natevents && !val)
|
||
+ unregister_ct_events();
|
||
+ else if (!natevents && val)
|
||
+ register_ct_events();
|
||
+
|
||
+ return ret;
|
||
+}
|
||
+#endif
|
||
+
|
||
static struct ctl_table_header *netflow_sysctl_header;
|
||
|
||
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,20)
|
||
@@ -547,6 +727,38 @@ static struct ctl_table netflow_sysctl_table[] = {
|
||
.maxlen = sizeof(int),
|
||
.proc_handler = &flush_procctl,
|
||
},
|
||
+ {
|
||
+ _CTL_NAME(10)
|
||
+ .procname = "protocol",
|
||
+ .mode = 0644,
|
||
+ .maxlen = sizeof(int),
|
||
+ .proc_handler = &protocol_procctl,
|
||
+ },
|
||
+ {
|
||
+ _CTL_NAME(11)
|
||
+ .procname = "refresh-rate",
|
||
+ .mode = 0644,
|
||
+ .data = &refresh_rate,
|
||
+ .maxlen = sizeof(int),
|
||
+ .proc_handler = &proc_dointvec,
|
||
+ },
|
||
+ {
|
||
+ _CTL_NAME(12)
|
||
+ .procname = "timeout-rate",
|
||
+ .mode = 0644,
|
||
+ .data = &timeout_rate,
|
||
+ .maxlen = sizeof(int),
|
||
+ .proc_handler = &proc_dointvec,
|
||
+ },
|
||
+#ifdef CONFIG_NF_NAT_NEEDED
|
||
+ {
|
||
+ _CTL_NAME(13)
|
||
+ .procname = "natevents",
|
||
+ .mode = 0644,
|
||
+ .maxlen = sizeof(int),
|
||
+ .proc_handler = &natevents_procctl,
|
||
+ },
|
||
+#endif
|
||
{ }
|
||
};
|
||
|
||
@@ -588,18 +800,69 @@ static struct ctl_path netflow_sysctl_path[] = {
|
||
static void sk_error_report(struct sock *sk)
|
||
{
|
||
/* clear connection refused errors if any */
|
||
- write_lock_bh(&sk->sk_callback_lock);
|
||
if (debug > 1)
|
||
- printk(KERN_INFO "NETFLOW: socket error <%d>\n", sk->sk_err);
|
||
+ printk(KERN_INFO "ipt_NETFLOW: socket error <%d>\n", sk->sk_err);
|
||
sk->sk_err = 0;
|
||
NETFLOW_STAT_INC(sock_errors);
|
||
- write_unlock_bh(&sk->sk_callback_lock);
|
||
return;
|
||
}
|
||
|
||
+static struct socket *_usock_alloc(const __be32 ipaddr, const unsigned short port)
|
||
+{
|
||
+ struct sockaddr_in sin;
|
||
+ struct socket *sock;
|
||
+ int error;
|
||
+
|
||
+ if ((error = sock_create_kern(PF_INET, SOCK_DGRAM, IPPROTO_UDP, &sock)) < 0) {
|
||
+ printk(KERN_ERR "ipt_NETFLOW: sock_create_kern error %d\n", -error);
|
||
+ return NULL;
|
||
+ }
|
||
+ sock->sk->sk_allocation = GFP_ATOMIC;
|
||
+ sock->sk->sk_prot->unhash(sock->sk); /* hidden from input */
|
||
+ sock->sk->sk_error_report = &sk_error_report; /* clear ECONNREFUSED */
|
||
+ if (sndbuf)
|
||
+ sock->sk->sk_sndbuf = sndbuf;
|
||
+ else
|
||
+ sndbuf = sock->sk->sk_sndbuf;
|
||
+ memset(&sin, 0, sizeof(sin));
|
||
+ sin.sin_family = AF_INET;
|
||
+ sin.sin_addr.s_addr = htonl(ipaddr);
|
||
+ sin.sin_port = htons(port);
|
||
+ if ((error = sock->ops->connect(sock, (struct sockaddr *)&sin,
|
||
+ sizeof(sin), 0)) < 0) {
|
||
+ printk(KERN_ERR "ipt_NETFLOW: error connecting UDP socket %d,"
|
||
+ " don't worry, will try reconnect later.\n", -error);
|
||
+ /* ENETUNREACH when no interfaces */
|
||
+ sock_release(sock);
|
||
+ return NULL;
|
||
+ }
|
||
+ return sock;
|
||
+}
|
||
+
|
||
+static void usock_connect(struct ipt_netflow_sock *usock, const int sendmsg)
|
||
+{
|
||
+ usock->sock = _usock_alloc(usock->ipaddr, usock->port);
|
||
+ if (usock->sock) {
|
||
+ if (sendmsg || debug)
|
||
+ printk(KERN_INFO "ipt_NETFLOW: connected %u.%u.%u.%u:%u\n",
|
||
+ HIPQUAD(usock->ipaddr),
|
||
+ usock->port);
|
||
+ } else {
|
||
+ atomic_inc(&usock->err_connect);
|
||
+ if (debug)
|
||
+ printk(KERN_INFO "ipt_NETFLOW: connect to %u.%u.%u.%u:%u failed%s.\n",
|
||
+ HIPQUAD(usock->ipaddr),
|
||
+ usock->port,
|
||
+ (sendmsg)? " (pdu lost)" : "");
|
||
+ }
|
||
+ atomic_set(&usock->wmem_peak, 0);
|
||
+ atomic_set(&usock->err_full, 0);
|
||
+ atomic_set(&usock->err_other, 0);
|
||
+}
|
||
+
|
||
// return numbers of sends succeded, 0 if none
|
||
/* only called in scan worker path */
|
||
-static int netflow_send_pdu(void *buffer, int len)
|
||
+static void netflow_sendmsg(void *buffer, const int len)
|
||
{
|
||
struct msghdr msg = { .msg_flags = MSG_DONTWAIT|MSG_NOSIGNAL };
|
||
struct kvec iov = { buffer, len };
|
||
@@ -607,9 +870,16 @@ static int netflow_send_pdu(void *buffer, int len)
|
||
int snum = 0;
|
||
struct ipt_netflow_sock *usock;
|
||
|
||
+ mutex_lock(&sock_lock);
|
||
list_for_each_entry(usock, &usock_list, list) {
|
||
+ if (!usock->sock)
|
||
+ usock_connect(usock, 1);
|
||
+ if (!usock->sock) {
|
||
+ NETFLOW_STAT_INC_ATOMIC(send_failed);
|
||
+ continue;
|
||
+ }
|
||
if (debug)
|
||
- printk(KERN_INFO "netflow_send_pdu: sendmsg(%d, %d) [%u %u]\n",
|
||
+ printk(KERN_INFO "netflow_sendmsg: sendmsg(%d, %d) [%u %u]\n",
|
||
snum,
|
||
len,
|
||
atomic_read(&usock->sock->sk->sk_wmem_alloc),
|
||
@@ -624,7 +894,7 @@ static int netflow_send_pdu(void *buffer, int len)
|
||
suggestion = ": increase sndbuf!";
|
||
} else
|
||
atomic_inc(&usock->err_other);
|
||
- printk(KERN_ERR "netflow_send_pdu[%d]: sendmsg error %d: data loss %llu pkt, %llu bytes%s\n",
|
||
+ printk(KERN_ERR "ipt_NETFLOW: sendmsg[%d] error %d: data loss %llu pkt, %llu bytes%s\n",
|
||
snum, ret, pdu_packets, pdu_traf, suggestion);
|
||
} else {
|
||
unsigned int wmem = atomic_read(&usock->sock->sk->sk_wmem_alloc);
|
||
@@ -636,98 +906,67 @@ static int netflow_send_pdu(void *buffer, int len)
|
||
}
|
||
snum++;
|
||
}
|
||
- return retok;
|
||
+ mutex_unlock(&sock_lock);
|
||
+ if (retok == 0) {
|
||
+ /* not least one send succeded, account stat for dropped packets */
|
||
+ NETFLOW_STAT_ADD_ATOMIC(pkt_drop, pdu_packets);
|
||
+ NETFLOW_STAT_ADD_ATOMIC(traf_drop, pdu_traf);
|
||
+ }
|
||
}
|
||
|
||
-static void usock_free(struct ipt_netflow_sock *usock)
|
||
+static void usock_close_free(struct ipt_netflow_sock *usock)
|
||
{
|
||
- printk(KERN_INFO "netflow: remove destination %u.%u.%u.%u:%u (%p)\n",
|
||
+ printk(KERN_INFO "ipt_NETFLOW: removed destination %u.%u.%u.%u:%u\n",
|
||
HIPQUAD(usock->ipaddr),
|
||
- usock->port,
|
||
- usock->sock);
|
||
+ usock->port);
|
||
if (usock->sock)
|
||
sock_release(usock->sock);
|
||
usock->sock = NULL;
|
||
- vfree(usock);
|
||
+ vfree(usock);
|
||
}
|
||
|
||
static void destination_removeall(void)
|
||
{
|
||
- write_lock(&sock_lock);
|
||
+ mutex_lock(&sock_lock);
|
||
while (!list_empty(&usock_list)) {
|
||
struct ipt_netflow_sock *usock;
|
||
|
||
usock = list_entry(usock_list.next, struct ipt_netflow_sock, list);
|
||
list_del(&usock->list);
|
||
- write_unlock(&sock_lock);
|
||
- usock_free(usock);
|
||
- write_lock(&sock_lock);
|
||
+ mutex_unlock(&sock_lock);
|
||
+ usock_close_free(usock);
|
||
+ mutex_lock(&sock_lock);
|
||
}
|
||
- write_unlock(&sock_lock);
|
||
+ mutex_unlock(&sock_lock);
|
||
}
|
||
|
||
static void add_usock(struct ipt_netflow_sock *usock)
|
||
{
|
||
struct ipt_netflow_sock *sk;
|
||
|
||
- /* don't need empty sockets */
|
||
- if (!usock->sock) {
|
||
- usock_free(usock);
|
||
- return;
|
||
- }
|
||
-
|
||
- write_lock(&sock_lock);
|
||
+ mutex_lock(&sock_lock);
|
||
/* don't need duplicated sockets */
|
||
list_for_each_entry(sk, &usock_list, list) {
|
||
if (sk->ipaddr == usock->ipaddr &&
|
||
sk->port == usock->port) {
|
||
- write_unlock(&sock_lock);
|
||
- usock_free(usock);
|
||
+ mutex_unlock(&sock_lock);
|
||
+ usock_close_free(usock);
|
||
return;
|
||
}
|
||
}
|
||
list_add_tail(&usock->list, &usock_list);
|
||
- printk(KERN_INFO "netflow: added destination %u.%u.%u.%u:%u\n",
|
||
+ printk(KERN_INFO "ipt_NETFLOW: added destination %u.%u.%u.%u:%u%s\n",
|
||
HIPQUAD(usock->ipaddr),
|
||
- usock->port);
|
||
- write_unlock(&sock_lock);
|
||
-}
|
||
-
|
||
-static struct socket *usock_alloc(__be32 ipaddr, unsigned short port)
|
||
-{
|
||
- struct sockaddr_in sin;
|
||
- struct socket *sock;
|
||
- int error;
|
||
-
|
||
- if ((error = sock_create_kern(PF_INET, SOCK_DGRAM, IPPROTO_UDP, &sock)) < 0) {
|
||
- printk(KERN_ERR "netflow: sock_create_kern error %d\n", error);
|
||
- return NULL;
|
||
- }
|
||
- sock->sk->sk_allocation = GFP_ATOMIC;
|
||
- sock->sk->sk_prot->unhash(sock->sk); /* hidden from input */
|
||
- sock->sk->sk_error_report = &sk_error_report; /* clear ECONNREFUSED */
|
||
- if (sndbuf)
|
||
- sock->sk->sk_sndbuf = sndbuf;
|
||
- else
|
||
- sndbuf = sock->sk->sk_sndbuf;
|
||
- memset(&sin, 0, sizeof(sin));
|
||
- sin.sin_family = AF_INET;
|
||
- sin.sin_addr.s_addr = htonl(ipaddr);
|
||
- sin.sin_port = htons(port);
|
||
- if ((error = sock->ops->connect(sock, (struct sockaddr *)&sin,
|
||
- sizeof(sin), 0)) < 0) {
|
||
- printk(KERN_ERR "netflow: error connecting UDP socket %d\n", error);
|
||
- sock_release(sock);
|
||
- return NULL;
|
||
- }
|
||
- return sock;
|
||
+ usock->port,
|
||
+ (!usock->sock)? " (unconnected)" : "");
|
||
+ mutex_unlock(&sock_lock);
|
||
}
|
||
|
||
#define SEPARATORS " ,;\t\n"
|
||
static int add_destinations(char *ptr)
|
||
{
|
||
while (ptr) {
|
||
- unsigned char ip[4];
|
||
+ unsigned char ip[4];
|
||
unsigned short port;
|
||
|
||
ptr += strspn(ptr, SEPARATORS);
|
||
@@ -737,17 +976,15 @@ static int add_destinations(char *ptr)
|
||
struct ipt_netflow_sock *usock;
|
||
|
||
if (!(usock = vmalloc(sizeof(*usock)))) {
|
||
- printk(KERN_ERR "netflow: can't vmalloc socket\n");
|
||
+ printk(KERN_ERR "ipt_NETFLOW: can't vmalloc socket\n");
|
||
return -ENOMEM;
|
||
}
|
||
|
||
memset(usock, 0, sizeof(*usock));
|
||
+ atomic_set(&usock->err_connect, 0);
|
||
usock->ipaddr = ntohl(*(__be32 *)ip);
|
||
usock->port = port;
|
||
- usock->sock = usock_alloc(usock->ipaddr, port);
|
||
- atomic_set(&usock->wmem_peak, 0);
|
||
- atomic_set(&usock->err_full, 0);
|
||
- atomic_set(&usock->err_other, 0);
|
||
+ usock_connect(usock, 0);
|
||
add_usock(usock);
|
||
} else
|
||
break;
|
||
@@ -781,7 +1018,7 @@ static int add_aggregation(char *ptr)
|
||
LIST_HEAD(old_aggr_list);
|
||
|
||
while (ptr && *ptr) {
|
||
- unsigned char ip[4];
|
||
+ unsigned char ip[4];
|
||
unsigned int mask;
|
||
unsigned int port1, port2;
|
||
unsigned int aggr_to;
|
||
@@ -792,16 +1029,16 @@ static int add_aggregation(char *ptr)
|
||
ip, ip + 1, ip + 2, ip + 3, &mask, &aggr_to) == 6) {
|
||
|
||
if (!(aggr_n = vmalloc(sizeof(*aggr_n)))) {
|
||
- printk(KERN_ERR "netflow: can't vmalloc aggr\n");
|
||
+ printk(KERN_ERR "ipt_NETFLOW: can't vmalloc aggr\n");
|
||
return -ENOMEM;
|
||
}
|
||
memset(aggr_n, 0, sizeof(*aggr_n));
|
||
|
||
- aggr_n->addr = ntohl(*(__be32 *)ip);
|
||
aggr_n->mask = bits2mask(mask);
|
||
+ aggr_n->addr = ntohl(*(__be32 *)ip) & aggr_n->mask;
|
||
aggr_n->aggr_mask = bits2mask(aggr_to);
|
||
aggr_n->prefix = mask;
|
||
- printk(KERN_INFO "netflow: add aggregation [%u.%u.%u.%u/%u=%u]\n",
|
||
+ printk(KERN_INFO "ipt_NETFLOW: add aggregation [%u.%u.%u.%u/%u=%u]\n",
|
||
HIPQUAD(aggr_n->addr), mask, aggr_to);
|
||
list_add_tail(&aggr_n->list, &new_aggr_n_list);
|
||
|
||
@@ -809,7 +1046,7 @@ static int add_aggregation(char *ptr)
|
||
sscanf(ptr, "%u=%u", &port2, &aggr_to) == 2) {
|
||
|
||
if (!(aggr_p = vmalloc(sizeof(*aggr_p)))) {
|
||
- printk(KERN_ERR "netflow: can't vmalloc aggr\n");
|
||
+ printk(KERN_ERR "ipt_NETFLOW: can't vmalloc aggr\n");
|
||
return -ENOMEM;
|
||
}
|
||
memset(aggr_p, 0, sizeof(*aggr_p));
|
||
@@ -817,11 +1054,11 @@ static int add_aggregation(char *ptr)
|
||
aggr_p->port1 = port1;
|
||
aggr_p->port2 = port2;
|
||
aggr_p->aggr_port = aggr_to;
|
||
- printk(KERN_INFO "netflow: add aggregation [%u-%u=%u]\n",
|
||
+ printk(KERN_INFO "ipt_NETFLOW: add aggregation [%u-%u=%u]\n",
|
||
port1, port2, aggr_to);
|
||
list_add_tail(&aggr_p->list, &new_aggr_p_list);
|
||
} else {
|
||
- printk(KERN_ERR "netflow: bad aggregation rule: %s (ignoring)\n", ptr);
|
||
+ printk(KERN_ERR "ipt_NETFLOW: bad aggregation rule: %s (ignoring)\n", ptr);
|
||
break;
|
||
}
|
||
|
||
@@ -846,17 +1083,23 @@ static int add_aggregation(char *ptr)
|
||
|
||
static inline u_int32_t hash_netflow(const struct ipt_netflow_tuple *tuple)
|
||
{
|
||
- /* tuple is rounded to u32s */
|
||
- return jhash2((u32 *)tuple, NETFLOW_TUPLE_SIZE, ipt_netflow_hash_rnd) % ipt_netflow_hash_size;
|
||
+ return murmur3(tuple, sizeof(struct ipt_netflow_tuple), ipt_netflow_hash_rnd) % ipt_netflow_hash_size;
|
||
}
|
||
|
||
static struct ipt_netflow *
|
||
-ipt_netflow_find(const struct ipt_netflow_tuple *tuple, unsigned int hash)
|
||
+ipt_netflow_find(const struct ipt_netflow_tuple *tuple, const unsigned int hash)
|
||
{
|
||
struct ipt_netflow *nf;
|
||
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3,9,0)
|
||
+#define compat_hlist_for_each_entry hlist_for_each_entry
|
||
+#define compat_hlist_for_each_entry_safe hlist_for_each_entry_safe
|
||
struct hlist_node *pos;
|
||
+#else /* since 3.9.0 */
|
||
+#define compat_hlist_for_each_entry(a,pos,c,d) hlist_for_each_entry(a,c,d)
|
||
+#define compat_hlist_for_each_entry_safe(a,pos,c,d,e) hlist_for_each_entry_safe(a,c,d,e)
|
||
+#endif
|
||
|
||
- hlist_for_each_entry(nf, pos, &ipt_netflow_hash[hash], hlist) {
|
||
+ compat_hlist_for_each_entry(nf, pos, &ipt_netflow_hash[hash], hlist) {
|
||
if (ipt_netflow_tuple_equal(tuple, &nf->tuple) &&
|
||
nf->nr_bytes < FLOW_FULL_WATERMARK) {
|
||
NETFLOW_STAT_INC(found);
|
||
@@ -868,7 +1111,7 @@ ipt_netflow_find(const struct ipt_netflow_tuple *tuple, unsigned int hash)
|
||
return NULL;
|
||
}
|
||
|
||
-static struct hlist_head *alloc_hashtable(int size)
|
||
+static struct hlist_head *alloc_hashtable(const int size)
|
||
{
|
||
struct hlist_head *hash;
|
||
|
||
@@ -879,19 +1122,18 @@ static struct hlist_head *alloc_hashtable(int size)
|
||
for (i = 0; i < size; i++)
|
||
INIT_HLIST_HEAD(&hash[i]);
|
||
} else
|
||
- printk(KERN_ERR "netflow: unable to vmalloc hash table.\n");
|
||
+ printk(KERN_ERR "ipt_NETFLOW: unable to vmalloc hash table.\n");
|
||
|
||
return hash;
|
||
}
|
||
|
||
-static int set_hashsize(int new_size)
|
||
+static int set_hashsize(const int new_size)
|
||
{
|
||
struct hlist_head *new_hash, *old_hash;
|
||
- unsigned int hash;
|
||
struct ipt_netflow *nf;
|
||
int rnd;
|
||
|
||
- printk(KERN_INFO "netflow: allocating new hash table %u -> %u buckets\n",
|
||
+ printk(KERN_INFO "ipt_NETFLOW: allocating new hash table %u -> %u buckets\n",
|
||
ipt_netflow_hash_size, new_size);
|
||
new_hash = alloc_hashtable(new_size);
|
||
if (!new_hash)
|
||
@@ -900,19 +1142,24 @@ static int set_hashsize(int new_size)
|
||
get_random_bytes(&rnd, 4);
|
||
|
||
/* rehash */
|
||
- spin_lock_bh(&ipt_netflow_lock);
|
||
+ write_lock_bh(&htable_rwlock);
|
||
old_hash = ipt_netflow_hash;
|
||
ipt_netflow_hash = new_hash;
|
||
ipt_netflow_hash_size = new_size;
|
||
ipt_netflow_hash_rnd = rnd;
|
||
/* hash_netflow() is dependent on ipt_netflow_hash_* values */
|
||
+ spin_lock(&hlist_lock);
|
||
list_for_each_entry(nf, &ipt_netflow_list, list) {
|
||
+ unsigned int hash;
|
||
+
|
||
hash = hash_netflow(&nf->tuple);
|
||
/* hlist_add_head overwrites hlist pointers for this node
|
||
* so it's good */
|
||
hlist_add_head(&nf->hlist, &new_hash[hash]);
|
||
+ nf->lock = &htable_locks[hash & LOCK_COUNT_MASK];
|
||
}
|
||
- spin_unlock_bh(&ipt_netflow_lock);
|
||
+ spin_unlock(&hlist_lock);
|
||
+ write_unlock_bh(&htable_rwlock);
|
||
|
||
vfree(old_hash);
|
||
|
||
@@ -920,14 +1167,14 @@ static int set_hashsize(int new_size)
|
||
}
|
||
|
||
static struct ipt_netflow *
|
||
-ipt_netflow_alloc(struct ipt_netflow_tuple *tuple)
|
||
+ipt_netflow_alloc(const struct ipt_netflow_tuple *tuple)
|
||
{
|
||
struct ipt_netflow *nf;
|
||
long count;
|
||
|
||
nf = kmem_cache_alloc(ipt_netflow_cachep, GFP_ATOMIC);
|
||
if (!nf) {
|
||
- printk(KERN_ERR "Can't allocate netflow.\n");
|
||
+ printk(KERN_ERR "ipt_NETFLOW: Can't allocate flow.\n");
|
||
return NULL;
|
||
}
|
||
|
||
@@ -945,13 +1192,15 @@ ipt_netflow_alloc(struct ipt_netflow_tuple *tuple)
|
||
|
||
static void ipt_netflow_free(struct ipt_netflow *nf)
|
||
{
|
||
+ if (IS_DUMMY_FLOW(nf))
|
||
+ return;
|
||
atomic_dec(&ipt_netflow_count);
|
||
kmem_cache_free(ipt_netflow_cachep, nf);
|
||
}
|
||
|
||
static struct ipt_netflow *
|
||
-init_netflow(struct ipt_netflow_tuple *tuple,
|
||
- struct sk_buff *skb, unsigned int hash)
|
||
+init_netflow(const struct ipt_netflow_tuple *tuple,
|
||
+ const struct sk_buff *skb, const unsigned int hash)
|
||
{
|
||
struct ipt_netflow *nf;
|
||
|
||
@@ -959,93 +1208,774 @@ init_netflow(struct ipt_netflow_tuple *tuple,
|
||
if (!nf)
|
||
return NULL;
|
||
|
||
+ nf->lock = &htable_locks[hash & LOCK_COUNT_MASK];
|
||
hlist_add_head(&nf->hlist, &ipt_netflow_hash[hash]);
|
||
+ spin_lock(&hlist_lock);
|
||
list_add(&nf->list, &ipt_netflow_list);
|
||
+ spin_unlock(&hlist_lock);
|
||
|
||
return nf;
|
||
}
|
||
|
||
/* cook pdu, send, and clean */
|
||
/* only called in scan worker path */
|
||
-static void netflow_export_pdu(void)
|
||
+static void netflow_export_pdu_v5(void)
|
||
{
|
||
struct timeval tv;
|
||
int pdusize;
|
||
|
||
- if (!pdu.nr_records)
|
||
+ if (!pdu_data_records)
|
||
return;
|
||
|
||
if (debug > 1)
|
||
- printk(KERN_INFO "netflow_export_pdu with %d records\n", pdu.nr_records);
|
||
- do_gettimeofday(&tv);
|
||
-
|
||
- pdu.version = htons(5);
|
||
- pdu.ts_uptime = htonl(jiffies_to_msecs(jiffies));
|
||
- pdu.ts_usecs = htonl(tv.tv_sec);
|
||
- pdu.ts_unsecs = htonl(tv.tv_usec);
|
||
- //pdu.eng_type = 0;
|
||
- //pdu.eng_id = 0;
|
||
- //pdu.padding = 0;
|
||
+ printk(KERN_INFO "netflow_export_pdu_v5 with %d records\n", pdu_data_records);
|
||
|
||
- pdusize = NETFLOW5_HEADER_SIZE + sizeof(struct netflow5_record) * pdu.nr_records;
|
||
-
|
||
- /* especially fix nr_records before export */
|
||
- pdu.nr_records = htons(pdu.nr_records);
|
||
+ pdu.v5.version = htons(5);
|
||
+ pdu.v5.nr_records = htons(pdu_data_records);
|
||
+ pdu.v5.ts_uptime = htonl(jiffies_to_msecs(jiffies));
|
||
+ do_gettimeofday(&tv);
|
||
+ pdu.v5.ts_usecs = htonl(tv.tv_sec);
|
||
+ pdu.v5.ts_unsecs = htonl(tv.tv_usec);
|
||
+ pdu.v5.seq = htonl(pdu_seq);
|
||
+ //pdu.v5.eng_type = 0;
|
||
+ pdu.v5.eng_id = engine_id;
|
||
+ //pdu.v5.padding = 0;
|
||
|
||
- if (netflow_send_pdu(&pdu, pdusize) == 0) {
|
||
- /* not least one send succeded, account stat for dropped packets */
|
||
- NETFLOW_STAT_ADD_ATOMIC(pkt_drop, pdu_packets);
|
||
- NETFLOW_STAT_ADD_ATOMIC(traf_drop, pdu_traf);
|
||
- }
|
||
+ pdusize = NETFLOW5_HEADER_SIZE + sizeof(struct netflow5_record) * pdu_data_records;
|
||
|
||
- pdu.seq = htonl(ntohl(pdu.seq) + ntohs(pdu.nr_records));
|
||
+ netflow_sendmsg(&pdu.v5, pdusize);
|
||
|
||
- pdu.nr_records = 0;
|
||
pdu_packets = 0;
|
||
- pdu_traf = 0;
|
||
+ pdu_traf = 0;
|
||
+
|
||
+ pdu_seq += pdu_data_records;
|
||
+ pdu_count++;
|
||
+ pdu_data_records = 0;
|
||
}
|
||
|
||
/* only called in scan worker path */
|
||
-static void netflow_export_flow(struct ipt_netflow *nf)
|
||
+static void netflow_export_flow_v5(struct ipt_netflow *nf)
|
||
{
|
||
struct netflow5_record *rec;
|
||
|
||
- if (debug > 2)
|
||
- printk(KERN_INFO "adding flow to export (%d)\n", pdu.nr_records);
|
||
+ if (unlikely(debug > 2))
|
||
+ printk(KERN_INFO "adding flow to export (%d)\n", pdu_data_records);
|
||
|
||
pdu_packets += nf->nr_packets;
|
||
pdu_traf += nf->nr_bytes;
|
||
pdu_ts_mod = jiffies;
|
||
- rec = &pdu.flow[pdu.nr_records++];
|
||
+ rec = &pdu.v5.flow[pdu_data_records++];
|
||
|
||
/* make V5 flow record */
|
||
- rec->s_addr = nf->tuple.s_addr;
|
||
- rec->d_addr = nf->tuple.d_addr;
|
||
- //rec->nexthop = 0;
|
||
+ rec->s_addr = nf->tuple.src.ip;
|
||
+ rec->d_addr = nf->tuple.dst.ip;
|
||
+ rec->nexthop = nf->nh.ip;
|
||
rec->i_ifc = htons(nf->tuple.i_ifc);
|
||
rec->o_ifc = htons(nf->o_ifc);
|
||
rec->nr_packets = htonl(nf->nr_packets);
|
||
rec->nr_octets = htonl(nf->nr_bytes);
|
||
- rec->ts_first = htonl(jiffies_to_msecs(nf->ts_first));
|
||
- rec->ts_last = htonl(jiffies_to_msecs(nf->ts_last));
|
||
+ rec->first_ms = htonl(jiffies_to_msecs(nf->ts_first));
|
||
+ rec->last_ms = htonl(jiffies_to_msecs(nf->ts_last));
|
||
rec->s_port = nf->tuple.s_port;
|
||
rec->d_port = nf->tuple.d_port;
|
||
- //rec->reserved = 0;
|
||
+ //rec->reserved = 0; /* pdu is always zeroized for v5 in netflow_switch_version */
|
||
rec->tcp_flags = nf->tcp_flags;
|
||
rec->protocol = nf->tuple.protocol;
|
||
rec->tos = nf->tuple.tos;
|
||
- //rec->s_as = 0;
|
||
- //rec->d_as = 0;
|
||
+#ifdef CONFIG_NF_NAT_NEEDED
|
||
+ rec->s_as = nf->s_as;
|
||
+ rec->d_as = nf->d_as;
|
||
+#endif
|
||
rec->s_mask = nf->s_mask;
|
||
rec->d_mask = nf->d_mask;
|
||
//rec->padding = 0;
|
||
ipt_netflow_free(nf);
|
||
|
||
- if (pdu.nr_records == NETFLOW5_RECORDS_MAX)
|
||
+ if (pdu_data_records == NETFLOW5_RECORDS_MAX)
|
||
+ netflow_export_pdu_v5();
|
||
+}
|
||
+
|
||
+/* pdu is initially blank, export current pdu, and prepare next for filling. */
|
||
+static void netflow_export_pdu_v9(void)
|
||
+{
|
||
+ struct timeval tv;
|
||
+ int pdusize;
|
||
+
|
||
+ if (pdu_data_used <= pdu.v9.data)
|
||
+ return;
|
||
+
|
||
+ if (debug > 1)
|
||
+ printk(KERN_INFO "netflow_export_pdu_v9 with %d records\n",
|
||
+ pdu_data_records + pdu_tpl_records);
|
||
+
|
||
+ pdu.v9.version = htons(9);
|
||
+ pdu.v9.nr_records = htons(pdu_data_records + pdu_tpl_records);
|
||
+ pdu.v9.sys_uptime_ms = htonl(jiffies_to_msecs(jiffies));
|
||
+ do_gettimeofday(&tv);
|
||
+ pdu.v9.export_time_s = htonl(tv.tv_sec);
|
||
+ pdu.v9.seq = htonl(pdu_seq);
|
||
+ pdu.v9.source_id = engine_id;
|
||
+
|
||
+ pdusize = pdu_data_used - (unsigned char *)&pdu.v9;
|
||
+
|
||
+ netflow_sendmsg(&pdu.v9, pdusize);
|
||
+
|
||
+ pdu_packets = 0;
|
||
+ pdu_traf = 0;
|
||
+
|
||
+ pdu_seq++;
|
||
+ pdu_count++;
|
||
+ pdu_data_records = pdu_tpl_records = 0;
|
||
+ pdu_data_used = pdu.v9.data;
|
||
+ pdu_flowset = NULL;
|
||
+}
|
||
+
|
||
+static void netflow_export_pdu_ipfix(void)
|
||
+{
|
||
+ struct timeval tv;
|
||
+ int pdusize;
|
||
+
|
||
+ if (pdu_data_used <= pdu.ipfix.data)
|
||
+ return;
|
||
+
|
||
+ if (debug > 1)
|
||
+ printk(KERN_INFO "netflow_export_pduX with %d records\n",
|
||
+ pdu_data_records);
|
||
+
|
||
+ pdu.ipfix.version = htons(10);
|
||
+ do_gettimeofday(&tv);
|
||
+ pdu.ipfix.export_time_s = htonl(tv.tv_sec);
|
||
+ pdu.ipfix.seq = htonl(pdu_seq);
|
||
+ pdu.ipfix.odomain_id = engine_id;
|
||
+ pdusize = pdu_data_used - (unsigned char *)&pdu;
|
||
+ pdu.ipfix.length = htons(pdusize);
|
||
+
|
||
+ netflow_sendmsg(&pdu.ipfix, pdusize);
|
||
+
|
||
+ pdu_packets = 0;
|
||
+ pdu_traf = 0;
|
||
+
|
||
+ pdu_seq += pdu_data_records;
|
||
+ pdu_count++;
|
||
+ pdu_data_records = pdu_tpl_records = 0;
|
||
+ pdu_data_used = pdu.ipfix.data;
|
||
+ pdu_flowset = NULL;
|
||
+}
|
||
+
|
||
+static inline int pdu_have_space(const size_t size)
|
||
+{
|
||
+ return ((pdu_data_used + size) <= pdu_high_wm);
|
||
+}
|
||
+
|
||
+static inline unsigned char *pdu_grab_space(const size_t size)
|
||
+{
|
||
+ unsigned char *ptr = pdu_data_used;
|
||
+ pdu_data_used += size;
|
||
+ return ptr;
|
||
+}
|
||
+
|
||
+// allocate data space in pdu, or fail if pdu is reallocated.
|
||
+static inline unsigned char *pdu_alloc_fail(const size_t size)
|
||
+{
|
||
+ if (!pdu_have_space(size)) {
|
||
netflow_export_pdu();
|
||
+ return NULL;
|
||
+ }
|
||
+ return pdu_grab_space(size);
|
||
+}
|
||
+
|
||
+/* doesn't fail, but can provide empty pdu. */
|
||
+static unsigned char *pdu_alloc(const size_t size)
|
||
+{
|
||
+ return pdu_alloc_fail(size) ?: pdu_grab_space(size);
|
||
+}
|
||
+
|
||
+/* global table of sizes of template field types */
|
||
+static u_int8_t tpl_element_sizes[] = {
|
||
+ [IN_BYTES] = 4,
|
||
+ [IN_PKTS] = 4,
|
||
+ [PROTOCOL] = 1,
|
||
+ [TOS] = 1,
|
||
+ [TCP_FLAGS] = 1,
|
||
+ [L4_SRC_PORT] = 2,
|
||
+ [IPV4_SRC_ADDR] = 4,
|
||
+ [SRC_MASK] = 1,
|
||
+ [INPUT_SNMP] = 2,
|
||
+ [L4_DST_PORT] = 2,
|
||
+ [IPV4_DST_ADDR] = 4,
|
||
+ [DST_MASK] = 1,
|
||
+ [OUTPUT_SNMP] = 2,
|
||
+ [IPV4_NEXT_HOP] = 4,
|
||
+ //[SRC_AS] = 2,
|
||
+ //[DST_AS] = 2,
|
||
+ //[BGP_IPV4_NEXT_HOP] = 4,
|
||
+ //[MUL_DST_PKTS] = 4,
|
||
+ //[MUL_DST_BYTES] = 4,
|
||
+ [LAST_SWITCHED] = 4,
|
||
+ [FIRST_SWITCHED]= 4,
|
||
+ [IPV6_SRC_ADDR] = 16,
|
||
+ [IPV6_DST_ADDR] = 16,
|
||
+ [IPV6_FLOW_LABEL] = 3,
|
||
+ [ICMP_TYPE] = 2,
|
||
+ [MUL_IGMP_TYPE] = 1,
|
||
+ //[TOTAL_BYTES_EXP] = 4,
|
||
+ //[TOTAL_PKTS_EXP] = 4,
|
||
+ //[TOTAL_FLOWS_EXP] = 4,
|
||
+ [IPV6_NEXT_HOP] = 16,
|
||
+ [IPV6_OPTION_HEADERS] = 2,
|
||
+ [commonPropertiesId] = 4,
|
||
+ [ipv4Options] = 4,
|
||
+ [tcpOptions] = 4,
|
||
+ [postNATSourceIPv4Address] = 4,
|
||
+ [postNATDestinationIPv4Address] = 4,
|
||
+ [postNAPTSourceTransportPort] = 2,
|
||
+ [postNAPTDestinationTransportPort] = 2,
|
||
+ [natEvent] = 1,
|
||
+ [postNATSourceIPv6Address] = 16,
|
||
+ [postNATDestinationIPv6Address] = 16,
|
||
+ [IPSecSPI] = 4,
|
||
+ [observationTimeMilliseconds] = 8,
|
||
+ [observationTimeMicroseconds] = 8,
|
||
+ [observationTimeNanoseconds] = 8,
|
||
+};
|
||
+
|
||
+#define TEMPLATES_HASH_BSIZE 8
|
||
+#define TEMPLATES_HASH_SIZE (1<<TEMPLATES_HASH_BSIZE)
|
||
+static struct hlist_head templates_hash[TEMPLATES_HASH_SIZE];
|
||
+
|
||
+struct base_template {
|
||
+ int length; /* number of elements in template */
|
||
+ u_int16_t types[]; /* {type, size} pairs */
|
||
+};
|
||
+
|
||
+/* base templates */
|
||
+#define BTPL_BASE 0x00000001 /* base stat */
|
||
+#define BTPL_IP4 0x00000002 /* IPv4 */
|
||
+#define BTPL_MASK4 0x00000004 /* Aggregated */
|
||
+#define BTPL_PORTS 0x00000008 /* UDP&TCP */
|
||
+#define BTPL_IP6 0x00000010 /* IPv6 */
|
||
+#define BTPL_ICMP 0x00000020 /* ICMP */
|
||
+#define BTPL_IGMP 0x00000040 /* IGMP */
|
||
+#define BTPL_IPSEC 0x00000080 /* AH&ESP */
|
||
+#define BTPL_NAT4 0x00000100 /* NAT IPv4 */
|
||
+#define BTPL_MARK 0x00000400 /* connmark */
|
||
+#define BTPL_LABEL6 0x00000800 /* IPv6 flow label */
|
||
+#define BTPL_OPTIONS4 0x00001000 /* IPv4 Options */
|
||
+#define BTPL_OPTIONS6 0x00002000 /* IPv6 Options */
|
||
+#define BTPL_TCPOPTIONS 0x00004000 /* TCP Options */
|
||
+#define BTPL_MAX 32
|
||
+
|
||
+static struct base_template template_base = {
|
||
+ .types = {
|
||
+ INPUT_SNMP,
|
||
+ OUTPUT_SNMP,
|
||
+ IN_PKTS,
|
||
+ IN_BYTES,
|
||
+ FIRST_SWITCHED,
|
||
+ LAST_SWITCHED,
|
||
+ PROTOCOL,
|
||
+ TOS,
|
||
+ 0
|
||
+ }
|
||
+};
|
||
+static struct base_template template_ipv4 = {
|
||
+ .types = {
|
||
+ IPV4_SRC_ADDR,
|
||
+ IPV4_DST_ADDR,
|
||
+ IPV4_NEXT_HOP,
|
||
+ 0
|
||
+ }
|
||
+};
|
||
+static struct base_template template_options4 = {
|
||
+ .types = { ipv4Options, 0 }
|
||
+};
|
||
+static struct base_template template_tcpoptions = {
|
||
+ .types = { tcpOptions, 0 }
|
||
+};
|
||
+static struct base_template template_ipv6 = {
|
||
+ .types = {
|
||
+ IPV6_SRC_ADDR,
|
||
+ IPV6_DST_ADDR,
|
||
+ IPV6_NEXT_HOP,
|
||
+ 0
|
||
+ }
|
||
+};
|
||
+static struct base_template template_options6 = {
|
||
+ .types = { IPV6_OPTION_HEADERS, 0 }
|
||
+};
|
||
+static struct base_template template_label6 = {
|
||
+ .types = { IPV6_FLOW_LABEL, 0 }
|
||
+};
|
||
+static struct base_template template_ipv4_mask = {
|
||
+ .types = {
|
||
+ SRC_MASK,
|
||
+ DST_MASK,
|
||
+ 0
|
||
+ }
|
||
+};
|
||
+static struct base_template template_ports = {
|
||
+ .types = {
|
||
+ L4_SRC_PORT,
|
||
+ L4_DST_PORT,
|
||
+ TCP_FLAGS,
|
||
+ 0
|
||
+ }
|
||
+};
|
||
+static struct base_template template_icmp = {
|
||
+ .types = { ICMP_TYPE, 0 }
|
||
+};
|
||
+static struct base_template template_igmp = {
|
||
+ .types = { MUL_IGMP_TYPE, 0 }
|
||
+};
|
||
+static struct base_template template_ipsec = {
|
||
+ .types = { IPSecSPI, 0 }
|
||
+};
|
||
+static struct base_template template_nat4 = {
|
||
+ .types = {
|
||
+ observationTimeMilliseconds,
|
||
+ IPV4_SRC_ADDR,
|
||
+ IPV4_DST_ADDR,
|
||
+ postNATSourceIPv4Address,
|
||
+ postNATDestinationIPv4Address,
|
||
+ L4_SRC_PORT,
|
||
+ L4_DST_PORT,
|
||
+ postNAPTSourceTransportPort,
|
||
+ postNAPTDestinationTransportPort,
|
||
+ PROTOCOL,
|
||
+ natEvent,
|
||
+ 0
|
||
+ }
|
||
+};
|
||
+static struct base_template template_mark = {
|
||
+ .types = { commonPropertiesId, 0 }
|
||
+};
|
||
+
|
||
+struct data_template {
|
||
+ struct hlist_node hlist;
|
||
+ int tpl_mask;
|
||
+
|
||
+ int length; /* number of elements in template */
|
||
+ int tpl_size; /* summary size of template with flowset header */
|
||
+ int rec_size; /* summary size of all recods of template (w/o flowset header) */
|
||
+ int template_id_n; /* assigned from template_ids, network order. */
|
||
+ int exported_cnt;
|
||
+ unsigned long exported_ts; /* jiffies */
|
||
+ u_int16_t fields[]; /* {type, size} pairs */
|
||
+} __attribute__ ((packed));
|
||
+
|
||
+#define TPL_FIELD_NSIZE 4 /* one complete template field's network size */
|
||
+
|
||
+static void free_templates(void)
|
||
+{
|
||
+ int i;
|
||
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3,9,0)
|
||
+ struct hlist_node *pos;
|
||
+#endif
|
||
+ struct hlist_node *tmp;
|
||
+
|
||
+ for (i = 0; i < TEMPLATES_HASH_SIZE; i++) {
|
||
+ struct hlist_head *thead = &templates_hash[i];
|
||
+ struct data_template *tpl;
|
||
+
|
||
+ compat_hlist_for_each_entry_safe(tpl, pos, tmp, thead, hlist)
|
||
+ kfree(tpl);
|
||
+ INIT_HLIST_HEAD(thead);
|
||
+ }
|
||
+ tpl_count = 0;
|
||
+}
|
||
+
|
||
+/* create combined template from mask */
|
||
+static struct data_template *get_template(const int tmask)
|
||
+{
|
||
+ struct base_template *tlist[BTPL_MAX];
|
||
+ struct data_template *tpl;
|
||
+ int tnum;
|
||
+ int length;
|
||
+ int i, j, k;
|
||
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3,9,0)
|
||
+ struct hlist_node *pos;
|
||
+#endif
|
||
+ int hash = hash_long(tmask, TEMPLATES_HASH_BSIZE);
|
||
+
|
||
+ compat_hlist_for_each_entry(tpl, pos, &templates_hash[hash], hlist)
|
||
+ if (tpl->tpl_mask == tmask)
|
||
+ return tpl;
|
||
+
|
||
+ tnum = 0;
|
||
+ if (tmask & BTPL_IP4) {
|
||
+ tlist[tnum++] = &template_ipv4;
|
||
+ if (tmask & BTPL_OPTIONS4)
|
||
+ tlist[tnum++] = &template_options4;
|
||
+ if (tmask & BTPL_MASK4)
|
||
+ tlist[tnum++] = &template_ipv4_mask;
|
||
+ } else if (tmask & BTPL_IP6) {
|
||
+ tlist[tnum++] = &template_ipv6;
|
||
+ if (tmask & BTPL_LABEL6)
|
||
+ tlist[tnum++] = &template_label6;
|
||
+ if (tmask & BTPL_OPTIONS6)
|
||
+ tlist[tnum++] = &template_options6;
|
||
+ } else if (tmask & BTPL_NAT4)
|
||
+ tlist[tnum++] = &template_nat4;
|
||
+ if (tmask & BTPL_PORTS)
|
||
+ tlist[tnum++] = &template_ports;
|
||
+ if (tmask & BTPL_BASE)
|
||
+ tlist[tnum++] = &template_base;
|
||
+ if (tmask & BTPL_TCPOPTIONS)
|
||
+ tlist[tnum++] = &template_tcpoptions;
|
||
+ if (tmask & BTPL_ICMP)
|
||
+ tlist[tnum++] = &template_icmp;
|
||
+ if (tmask & BTPL_IGMP)
|
||
+ tlist[tnum++] = &template_igmp;
|
||
+ if (tmask & BTPL_IPSEC)
|
||
+ tlist[tnum++] = &template_ipsec;
|
||
+ if (tmask & BTPL_MARK)
|
||
+ tlist[tnum++] = &template_mark;
|
||
+
|
||
+ /* calc memory size */
|
||
+ length = 0;
|
||
+ for (i = 0; i < tnum; i++) {
|
||
+ if (!tlist[i]->length) {
|
||
+ for (k = 0; tlist[i]->types[k]; k++);
|
||
+ tlist[i]->length = k;
|
||
+ }
|
||
+ length += tlist[i]->length;
|
||
+ }
|
||
+ /* elements are pairs + one termiantor */
|
||
+ tpl = kmalloc(sizeof(struct data_template) + (length * 2 + 1) * sizeof(u_int16_t), GFP_KERNEL);
|
||
+ if (!tpl) {
|
||
+ printk(KERN_ERR "ipt_NETFLOW: unable to kmalloc template.\n");
|
||
+ return NULL;
|
||
+ }
|
||
+ tpl->tpl_mask = tmask;
|
||
+ tpl->length = length;
|
||
+ tpl->tpl_size = sizeof(struct flowset_template);
|
||
+ tpl->rec_size = 0;
|
||
+ tpl->template_id_n = htons(template_ids++);
|
||
+ tpl->exported_cnt = 0;
|
||
+ tpl->exported_ts = 0;
|
||
+
|
||
+ j = 0;
|
||
+ for (i = 0; i < tnum; i++) {
|
||
+ struct base_template *btpl = tlist[i];
|
||
+
|
||
+ for (k = 0; k < btpl->length; k++) {
|
||
+ int size;
|
||
+ int type = btpl->types[k];
|
||
+
|
||
+ tpl->fields[j++] = type;
|
||
+ size = tpl_element_sizes[type];
|
||
+ tpl->fields[j++] = size;
|
||
+ tpl->rec_size += size;
|
||
+ }
|
||
+ tpl->tpl_size += btpl->length * TPL_FIELD_NSIZE;
|
||
+ }
|
||
+ tpl->fields[j++] = 0;
|
||
+
|
||
+ hlist_add_head(&tpl->hlist, &templates_hash[hash]);
|
||
+ tpl_count++;
|
||
+
|
||
+ return tpl;
|
||
+}
|
||
+
|
||
+static void pdu_add_template(struct data_template *tpl)
|
||
+{
|
||
+ int i;
|
||
+ unsigned char *ptr;
|
||
+ struct flowset_template *ntpl;
|
||
+ __be16 *sptr;
|
||
+
|
||
+ ptr = pdu_alloc(tpl->tpl_size);
|
||
+ ntpl = (struct flowset_template *)ptr;
|
||
+ ntpl->flowset_id = protocol == 9? htons(FLOWSET_TEMPLATE) : htons(IPFIX_TEMPLATE);
|
||
+ ntpl->length = htons(tpl->tpl_size);
|
||
+ ntpl->template_id = tpl->template_id_n;
|
||
+ ntpl->field_count = htons(tpl->length);
|
||
+ ptr += sizeof(struct flowset_template);
|
||
+ sptr = (__be16 *)ptr;
|
||
+ for (i = 0; ; ) {
|
||
+ int type = tpl->fields[i++];
|
||
+ if (!type)
|
||
+ break;
|
||
+ *sptr++ = htons(type);
|
||
+ *sptr++ = htons(tpl->fields[i++]);
|
||
+ }
|
||
+
|
||
+ tpl->exported_cnt = pdu_count;
|
||
+ tpl->exported_ts = jiffies;
|
||
+
|
||
+ pdu_flowset = NULL;
|
||
+ pdu_tpl_records++;
|
||
+}
|
||
+
|
||
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
|
||
+static inline s64 portable_ktime_to_ms(const ktime_t kt)
|
||
+{
|
||
+ struct timeval tv = ktime_to_timeval(kt);
|
||
+ return (s64) tv.tv_sec * MSEC_PER_SEC + tv.tv_usec / USEC_PER_MSEC;
|
||
+}
|
||
+#define ktime_to_ms portable_ktime_to_ms
|
||
+#endif
|
||
+
|
||
+/* encode one field */
|
||
+typedef struct in6_addr in6_t;
|
||
+static inline void add_ipv4_field(__u8 *ptr, const int type, const struct ipt_netflow *nf)
|
||
+{
|
||
+ switch (type) {
|
||
+ case IN_BYTES: *(__be32 *)ptr = htonl(nf->nr_bytes); break;
|
||
+ case IN_PKTS: *(__be32 *)ptr = htonl(nf->nr_packets); break;
|
||
+ case FIRST_SWITCHED: *(__be32 *)ptr = htonl(jiffies_to_msecs(nf->ts_first)); break;
|
||
+ case LAST_SWITCHED: *(__be32 *)ptr = htonl(jiffies_to_msecs(nf->ts_last)); break;
|
||
+ case IPV4_SRC_ADDR: *(__be32 *)ptr = nf->tuple.src.ip; break;
|
||
+ case IPV4_DST_ADDR: *(__be32 *)ptr = nf->tuple.dst.ip; break;
|
||
+ case IPV4_NEXT_HOP: *(__be32 *)ptr = nf->nh.ip; break;
|
||
+ case L4_SRC_PORT: *(__be16 *)ptr = nf->tuple.s_port; break;
|
||
+ case L4_DST_PORT: *(__be16 *)ptr = nf->tuple.d_port; break;
|
||
+ case INPUT_SNMP: *(__be16 *)ptr = htons(nf->tuple.i_ifc); break;
|
||
+ case OUTPUT_SNMP: *(__be16 *)ptr = htons(nf->o_ifc); break;
|
||
+ case PROTOCOL: *ptr = nf->tuple.protocol; break;
|
||
+ case TCP_FLAGS: *ptr = nf->tcp_flags; break;
|
||
+ case TOS: *ptr = nf->tuple.tos; break;
|
||
+ case IPV6_SRC_ADDR: *(in6_t *)ptr = nf->tuple.src.in6; break;
|
||
+ case IPV6_DST_ADDR: *(in6_t *)ptr = nf->tuple.dst.in6; break;
|
||
+ case IPV6_NEXT_HOP: *(in6_t *)ptr = nf->nh.in6; break;
|
||
+ case IPV6_FLOW_LABEL: *ptr++ = nf->flow_label >> 16;
|
||
+ *(__be16 *)ptr = nf->flow_label;
|
||
+ break;
|
||
+ case tcpOptions: *(__be32 *)ptr = htonl(nf->tcpoptions); break;
|
||
+ case ipv4Options: *(__be32 *)ptr = htonl(nf->options); break;
|
||
+ case IPV6_OPTION_HEADERS: *(__be16 *)ptr = htons(nf->options); break;
|
||
+#ifdef CONFIG_NF_CONNTRACK_MARK
|
||
+ case commonPropertiesId:
|
||
+ *(__be32 *)ptr = htonl(nf->mark); break;
|
||
+#endif
|
||
+ case SRC_MASK: *ptr = nf->s_mask; break;
|
||
+ case DST_MASK: *ptr = nf->d_mask; break;
|
||
+ case ICMP_TYPE: *(__be16 *)ptr = nf->tuple.d_port; break;
|
||
+ case MUL_IGMP_TYPE: *ptr = nf->tuple.d_port; break;
|
||
+#ifdef CONFIG_NF_NAT_NEEDED
|
||
+ case postNATSourceIPv4Address: *(__be32 *)ptr = nf->nat->post.s_addr; break;
|
||
+ case postNATDestinationIPv4Address: *(__be32 *)ptr = nf->nat->post.d_addr; break;
|
||
+ case postNAPTSourceTransportPort: *(__be16 *)ptr = nf->nat->post.s_port; break;
|
||
+ case postNAPTDestinationTransportPort: *(__be16 *)ptr = nf->nat->post.d_port; break;
|
||
+ case natEvent: *ptr = nf->nat->nat_event; break;
|
||
+#endif
|
||
+ case IPSecSPI: *(__u32 *)ptr = (nf->tuple.s_port << 16) | nf->tuple.d_port; break;
|
||
+ case observationTimeMilliseconds:
|
||
+ *(__be64 *)ptr = cpu_to_be64(ktime_to_ms(nf->ts_obs)); break;
|
||
+ case observationTimeMicroseconds:
|
||
+ *(__be64 *)ptr = cpu_to_be64(ktime_to_us(nf->ts_obs)); break;
|
||
+ case observationTimeNanoseconds:
|
||
+ *(__be64 *)ptr = cpu_to_be64(ktime_to_ns(nf->ts_obs)); break;
|
||
+ default:
|
||
+ memset(ptr, 0, tpl_element_sizes[type]);
|
||
+ }
|
||
+}
|
||
+
|
||
+#define PAD_SIZE 4 /* rfc prescribes flowsets to be padded */
|
||
+
|
||
+/* cache timeout_rate in jiffies */
|
||
+static inline unsigned long timeout_rate_j(void)
|
||
+{
|
||
+ static unsigned int t_rate = 0;
|
||
+ static unsigned long t_rate_j = 0;
|
||
+
|
||
+ if (unlikely(timeout_rate != t_rate)) {
|
||
+ struct timeval tv = { .tv_sec = timeout_rate * 60, .tv_usec = 0 };
|
||
+
|
||
+ t_rate = timeout_rate;
|
||
+ t_rate_j = timeval_to_jiffies(&tv);
|
||
+ }
|
||
+ return t_rate_j;
|
||
+}
|
||
+
|
||
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,20)
|
||
+#define IPPROTO_UDPLITE 136
|
||
+#endif
|
||
+
|
||
+#ifndef time_is_before_jiffies
|
||
+#define time_is_before_jiffies(a) time_after(jiffies, a)
|
||
+#endif
|
||
+
|
||
+static void netflow_export_flow_tpl(struct ipt_netflow *nf)
|
||
+{
|
||
+ unsigned char *ptr;
|
||
+ int i;
|
||
+ struct data_template *tpl;
|
||
+ int tpl_mask = BTPL_BASE;
|
||
+
|
||
+ if (unlikely(debug > 2))
|
||
+ printk(KERN_INFO "adding flow to export (%d)\n",
|
||
+ pdu_data_records + pdu_tpl_records);
|
||
+
|
||
+ if (likely(nf->tuple.l3proto == AF_INET)) {
|
||
+ tpl_mask |= BTPL_IP4;
|
||
+ if (unlikely(nf->options))
|
||
+ tpl_mask |= BTPL_OPTIONS4;
|
||
+ } else {
|
||
+ tpl_mask |= BTPL_IP6;
|
||
+ if (unlikely(nf->options))
|
||
+ tpl_mask |= BTPL_OPTIONS6;
|
||
+ if (unlikely(nf->flow_label))
|
||
+ tpl_mask |= BTPL_LABEL6;
|
||
+ }
|
||
+ if (unlikely(nf->tcpoptions))
|
||
+ tpl_mask |= BTPL_TCPOPTIONS;
|
||
+ if (unlikely(nf->s_mask || nf->d_mask))
|
||
+ tpl_mask |= BTPL_MASK4;
|
||
+ if (likely(nf->tuple.protocol == IPPROTO_TCP ||
|
||
+ nf->tuple.protocol == IPPROTO_UDP ||
|
||
+ nf->tuple.protocol == IPPROTO_SCTP ||
|
||
+ nf->tuple.protocol == IPPROTO_UDPLITE))
|
||
+ tpl_mask |= BTPL_PORTS;
|
||
+ else if (nf->tuple.protocol == IPPROTO_ICMP)
|
||
+ tpl_mask |= BTPL_ICMP;
|
||
+ else if (nf->tuple.protocol == IPPROTO_IGMP)
|
||
+ tpl_mask |= BTPL_IGMP;
|
||
+#ifdef CONFIG_NF_CONNTRACK_MARK
|
||
+ if (nf->mark)
|
||
+ tpl_mask |= BTPL_MARK;
|
||
+#endif
|
||
+#ifdef CONFIG_NF_NAT_NEEDED
|
||
+ if (nf->nat)
|
||
+ tpl_mask = BTPL_NAT4;
|
||
+#endif
|
||
+
|
||
+ tpl = get_template(tpl_mask);
|
||
+ if (unlikely(!tpl)) {
|
||
+ printk(KERN_INFO "ipt_NETFLOW: template allocation failed.\n");
|
||
+ NETFLOW_STAT_INC(alloc_err);
|
||
+ NETFLOW_STAT_ADD_ATOMIC(pkt_drop, nf->nr_packets);
|
||
+ NETFLOW_STAT_ADD_ATOMIC(traf_drop, nf->nr_bytes);
|
||
+ ipt_netflow_free(nf);
|
||
+ return;
|
||
+ }
|
||
+
|
||
+ if (unlikely(!pdu_flowset ||
|
||
+ pdu_flowset->flowset_id != tpl->template_id_n ||
|
||
+ !(ptr = pdu_alloc_fail(tpl->rec_size)))) {
|
||
+
|
||
+ /* if there was previous data template we should pad it to 4 bytes */
|
||
+ if (pdu_flowset) {
|
||
+ int padding = (PAD_SIZE - ntohs(pdu_flowset->length) % PAD_SIZE) % PAD_SIZE;
|
||
+ if (padding && (ptr = pdu_alloc_fail(padding))) {
|
||
+ pdu_flowset->length = htons(ntohs(pdu_flowset->length) + padding);
|
||
+ for (; padding; padding--)
|
||
+ *ptr++ = 0;
|
||
+ }
|
||
+ }
|
||
+
|
||
+ if (!tpl->exported_ts ||
|
||
+ pdu_count > (tpl->exported_cnt + refresh_rate) ||
|
||
+ time_is_before_jiffies(tpl->exported_ts + timeout_rate_j())) {
|
||
+ pdu_add_template(tpl);
|
||
+ }
|
||
+
|
||
+ ptr = pdu_alloc(sizeof(struct flowset_data) + tpl->rec_size);
|
||
+ pdu_flowset = (struct flowset_data *)ptr;
|
||
+ pdu_flowset->flowset_id = tpl->template_id_n;
|
||
+ pdu_flowset->length = htons(sizeof(struct flowset_data));
|
||
+ ptr += sizeof(struct flowset_data);
|
||
+ }
|
||
+
|
||
+ /* encode all fields */
|
||
+ for (i = 0; ; ) {
|
||
+ int type = tpl->fields[i++];
|
||
+
|
||
+ if (!type)
|
||
+ break;
|
||
+ add_ipv4_field(ptr, type, nf);
|
||
+ ptr += tpl->fields[i++];
|
||
+ }
|
||
+
|
||
+ pdu_data_records++;
|
||
+ pdu_flowset->length = htons(ntohs(pdu_flowset->length) + tpl->rec_size);
|
||
+
|
||
+ pdu_packets += nf->nr_packets;
|
||
+ pdu_traf += nf->nr_bytes;
|
||
+
|
||
+ ipt_netflow_free(nf);
|
||
+ pdu_ts_mod = jiffies;
|
||
+}
|
||
+
|
||
+static void netflow_switch_version(const int ver)
|
||
+{
|
||
+ protocol = ver;
|
||
+ if (protocol == 5) {
|
||
+ memset(&pdu, 0, sizeof(pdu));
|
||
+ netflow_export_flow = &netflow_export_flow_v5;
|
||
+ netflow_export_pdu = &netflow_export_pdu_v5;
|
||
+ } else if (protocol == 9) {
|
||
+ pdu_data_used = pdu.v9.data;
|
||
+ pdu_max_size = sizeof(pdu.v9);
|
||
+ pdu_high_wm = (unsigned char *)&pdu + pdu_max_size;
|
||
+ netflow_export_flow = &netflow_export_flow_tpl;
|
||
+ netflow_export_pdu = &netflow_export_pdu_v9;
|
||
+ } else { /* IPFIX */
|
||
+ pdu_data_used = pdu.ipfix.data;
|
||
+ pdu_max_size = sizeof(pdu.ipfix);
|
||
+ pdu_high_wm = (unsigned char *)&pdu + pdu_max_size;
|
||
+ netflow_export_flow = &netflow_export_flow_tpl;
|
||
+ netflow_export_pdu = &netflow_export_pdu_ipfix;
|
||
+ }
|
||
+ if (protocol != 5)
|
||
+ free_templates();
|
||
+ pdu_data_records = pdu_tpl_records = 0;
|
||
+ pdu_flowset = NULL;
|
||
+ printk(KERN_INFO "ipt_NETFLOW protocol version %d (%s) enabled.\n",
|
||
+ protocol, protocol == 10? "IPFIX" : "NetFlow");
|
||
+}
|
||
+
|
||
+#ifdef CONFIG_NF_NAT_NEEDED
|
||
+static void export_nat_event(struct nat_event *nel)
|
||
+{
|
||
+ static struct ipt_netflow nf = { { NULL } };
|
||
+
|
||
+ nf.tuple.l3proto = AF_INET;
|
||
+ nf.tuple.protocol = nel->protocol;
|
||
+ nf.nat = nel; /* this is also flag of dummy flow */
|
||
+ nf.tcp_flags = (nel->nat_event == NAT_DESTROY)? TCP_FIN_RST : TCP_SYN_ACK;
|
||
+ if (protocol >= 9) {
|
||
+ nf.ts_obs = nel->ts_ktime;
|
||
+ nf.tuple.src.ip = nel->pre.s_addr;
|
||
+ nf.tuple.dst.ip = nel->pre.d_addr;
|
||
+ nf.tuple.s_port = nel->pre.s_port;
|
||
+ nf.tuple.d_port = nel->pre.d_port;
|
||
+ netflow_export_flow(&nf);
|
||
+ } else { /* v5 */
|
||
+ /* The weird v5 packet(s).
|
||
+ * src and dst will be same as in data flow from the FORWARD chain
|
||
+ * where src is pre-nat src ip and dst is post-nat dst ip.
|
||
+ * What we lacking here is external src ip for SNAT, or
|
||
+ * pre-nat dst ip for DNAT. We will put this into Nexthop field
|
||
+ * with port into src/dst AS field. tcp_flags will distinguish it's
|
||
+ * start or stop event. Two flows in case of full nat. */
|
||
+ nf.tuple.src.ip = nel->pre.s_addr;
|
||
+ nf.tuple.s_port = nel->pre.s_port;
|
||
+ nf.tuple.dst.ip = nel->post.d_addr;
|
||
+ nf.tuple.d_port = nel->post.d_port;
|
||
+
|
||
+ nf.ts_first = nel->ts_jiffies;
|
||
+ nf.ts_last = nel->ts_jiffies;
|
||
+ if (nel->pre.s_addr != nel->post.s_addr ||
|
||
+ nel->pre.s_port != nel->post.s_port) {
|
||
+ nf.nh.ip = nel->post.s_addr;
|
||
+ nf.s_as = nel->post.s_port;
|
||
+ nf.d_as = 0;
|
||
+ netflow_export_flow(&nf);
|
||
+ }
|
||
+ if (nel->pre.d_addr != nel->post.d_addr ||
|
||
+ nel->pre.d_port != nel->post.d_port) {
|
||
+ nf.nh.ip = nel->pre.d_addr;
|
||
+ nf.s_as = 0;
|
||
+ nf.d_as = nel->pre.d_port;
|
||
+ netflow_export_flow(&nf);
|
||
+ }
|
||
+ }
|
||
+ kfree(nel);
|
||
}
|
||
+#endif /* CONFIG_NF_NAT_NEEDED */
|
||
|
||
-static inline int active_needs_export(struct ipt_netflow *nf, long a_timeout)
|
||
+static inline int active_needs_export(const struct ipt_netflow *nf, const long a_timeout)
|
||
{
|
||
/* active too long, finishing, or having too much bytes */
|
||
return ((jiffies - nf->ts_first) > a_timeout) ||
|
||
@@ -1057,42 +1987,77 @@ static inline int active_needs_export(struct ipt_netflow *nf, long a_timeout)
|
||
|
||
/* could be called with zero to flush cache and pdu */
|
||
/* this function is guaranteed to be called non-concurrently */
|
||
-static void netflow_scan_and_export(int flush)
|
||
+/* return -1 is trylockfailed, 0 if nothin gexported, >=1 if exported something */
|
||
+static int netflow_scan_and_export(const int flush)
|
||
{
|
||
long i_timeout = inactive_timeout * HZ;
|
||
long a_timeout = active_timeout * HZ;
|
||
+ int trylock_failed = 0;
|
||
+ int pdu_c = pdu_count;
|
||
|
||
if (flush)
|
||
i_timeout = 0;
|
||
|
||
- spin_lock_bh(&ipt_netflow_lock);
|
||
- while (!list_empty(&ipt_netflow_list)) {
|
||
+ local_bh_disable();
|
||
+ spin_lock(&hlist_lock);
|
||
+ /* This is different order of locking than elsewhere,
|
||
+ * so we trylock&break to avoid deadlock. */
|
||
+
|
||
+ while (likely(!list_empty(&ipt_netflow_list))) {
|
||
struct ipt_netflow *nf;
|
||
-
|
||
+
|
||
+ /* Last entry, which is usually oldest. */
|
||
nf = list_entry(ipt_netflow_list.prev, struct ipt_netflow, list);
|
||
+ if (!spin_trylock(nf->lock)) {
|
||
+ trylock_failed = 1;
|
||
+ break;
|
||
+ }
|
||
/* Note: i_timeout checked with >= to allow specifying zero timeout
|
||
* to purge all flows on module unload */
|
||
if (((jiffies - nf->ts_last) >= i_timeout) ||
|
||
active_needs_export(nf, a_timeout)) {
|
||
hlist_del(&nf->hlist);
|
||
+ spin_unlock(nf->lock);
|
||
+
|
||
list_del(&nf->list);
|
||
+ spin_unlock(&hlist_lock);
|
||
+ local_bh_enable();
|
||
+
|
||
NETFLOW_STAT_ADD(pkt_out, nf->nr_packets);
|
||
NETFLOW_STAT_ADD(traf_out, nf->nr_bytes);
|
||
- spin_unlock_bh(&ipt_netflow_lock);
|
||
netflow_export_flow(nf);
|
||
- spin_lock_bh(&ipt_netflow_lock);
|
||
+
|
||
+ local_bh_disable();
|
||
+ spin_lock(&hlist_lock);
|
||
} else {
|
||
+ spin_unlock(nf->lock);
|
||
/* all flows which need to be exported is always at the tail
|
||
* so if no more exportable flows we can break */
|
||
break;
|
||
}
|
||
}
|
||
- spin_unlock_bh(&ipt_netflow_lock);
|
||
-
|
||
+ spin_unlock(&hlist_lock);
|
||
+ local_bh_enable();
|
||
+
|
||
+#ifdef CONFIG_NF_NAT_NEEDED
|
||
+ spin_lock_bh(&nat_lock);
|
||
+ while (!list_empty(&nat_list)) {
|
||
+ struct nat_event *nel;
|
||
+
|
||
+ nel = list_entry(nat_list.next, struct nat_event, list);
|
||
+ list_del(&nel->list);
|
||
+ spin_unlock_bh(&nat_lock);
|
||
+ export_nat_event(nel);
|
||
+ spin_lock_bh(&nat_lock);
|
||
+ }
|
||
+ spin_unlock_bh(&nat_lock);
|
||
+#endif
|
||
/* flush flows stored in pdu if there no new flows for too long */
|
||
/* Note: using >= to allow flow purge on zero timeout */
|
||
if ((jiffies - pdu_ts_mod) >= i_timeout)
|
||
netflow_export_pdu();
|
||
+
|
||
+ return trylock_failed? -1 : pdu_count - pdu_c;
|
||
}
|
||
|
||
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,20)
|
||
@@ -1101,8 +2066,10 @@ static void netflow_work_fn(void *dummy)
|
||
static void netflow_work_fn(struct work_struct *dummy)
|
||
#endif
|
||
{
|
||
- netflow_scan_and_export(0);
|
||
- __start_scan_worker();
|
||
+ int status;
|
||
+
|
||
+ status = netflow_scan_and_export(DONT_FLUSH);
|
||
+ _schedule_scan_worker(status);
|
||
}
|
||
|
||
#define RATESHIFT 2
|
||
@@ -1154,7 +2121,7 @@ static void rate_timer_calc(unsigned long dummy)
|
||
old_found = found;
|
||
old_notfound = notfound;
|
||
/* if there is no access to hash keep rate steady */
|
||
- metric = (dfnd + dnfnd)? 10 * (dsrch + dfnd + dnfnd) / (dfnd + dnfnd) : metric;
|
||
+ metric = (dfnd + dnfnd)? 100 * (dsrch + dfnd + dnfnd) / (dfnd + dnfnd) : metric;
|
||
CALC_RATE(min15_metric, (unsigned long long)metric, 15);
|
||
CALC_RATE(min5_metric, (unsigned long long)metric, 5);
|
||
CALC_RATE(min_metric, (unsigned long long)metric, 1);
|
||
@@ -1162,6 +2129,262 @@ static void rate_timer_calc(unsigned long dummy)
|
||
mod_timer(&rate_timer, jiffies + (HZ * SAMPLERATE));
|
||
}
|
||
|
||
+#ifdef CONFIG_NF_NAT_NEEDED
|
||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31)
|
||
+static struct nf_ct_event_notifier *saved_event_cb __read_mostly = NULL;
|
||
+static int netflow_conntrack_event(const unsigned int events, struct nf_ct_event *item)
|
||
+#else
|
||
+static int netflow_conntrack_event(struct notifier_block *this, unsigned long events, void *ptr)
|
||
+#endif
|
||
+{
|
||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31)
|
||
+ struct nf_conn *ct = item->ct;
|
||
+#else
|
||
+ struct nf_conn *ct = (struct nf_conn *)ptr;
|
||
+#endif
|
||
+ struct nat_event *nel;
|
||
+ const struct nf_conntrack_tuple *t;
|
||
+ int ret = NOTIFY_DONE;
|
||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31)
|
||
+ struct nf_ct_event_notifier *notifier;
|
||
+
|
||
+ /* Call netlink first. */
|
||
+ notifier = rcu_dereference(saved_event_cb);
|
||
+ if (likely(notifier))
|
||
+ ret = notifier->fcn(events, item);
|
||
+#endif
|
||
+ if (unlikely(!natevents))
|
||
+ return ret;
|
||
+
|
||
+ if (!(events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED) | (1 << IPCT_DESTROY))))
|
||
+ return ret;
|
||
+
|
||
+ if (!(ct->status & IPS_NAT_MASK))
|
||
+ return ret;
|
||
+
|
||
+ if (unlikely(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num != AF_INET ||
|
||
+ ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.l3num != AF_INET)) {
|
||
+ /* Well, there is no linux NAT for IPv6 anyway. */
|
||
+ return ret;
|
||
+ }
|
||
+
|
||
+ if (!(nel = kmalloc(sizeof(struct nat_event), GFP_ATOMIC))) {
|
||
+ printk(KERN_ERR "ipt_NETFLOW: can't kmalloc nat event\n");
|
||
+ return ret;
|
||
+ }
|
||
+ memset(nel, 0, sizeof(struct nat_event));
|
||
+ nel->ts_ktime = ktime_get_real();
|
||
+ nel->ts_jiffies = jiffies;
|
||
+ t = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
|
||
+ nel->protocol = t->dst.protonum;
|
||
+ nel->pre.s_addr = t->src.u3.ip;
|
||
+ nel->pre.d_addr = t->dst.u3.ip;
|
||
+ nel->pre.s_port = t->src.u.all;
|
||
+ nel->pre.d_port = t->dst.u.all;
|
||
+ t = &ct->tuplehash[IP_CT_DIR_REPLY].tuple;
|
||
+ /* reply is reversed */
|
||
+ nel->post.s_addr = t->dst.u3.ip;
|
||
+ nel->post.d_addr = t->src.u3.ip;
|
||
+ nel->post.s_port = t->dst.u.all;
|
||
+ nel->post.d_port = t->src.u.all;
|
||
+ if (events & (1 << IPCT_DESTROY)) {
|
||
+ nel->nat_event = NAT_DESTROY;
|
||
+ nat_events_stop++;
|
||
+ } else {
|
||
+ nel->nat_event = NAT_CREATE;
|
||
+ nat_events_start++;
|
||
+ }
|
||
+
|
||
+ spin_lock_bh(&nat_lock);
|
||
+ list_add_tail(&nel->list, &nat_list);
|
||
+ spin_unlock_bh(&nat_lock);
|
||
+
|
||
+ return ret;
|
||
+}
|
||
+
|
||
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,31)
|
||
+static struct notifier_block ctnl_notifier = {
|
||
+ .notifier_call = netflow_conntrack_event
|
||
+};
|
||
+#else
|
||
+static struct nf_ct_event_notifier ctnl_notifier = {
|
||
+ .fcn = netflow_conntrack_event
|
||
+};
|
||
+#endif /* since 2.6.31 */
|
||
+#endif /* CONFIG_NF_NAT_NEEDED */
|
||
+
|
||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23) && \
|
||
+ LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
|
||
+static bool
|
||
+#else
|
||
+static int
|
||
+#endif
|
||
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
|
||
+netflow_target_check(const char *tablename, const void *entry, const struct xt_target *target,
|
||
+ void *targinfo,
|
||
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,18)
|
||
+ unsigned int targinfosize,
|
||
+#endif
|
||
+ unsigned int hook_mask)
|
||
+{
|
||
+#else
|
||
+netflow_target_check(const struct xt_tgchk_param *par)
|
||
+{
|
||
+ const char *tablename = par->table;
|
||
+ const struct xt_target *target = par->target;
|
||
+#endif
|
||
+ if (strcmp("nat", tablename) == 0) {
|
||
+ /* In the nat table we only see single packet per flow, which is useless. */
|
||
+ printk(KERN_ERR "%s target: is not valid in %s table\n", target->name, tablename);
|
||
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
|
||
+#define CHECK_FAIL 0
|
||
+#define CHECK_OK 1
|
||
+#else
|
||
+#define CHECK_FAIL -EINVAL
|
||
+#define CHECK_OK 0
|
||
+#endif
|
||
+ return CHECK_FAIL;
|
||
+ }
|
||
+ if (target->family == AF_INET6 && protocol == 5) {
|
||
+ printk(KERN_ERR "ip6tables NETFLOW target is meaningful for protocol 9 or 10 only.\n");
|
||
+ return CHECK_FAIL;
|
||
+ }
|
||
+ return CHECK_OK;
|
||
+}
|
||
+
|
||
+#define SetXBit(x) (0x8000 >> (x)) /* Proper bit for htons later. */
|
||
+#ifndef IPPROTO_MH
|
||
+#define IPPROTO_MH 135
|
||
+#endif
|
||
+static inline __u16 observed_hdrs(const __u8 currenthdr)
|
||
+{
|
||
+ switch (currenthdr) {
|
||
+ case IPPROTO_TCP:
|
||
+ case IPPROTO_UDP:
|
||
+ /* For speed, in case switch is not optimized. */
|
||
+ return 0;
|
||
+ case IPPROTO_DSTOPTS: return SetXBit(0);
|
||
+ case IPPROTO_HOPOPTS: return SetXBit(1);
|
||
+ case IPPROTO_ROUTING: return SetXBit(5);
|
||
+ case IPPROTO_MH: return SetXBit(12);
|
||
+ case IPPROTO_ESP: return SetXBit(13);
|
||
+ case IPPROTO_AH: return SetXBit(14);
|
||
+ case IPPROTO_COMP: return SetXBit(15);
|
||
+ case IPPROTO_FRAGMENT: /* Handled elsewhere. */
|
||
+ /* Next is known headers. */
|
||
+ case IPPROTO_ICMPV6:
|
||
+ case IPPROTO_UDPLITE:
|
||
+ case IPPROTO_IPIP:
|
||
+ case IPPROTO_PIM:
|
||
+ case IPPROTO_GRE:
|
||
+ case IPPROTO_SCTP:
|
||
+#ifdef IPPROTO_L2TP
|
||
+ case IPPROTO_L2TP:
|
||
+#endif
|
||
+ case IPPROTO_DCCP:
|
||
+ return 0;
|
||
+ }
|
||
+ return SetXBit(3); /* Unknown header. */
|
||
+}
|
||
+
|
||
+/* http://www.iana.org/assignments/ip-parameters/ip-parameters.xhtml */
|
||
+static const __u8 ip4_opt_table[] = {
|
||
+ [7] = 0, /* RR */ /* parsed manually becasue of 0 */
|
||
+ [134] = 1, /* CIPSO */
|
||
+ [133] = 2, /* E-SEC */
|
||
+ [68] = 3, /* TS */
|
||
+ [131] = 4, /* LSR */
|
||
+ [130] = 5, /* SEC */
|
||
+ [1] = 6, /* NOP */
|
||
+ [0] = 7, /* EOOL */
|
||
+ [15] = 8, /* ENCODE */
|
||
+ [142] = 9, /* VISA */
|
||
+ [205] = 10, /* FINN */
|
||
+ [12] = 11, /* MTUR */
|
||
+ [11] = 12, /* MTUP */
|
||
+ [10] = 13, /* ZSU */
|
||
+ [137] = 14, /* SSR */
|
||
+ [136] = 15, /* SID */
|
||
+ [151] = 16, /* DPS */
|
||
+ [150] = 17, /* NSAPA */
|
||
+ [149] = 18, /* SDB */
|
||
+ [147] = 19, /* ADDEXT */
|
||
+ [148] = 20, /* RTRALT */
|
||
+ [82] = 21, /* TR */
|
||
+ [145] = 22, /* EIP */
|
||
+ [144] = 23, /* IMITD */
|
||
+ [30] = 25, /* EXP */
|
||
+ [94] = 25, /* EXP */
|
||
+ [158] = 25, /* EXP */
|
||
+ [222] = 25, /* EXP */
|
||
+ [25] = 30, /* QS */
|
||
+ [152] = 31, /* UMP */
|
||
+};
|
||
+/* Parse IPv4 Options array int ipv4Options IPFIX value. */
|
||
+static inline __u32 ip4_options(const u_int8_t *p, const unsigned int optsize)
|
||
+{
|
||
+ __u32 ret = 0;
|
||
+ unsigned int i;
|
||
+
|
||
+ for (i = 0; likely(i < optsize); ) {
|
||
+ u_int8_t op = p[i++];
|
||
+
|
||
+ if (op == 7) /* RR: bit 0 */
|
||
+ ret |= 1;
|
||
+ else if (likely(op < ARRAY_SIZE(ip4_opt_table))) {
|
||
+ /* Btw, IANA doc is messed up in a crazy way:
|
||
+ * http://www.ietf.org/mail-archive/web/ipfix/current/msg06008.html (2011)
|
||
+ * I decided to follow IANA _text_ description from
|
||
+ * http://www.iana.org/assignments/ipfix/ipfix.xhtml (2013-09-18)
|
||
+ *
|
||
+ * Set proper bit for htonl later. */
|
||
+ if (ip4_opt_table[op])
|
||
+ ret |= 1 << (32 - ip4_opt_table[op]);
|
||
+ }
|
||
+ if (likely(i >= optsize || op == 0))
|
||
+ break;
|
||
+ else if (unlikely(op == 1))
|
||
+ continue;
|
||
+ else if (unlikely(p[i] < 2))
|
||
+ break;
|
||
+ else
|
||
+ i += p[i] - 1;
|
||
+ }
|
||
+ return ret;
|
||
+}
|
||
+
|
||
+#define TCPHDR_MAXSIZE (4 * 15)
|
||
+/* List of options: http://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml */
|
||
+static inline __u32 tcp_options(const struct sk_buff *skb, const unsigned int ptr, const struct tcphdr *th)
|
||
+{
|
||
+ const unsigned int optsize = th->doff * 4 - sizeof(struct tcphdr);
|
||
+ __u8 _opt[TCPHDR_MAXSIZE];
|
||
+ const u_int8_t *p;
|
||
+ __u32 ret;
|
||
+ unsigned int i;
|
||
+
|
||
+ p = skb_header_pointer(skb, ptr + sizeof(struct tcphdr), optsize, _opt);
|
||
+ if (unlikely(!p))
|
||
+ return 0;
|
||
+ ret = 0;
|
||
+ for (i = 0; likely(i < optsize); ) {
|
||
+ u_int8_t opt = p[i++];
|
||
+
|
||
+ if (likely(opt < 32)) {
|
||
+ /* IANA doc is messed up, see above. */
|
||
+ ret |= 1 << (32 - opt);
|
||
+ }
|
||
+ if (likely(i >= optsize || opt == 0))
|
||
+ break;
|
||
+ else if (unlikely(opt == 1))
|
||
+ continue;
|
||
+ else if (unlikely(p[i] < 2)) /* "silly options" */
|
||
+ break;
|
||
+ else
|
||
+ i += p[i] - 1;
|
||
+ }
|
||
+ return ret;
|
||
+}
|
||
/* packet receiver */
|
||
static unsigned int netflow_target(
|
||
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24)
|
||
@@ -1192,27 +2415,38 @@ static unsigned int netflow_target(
|
||
)
|
||
{
|
||
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24)
|
||
- struct sk_buff *skb = *pskb;
|
||
+ const struct sk_buff *skb = *pskb;
|
||
+#endif
|
||
+ union {
|
||
+ struct iphdr ip;
|
||
+ struct ipv6hdr ip6;
|
||
+ } _iph, *iph;
|
||
+ unsigned int hash;
|
||
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
|
||
+ const int family = target->family;
|
||
+#else
|
||
+ const int family = par->family;
|
||
#endif
|
||
- struct iphdr _iph, *iph;
|
||
struct ipt_netflow_tuple tuple;
|
||
struct ipt_netflow *nf;
|
||
__u8 tcp_flags;
|
||
struct netflow_aggr_n *aggr_n;
|
||
struct netflow_aggr_p *aggr_p;
|
||
__u8 s_mask, d_mask;
|
||
- unsigned int hash;
|
||
-
|
||
- iph = skb_header_pointer(skb, 0, sizeof(_iph), &_iph); //iph = ip_hdr(skb);
|
||
-
|
||
- if (iph == NULL) {
|
||
+ unsigned int ptr;
|
||
+ int fragment;
|
||
+ size_t pkt_len;
|
||
+ int options = 0;
|
||
+ int tcpoptions = 0;
|
||
+
|
||
+ iph = skb_header_pointer(skb, 0, (likely(family == AF_INET))? sizeof(_iph.ip) : sizeof(_iph.ip6), &iph);
|
||
+ if (unlikely(iph == NULL)) {
|
||
NETFLOW_STAT_INC(truncated);
|
||
NETFLOW_STAT_INC(pkt_drop);
|
||
return IPT_CONTINUE;
|
||
}
|
||
|
||
- tuple.s_addr = iph->saddr;
|
||
- tuple.d_addr = iph->daddr;
|
||
+ tuple.l3proto = family;
|
||
tuple.s_port = 0;
|
||
tuple.d_port = 0;
|
||
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
|
||
@@ -1220,30 +2454,118 @@ static unsigned int netflow_target(
|
||
#else
|
||
tuple.i_ifc = par->in? par->in->ifindex : -1;
|
||
#endif
|
||
- tuple.protocol = iph->protocol;
|
||
- tuple.tos = iph->tos;
|
||
tcp_flags = 0; /* Cisco sometimes have TCP ACK for non TCP packets, don't get it */
|
||
s_mask = 0;
|
||
d_mask = 0;
|
||
|
||
- if (iph->frag_off & htons(IP_OFFSET))
|
||
+ if (likely(family == AF_INET)) {
|
||
+ tuple.src = (union nf_inet_addr){ .ip = iph->ip.saddr };
|
||
+ tuple.dst = (union nf_inet_addr){ .ip = iph->ip.daddr };
|
||
+ tuple.tos = iph->ip.tos;
|
||
+ tuple.protocol = iph->ip.protocol;
|
||
+ fragment = unlikely(iph->ip.frag_off & htons(IP_OFFSET));
|
||
+ ptr = iph->ip.ihl * 4;
|
||
+ pkt_len = ntohs(iph->ip.tot_len);
|
||
+
|
||
+#define IPHDR_MAXSIZE (4 * 15)
|
||
+ if (unlikely(iph->ip.ihl * 4 > sizeof(struct iphdr))) {
|
||
+ u_int8_t _opt[IPHDR_MAXSIZE - sizeof(struct iphdr)];
|
||
+ const u_int8_t *op;
|
||
+ unsigned int optsize = iph->ip.ihl * 4 - sizeof(struct iphdr);
|
||
+
|
||
+ op = skb_header_pointer(skb, sizeof(struct iphdr), optsize, _opt);
|
||
+ if (likely(op))
|
||
+ options = ip4_options(op, optsize);
|
||
+ }
|
||
+ } else {
|
||
+ __u8 currenthdr;
|
||
+
|
||
+ tuple.src.in6 = iph->ip6.saddr;
|
||
+ tuple.dst.in6 = iph->ip6.daddr;
|
||
+ tuple.tos = iph->ip6.priority;
|
||
+ fragment = 0;
|
||
+ ptr = sizeof(struct ipv6hdr);
|
||
+ pkt_len = ntohs(iph->ip6.payload_len) + sizeof(struct ipv6hdr);
|
||
+
|
||
+ currenthdr = iph->ip6.nexthdr;
|
||
+ while (currenthdr != NEXTHDR_NONE && ipv6_ext_hdr(currenthdr)) {
|
||
+ struct ipv6_opt_hdr _hdr;
|
||
+ const struct ipv6_opt_hdr *hp;
|
||
+ unsigned int hdrlen = 0;
|
||
+
|
||
+ options |= observed_hdrs(currenthdr);
|
||
+ hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr);
|
||
+ if (hp == NULL) {
|
||
+ /* We have src/dst, so must account something. */
|
||
+ tuple.protocol = currenthdr;
|
||
+ fragment = 3;
|
||
+ goto do_protocols;
|
||
+ }
|
||
+
|
||
+ switch (currenthdr) {
|
||
+ case IPPROTO_FRAGMENT: {
|
||
+ struct frag_hdr _fhdr;
|
||
+ const struct frag_hdr *fh;
|
||
+
|
||
+ fh = skb_header_pointer(skb, ptr, sizeof(_fhdr),
|
||
+ &_fhdr);
|
||
+ if (fh == NULL) {
|
||
+ tuple.protocol = currenthdr;
|
||
+ fragment = 2;
|
||
+ goto do_protocols;
|
||
+ }
|
||
+ fragment = 1;
|
||
+#define FRA0 SetXBit(4) /* Fragment header - first fragment */
|
||
+#define FRA1 SetXBit(6) /* Fragmentation header - not first fragment */
|
||
+ options |= (ntohs(fh->frag_off) & 0xFFF8)? FRA1 : FRA0;
|
||
+ hdrlen = 8;
|
||
+ break;
|
||
+ }
|
||
+ case IPPROTO_AH: {
|
||
+ struct ip_auth_hdr _hdr, *hp;
|
||
+
|
||
+ if (likely(hp = skb_header_pointer(skb, ptr, 8, &_hdr))) {
|
||
+ tuple.s_port = hp->spi >> 16;
|
||
+ tuple.d_port = hp->spi;
|
||
+ }
|
||
+ hdrlen = (hp->hdrlen + 2) << 2;
|
||
+ break;
|
||
+ }
|
||
+ default:
|
||
+ hdrlen = ipv6_optlen(hp);
|
||
+ }
|
||
+ currenthdr = hp->nexthdr;
|
||
+ ptr += hdrlen;
|
||
+ }
|
||
+ tuple.protocol = currenthdr;
|
||
+ options |= observed_hdrs(currenthdr);
|
||
+ }
|
||
+
|
||
+do_protocols:
|
||
+ if (fragment) {
|
||
+ /* if conntrack is enabled it should defrag on pre-routing and local-out */
|
||
NETFLOW_STAT_INC(frags);
|
||
- else {
|
||
+ } else {
|
||
switch (tuple.protocol) {
|
||
case IPPROTO_TCP: {
|
||
struct tcphdr _hdr, *hp;
|
||
|
||
- if ((hp = skb_header_pointer(skb, iph->ihl * 4, 14, &_hdr))) {
|
||
+ if (likely(hp = skb_header_pointer(skb, ptr, 14, &_hdr))) {
|
||
tuple.s_port = hp->source;
|
||
tuple.d_port = hp->dest;
|
||
tcp_flags = (u_int8_t)(ntohl(tcp_flag_word(hp)) >> 16);
|
||
+
|
||
+ if (unlikely(hp->doff * 4 > sizeof(struct tcphdr)))
|
||
+ tcpoptions = tcp_options(skb, ptr, hp);
|
||
}
|
||
break;
|
||
}
|
||
- case IPPROTO_UDP: {
|
||
+ case IPPROTO_UDP:
|
||
+ case IPPROTO_UDPLITE:
|
||
+ case IPPROTO_SCTP: {
|
||
struct udphdr _hdr, *hp;
|
||
|
||
- if ((hp = skb_header_pointer(skb, iph->ihl * 4, 4, &_hdr))) {
|
||
+ if (likely(hp = skb_header_pointer(skb, ptr, 4, &_hdr))) {
|
||
tuple.s_port = hp->source;
|
||
tuple.d_port = hp->dest;
|
||
}
|
||
@@ -1252,72 +2574,111 @@ static unsigned int netflow_target(
|
||
case IPPROTO_ICMP: {
|
||
struct icmphdr _hdr, *hp;
|
||
|
||
- if ((hp = skb_header_pointer(skb, iph->ihl * 4, 2, &_hdr)))
|
||
- tuple.d_port = (hp->type << 8) | hp->code;
|
||
+ if (likely(family == AF_INET &&
|
||
+ (hp = skb_header_pointer(skb, ptr, 2, &_hdr))))
|
||
+ tuple.d_port = htons((hp->type << 8) | hp->code);
|
||
break;
|
||
}
|
||
+ case IPPROTO_ICMPV6: {
|
||
+ struct icmp6hdr _icmp6h, *ic;
|
||
+
|
||
+ if (likely(family == AF_INET6 &&
|
||
+ (ic = skb_header_pointer(skb, ptr, 2, &_icmp6h))))
|
||
+ tuple.d_port = htons((ic->icmp6_type << 8) | ic->icmp6_code);
|
||
+ break;
|
||
+ }
|
||
case IPPROTO_IGMP: {
|
||
- struct igmphdr *_hdr, *hp;
|
||
+ struct igmphdr _hdr, *hp;
|
||
|
||
- if ((hp = skb_header_pointer(skb, iph->ihl * 4, 1, &_hdr)))
|
||
+ if (likely(hp = skb_header_pointer(skb, ptr, 1, &_hdr)))
|
||
tuple.d_port = hp->type;
|
||
}
|
||
break;
|
||
+ case IPPROTO_AH: { /* IPSEC */
|
||
+ struct ip_auth_hdr _hdr, *hp;
|
||
+
|
||
+ if (likely(family == AF_INET && /* For IPv6 it's parsed above. */
|
||
+ (hp = skb_header_pointer(skb, ptr, 8, &_hdr)))) {
|
||
+ tuple.s_port = hp->spi >> 16;
|
||
+ tuple.d_port = hp->spi;
|
||
+ }
|
||
+ break;
|
||
+ }
|
||
+ case IPPROTO_ESP: {
|
||
+ struct ip_esp_hdr _hdr, *hp;
|
||
+
|
||
+ if (likely(hp = skb_header_pointer(skb, ptr, 4, &_hdr)))
|
||
+ tuple.s_port = hp->spi >> 16;
|
||
+ tuple.d_port = hp->spi;
|
||
+ }
|
||
+ break;
|
||
}
|
||
} /* not fragmented */
|
||
|
||
/* aggregate networks */
|
||
read_lock_bh(&aggr_lock);
|
||
- list_for_each_entry(aggr_n, &aggr_n_list, list)
|
||
- if ((ntohl(tuple.s_addr) & aggr_n->mask) == aggr_n->addr) {
|
||
- tuple.s_addr &= htonl(aggr_n->aggr_mask);
|
||
- s_mask = aggr_n->prefix;
|
||
- break;
|
||
- }
|
||
- list_for_each_entry(aggr_n, &aggr_n_list, list)
|
||
- if ((ntohl(tuple.d_addr) & aggr_n->mask) == aggr_n->addr) {
|
||
- tuple.d_addr &= htonl(aggr_n->aggr_mask);
|
||
- d_mask = aggr_n->prefix;
|
||
- break;
|
||
- }
|
||
+ if (family == AF_INET) {
|
||
+ list_for_each_entry(aggr_n, &aggr_n_list, list)
|
||
+ if (unlikely((ntohl(tuple.src.ip) & aggr_n->mask) == aggr_n->addr)) {
|
||
+ tuple.src.ip &= htonl(aggr_n->aggr_mask);
|
||
+ s_mask = aggr_n->prefix;
|
||
+ atomic_inc(&aggr_n->usage);
|
||
+ break;
|
||
+ }
|
||
+ list_for_each_entry(aggr_n, &aggr_n_list, list)
|
||
+ if (unlikely((ntohl(tuple.dst.ip) & aggr_n->mask) == aggr_n->addr)) {
|
||
+ tuple.dst.ip &= htonl(aggr_n->aggr_mask);
|
||
+ d_mask = aggr_n->prefix;
|
||
+ atomic_inc(&aggr_n->usage);
|
||
+ break;
|
||
+ }
|
||
+ }
|
||
|
||
- /* aggregate ports */
|
||
- list_for_each_entry(aggr_p, &aggr_p_list, list)
|
||
- if (ntohs(tuple.s_port) >= aggr_p->port1 &&
|
||
- ntohs(tuple.s_port) <= aggr_p->port2) {
|
||
- tuple.s_port = htons(aggr_p->aggr_port);
|
||
- break;
|
||
- }
|
||
+ if (tuple.protocol == IPPROTO_TCP ||
|
||
+ tuple.protocol == IPPROTO_UDP ||
|
||
+ tuple.protocol == IPPROTO_SCTP ||
|
||
+ tuple.protocol == IPPROTO_UDPLITE) {
|
||
+ /* aggregate ports */
|
||
+ list_for_each_entry(aggr_p, &aggr_p_list, list)
|
||
+ if (unlikely(ntohs(tuple.s_port) >= aggr_p->port1 &&
|
||
+ ntohs(tuple.s_port) <= aggr_p->port2)) {
|
||
+ tuple.s_port = htons(aggr_p->aggr_port);
|
||
+ atomic_inc(&aggr_p->usage);
|
||
+ break;
|
||
+ }
|
||
|
||
- list_for_each_entry(aggr_p, &aggr_p_list, list)
|
||
- if (ntohs(tuple.d_port) >= aggr_p->port1 &&
|
||
- ntohs(tuple.d_port) <= aggr_p->port2) {
|
||
- tuple.d_port = htons(aggr_p->aggr_port);
|
||
- break;
|
||
- }
|
||
+ list_for_each_entry(aggr_p, &aggr_p_list, list)
|
||
+ if (unlikely(ntohs(tuple.d_port) >= aggr_p->port1 &&
|
||
+ ntohs(tuple.d_port) <= aggr_p->port2)) {
|
||
+ tuple.d_port = htons(aggr_p->aggr_port);
|
||
+ atomic_inc(&aggr_p->usage);
|
||
+ break;
|
||
+ }
|
||
+ }
|
||
read_unlock_bh(&aggr_lock);
|
||
|
||
hash = hash_netflow(&tuple);
|
||
- spin_lock_bh(&ipt_netflow_lock);
|
||
+ read_lock_bh(&htable_rwlock);
|
||
+ spin_lock(&htable_locks[hash & LOCK_COUNT_MASK]);
|
||
/* record */
|
||
nf = ipt_netflow_find(&tuple, hash);
|
||
- if (!nf) {
|
||
- if (maxflows > 0 && atomic_read(&ipt_netflow_count) >= maxflows) {
|
||
+ if (unlikely(!nf)) {
|
||
+ struct rtable *rt;
|
||
+
|
||
+ if (unlikely(maxflows > 0 && atomic_read(&ipt_netflow_count) >= maxflows)) {
|
||
/* This is DOS attack prevention */
|
||
NETFLOW_STAT_INC(maxflows_err);
|
||
NETFLOW_STAT_INC(pkt_drop);
|
||
- NETFLOW_STAT_ADD(traf_drop, ntohs(iph->tot_len));
|
||
- spin_unlock_bh(&ipt_netflow_lock);
|
||
- return IPT_CONTINUE;
|
||
+ NETFLOW_STAT_ADD(traf_drop, pkt_len);
|
||
+ goto unlock_return;
|
||
}
|
||
|
||
nf = init_netflow(&tuple, skb, hash);
|
||
- if (!nf || IS_ERR(nf)) {
|
||
+ if (unlikely(!nf || IS_ERR(nf))) {
|
||
NETFLOW_STAT_INC(alloc_err);
|
||
NETFLOW_STAT_INC(pkt_drop);
|
||
- NETFLOW_STAT_ADD(traf_drop, ntohs(iph->tot_len));
|
||
- spin_unlock_bh(&ipt_netflow_lock);
|
||
- return IPT_CONTINUE;
|
||
+ NETFLOW_STAT_ADD(traf_drop, pkt_len);
|
||
+ goto unlock_return;
|
||
}
|
||
|
||
nf->ts_first = jiffies;
|
||
@@ -1330,31 +2691,68 @@ static unsigned int netflow_target(
|
||
nf->s_mask = s_mask;
|
||
nf->d_mask = d_mask;
|
||
|
||
- if (debug > 2)
|
||
- printk(KERN_INFO "ipt_netflow: new (%u) %hd:%hd SRC=%u.%u.%u.%u:%u DST=%u.%u.%u.%u:%u\n",
|
||
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,26)
|
||
+ rt = (struct rtable *)skb->dst;
|
||
+#else /* since 2.6.26 */
|
||
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,31)
|
||
+ rt = skb->rtable;
|
||
+#else /* since 2.6.31 */
|
||
+ rt = skb_rtable(skb);
|
||
+#endif
|
||
+#endif
|
||
+ if (likely(family == AF_INET)) {
|
||
+ if (rt)
|
||
+ nf->nh.ip = rt->rt_gateway;
|
||
+ } else {
|
||
+ if (rt)
|
||
+ nf->nh.in6 = ((struct rt6_info *)rt)->rt6i_gateway;
|
||
+ nf->flow_label = (iph->ip6.flow_lbl[0] << 16) |
|
||
+ (iph->ip6.flow_lbl[1] << 8) | (iph->ip6.flow_lbl[2]);
|
||
+ }
|
||
+#if 0
|
||
+ if (unlikely(debug > 2))
|
||
+ printk(KERN_INFO "ipt_NETFLOW: new (%u) %hd:%hd SRC=%u.%u.%u.%u:%u DST=%u.%u.%u.%u:%u\n",
|
||
atomic_read(&ipt_netflow_count),
|
||
tuple.i_ifc, nf->o_ifc,
|
||
NIPQUAD(tuple.s_addr), ntohs(tuple.s_port),
|
||
NIPQUAD(tuple.d_addr), ntohs(tuple.d_port));
|
||
+#endif
|
||
} else {
|
||
/* ipt_netflow_list is sorted by access time:
|
||
* most recently accessed flows are at head, old flows remain at tail
|
||
* this function bubble up flow to the head */
|
||
+ spin_lock(&hlist_lock);
|
||
list_move(&nf->list, &ipt_netflow_list);
|
||
+ spin_unlock(&hlist_lock);
|
||
}
|
||
|
||
+#ifdef CONFIG_NF_CONNTRACK_MARK
|
||
+ {
|
||
+ struct nf_conn *ct;
|
||
+ enum ip_conntrack_info ctinfo;
|
||
+ ct = nf_ct_get(skb, &ctinfo);
|
||
+ if (ct)
|
||
+ nf->mark = ct->mark;
|
||
+ }
|
||
+#endif
|
||
+
|
||
nf->nr_packets++;
|
||
- nf->nr_bytes += ntohs(iph->tot_len);
|
||
+ nf->nr_bytes += pkt_len;
|
||
nf->ts_last = jiffies;
|
||
nf->tcp_flags |= tcp_flags;
|
||
+ nf->options |= options;
|
||
+ if (tuple.protocol == IPPROTO_TCP)
|
||
+ nf->tcpoptions |= tcpoptions;
|
||
|
||
NETFLOW_STAT_INC(pkt_total);
|
||
- NETFLOW_STAT_ADD(traf_total, ntohs(iph->tot_len));
|
||
+ NETFLOW_STAT_ADD(traf_total, pkt_len);
|
||
|
||
- if (active_needs_export(nf, active_timeout * HZ)) {
|
||
+ if (likely(active_needs_export(nf, active_timeout * HZ))) {
|
||
/* ok, if this active flow to be exported
|
||
* bubble it to the tail */
|
||
+ spin_lock(&hlist_lock);
|
||
list_move_tail(&nf->list, &ipt_netflow_list);
|
||
+ spin_unlock(&hlist_lock);
|
||
|
||
/* Blog: I thought about forcing timer to wake up sooner if we have
|
||
* enough exportable flows, but in fact this doesn't have much sense,
|
||
@@ -1363,35 +2761,194 @@ static unsigned int netflow_target(
|
||
* limited size). But yes, this is disputable. */
|
||
}
|
||
|
||
- spin_unlock_bh(&ipt_netflow_lock);
|
||
+unlock_return:
|
||
+ spin_unlock(&htable_locks[hash & LOCK_COUNT_MASK]);
|
||
+ read_unlock_bh(&htable_rwlock);
|
||
|
||
return IPT_CONTINUE;
|
||
}
|
||
|
||
-static struct ipt_target ipt_netflow_reg = {
|
||
- .name = "NETFLOW",
|
||
- .target = netflow_target,
|
||
- .family = AF_INET,
|
||
-#ifndef RAW_PROMISC_HACK
|
||
- .table = "filter",
|
||
-#ifndef NF_IP_LOCAL_IN /* 2.6.25 */
|
||
- .hooks = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD) |
|
||
- (1 << NF_INET_LOCAL_OUT),
|
||
-#else
|
||
- .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
|
||
- (1 << NF_IP_LOCAL_OUT),
|
||
-#endif /* NF_IP_LOCAL_IN */
|
||
+#ifdef CONFIG_NF_NAT_NEEDED
|
||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31)
|
||
+ /* Below 2.6.31 we don't need to handle callback chain manually. */
|
||
+
|
||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,2,0)
|
||
+#define NET_STRUCT struct net *net
|
||
+#define NET_ARG net,
|
||
+#define nf_conntrack_event_cb net->ct.nf_conntrack_event_cb
|
||
#else
|
||
- .table = "raw",
|
||
-#ifndef NF_IP_LOCAL_IN
|
||
- .hooks = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD) |
|
||
- (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_PRE_ROUTING),
|
||
+#define NET_STRUCT void
|
||
+#define NET_ARG
|
||
+#endif
|
||
+static int set_notifier_cb(NET_STRUCT)
|
||
+{
|
||
+ struct nf_ct_event_notifier *notifier;
|
||
+
|
||
+ notifier = rcu_dereference(nf_conntrack_event_cb);
|
||
+ if (notifier == NULL) {
|
||
+ /* Polite mode. */
|
||
+ nf_conntrack_register_notifier(NET_ARG &ctnl_notifier);
|
||
+ } else if (notifier != &ctnl_notifier) {
|
||
+ if (!saved_event_cb)
|
||
+ saved_event_cb = notifier;
|
||
+ else if (saved_event_cb != notifier)
|
||
+ printk(KERN_ERR "natevents_net_init: %p != %p (report error.)\n",
|
||
+ saved_event_cb, notifier);
|
||
+ rcu_assign_pointer(nf_conntrack_event_cb, &ctnl_notifier);
|
||
+ } else
|
||
+ printk(KERN_ERR "ipt_NETFLOW: natevents already enabled.\n");
|
||
+ return 0;
|
||
+}
|
||
+static void unset_notifier_cb(NET_STRUCT)
|
||
+{
|
||
+ struct nf_ct_event_notifier *notifier;
|
||
+
|
||
+ notifier = rcu_dereference(nf_conntrack_event_cb);
|
||
+ if (notifier == &ctnl_notifier) {
|
||
+ if (saved_event_cb == NULL)
|
||
+ nf_conntrack_unregister_notifier(NET_ARG &ctnl_notifier);
|
||
+ else
|
||
+ rcu_assign_pointer(nf_conntrack_event_cb, saved_event_cb);
|
||
+ } else
|
||
+ printk(KERN_ERR "ipt_NETFLOW: natevents already disabled.\n");
|
||
+}
|
||
+
|
||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,2,0)
|
||
+#undef nf_conntrack_event_cb
|
||
+static struct pernet_operations natevents_net_ops = {
|
||
+ .init = set_notifier_cb,
|
||
+ .exit = unset_notifier_cb
|
||
+};
|
||
+#endif
|
||
+#endif /* since 2.6.31 */
|
||
+
|
||
+static DEFINE_MUTEX(events_lock);
|
||
+/* Both functions may be called multiple times. */
|
||
+static void register_ct_events(void)
|
||
+{
|
||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31)
|
||
+#define NETLINK_M "nf_conntrack_netlink"
|
||
+ struct module *netlink_m;
|
||
+ static int referenced = 0;
|
||
+#endif
|
||
+
|
||
+ printk(KERN_INFO "ipt_NETFLOW: enable natevents.\n");
|
||
+ mutex_lock(&events_lock);
|
||
+
|
||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31)
|
||
+ /* Pre-load netlink module who will be first notifier
|
||
+ * user, and then hijack nf_conntrack_event_cb from it. */
|
||
+ if (
|
||
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3,2,0)
|
||
+ !rcu_dereference(nf_conntrack_event_cb) ||
|
||
+#endif
|
||
+ !(netlink_m = find_module(NETLINK_M))) {
|
||
+ printk("Loading " NETLINK_M "\n");
|
||
+ request_module(NETLINK_M);
|
||
+ }
|
||
+ /* Reference netlink module to prevent it's unsafe unload before us. */
|
||
+ if (!referenced && (netlink_m = find_module(NETLINK_M))) {
|
||
+ referenced++;
|
||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35)
|
||
+#define use_module ref_module
|
||
+#endif
|
||
+ use_module(THIS_MODULE, netlink_m);
|
||
+ }
|
||
+
|
||
+ /* Register ct events callback. */
|
||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,2,0)
|
||
+ register_pernet_subsys(&natevents_net_ops);
|
||
#else
|
||
- .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
|
||
- (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_PRE_ROUTING),
|
||
-#endif /* NF_IP_LOCAL_IN */
|
||
-#endif /* !RAW_PROMISC_HACK */
|
||
- .me = THIS_MODULE
|
||
+ set_notifier_cb();
|
||
+#endif
|
||
+#else /* below v2.6.31 */
|
||
+ if (!natevents && nf_conntrack_register_notifier(&ctnl_notifier) < 0)
|
||
+ printk(KERN_ERR "Can't register conntrack notifier, natevents disabled.\n");
|
||
+ else
|
||
+#endif
|
||
+ natevents = 1;
|
||
+ mutex_unlock(&events_lock);
|
||
+}
|
||
+
|
||
+static void unregister_ct_events(void)
|
||
+{
|
||
+ printk(KERN_INFO "ipt_NETFLOW: disable natevents.\n");
|
||
+ mutex_lock(&events_lock);
|
||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31)
|
||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,2,0)
|
||
+ unregister_pernet_subsys(&natevents_net_ops);
|
||
+#else /* < v3.2 */
|
||
+ unset_notifier_cb();
|
||
+#endif /* v3.2 */
|
||
+ rcu_assign_pointer(saved_event_cb, NULL);
|
||
+#else /* < v2.6.31 */
|
||
+ nf_conntrack_unregister_notifier(&ctnl_notifier);
|
||
+#endif
|
||
+ natevents = 0;
|
||
+ mutex_unlock(&events_lock);
|
||
+}
|
||
+#endif /* CONFIG_NF_NAT_NEEDED */
|
||
+
|
||
+#ifndef NF_IP_LOCAL_IN /* 2.6.25 */
|
||
+#define NF_IP_PRE_ROUTING NF_INET_PRE_ROUTING
|
||
+#define NF_IP_LOCAL_IN NF_INET_LOCAL_IN
|
||
+#define NF_IP_FORWARD NF_INET_FORWARD
|
||
+#define NF_IP_LOCAL_OUT NF_INET_LOCAL_OUT
|
||
+#define NF_IP_POST_ROUTING NF_INET_POST_ROUTING
|
||
+#endif
|
||
+
|
||
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
|
||
+/* net/netfilter/x_tables.c */
|
||
+static void xt_unregister_targets(struct xt_target *target, unsigned int n)
|
||
+{
|
||
+ unsigned int i;
|
||
+
|
||
+ for (i = 0; i < n; i++)
|
||
+ xt_unregister_target(&target[i]);
|
||
+}
|
||
+static int xt_register_targets(struct xt_target *target, unsigned int n)
|
||
+{
|
||
+ unsigned int i;
|
||
+
|
||
+ int err = 0;
|
||
+ for (i = 0; i < n; i++)
|
||
+ if ((err = xt_register_target(&target[i])))
|
||
+ goto err;
|
||
+ return err;
|
||
+err:
|
||
+ if (i > 0)
|
||
+ xt_unregister_targets(target, i);
|
||
+ return err;
|
||
+}
|
||
+#endif
|
||
+
|
||
+static struct ipt_target ipt_netflow_reg[] __read_mostly = {
|
||
+ {
|
||
+ .name = "NETFLOW",
|
||
+ .target = netflow_target,
|
||
+ .checkentry = netflow_target_check,
|
||
+ .family = AF_INET,
|
||
+ .hooks =
|
||
+ (1 << NF_IP_PRE_ROUTING) |
|
||
+ (1 << NF_IP_LOCAL_IN) |
|
||
+ (1 << NF_IP_FORWARD) |
|
||
+ (1 << NF_IP_LOCAL_OUT) |
|
||
+ (1 << NF_IP_POST_ROUTING),
|
||
+ .me = THIS_MODULE
|
||
+ },
|
||
+ {
|
||
+ .name = "NETFLOW",
|
||
+ .target = netflow_target,
|
||
+ .checkentry = netflow_target_check,
|
||
+ .family = AF_INET6,
|
||
+ .hooks =
|
||
+ (1 << NF_IP_PRE_ROUTING) |
|
||
+ (1 << NF_IP_LOCAL_IN) |
|
||
+ (1 << NF_IP_FORWARD) |
|
||
+ (1 << NF_IP_LOCAL_OUT) |
|
||
+ (1 << NF_IP_POST_ROUTING),
|
||
+ .me = THIS_MODULE
|
||
+ },
|
||
};
|
||
|
||
static int __init ipt_netflow_init(void)
|
||
@@ -1399,11 +2956,16 @@ static int __init ipt_netflow_init(void)
|
||
#ifdef CONFIG_PROC_FS
|
||
struct proc_dir_entry *proc_stat;
|
||
#endif
|
||
+ printk(KERN_INFO "ipt_NETFLOW version %s, srcversion %s\n",
|
||
+ IPT_NETFLOW_VERSION, THIS_MODULE->srcversion);
|
||
|
||
get_random_bytes(&ipt_netflow_hash_rnd, 4);
|
||
|
||
/* determine hash size (idea from nf_conntrack_core.c) */
|
||
if (!hashsize) {
|
||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,11,0)
|
||
+#define num_physpages totalram_pages
|
||
+#endif
|
||
hashsize = (((num_physpages << PAGE_SHIFT) / 16384)
|
||
/ sizeof(struct hlist_head));
|
||
if (num_physpages > (1024 * 1024 * 1024 / PAGE_SIZE))
|
||
@@ -1411,8 +2973,7 @@ static int __init ipt_netflow_init(void)
|
||
}
|
||
if (hashsize < 16)
|
||
hashsize = 16;
|
||
- printk(KERN_INFO "ipt_netflow version %s (%u buckets)\n",
|
||
- IPT_NETFLOW_VERSION, hashsize);
|
||
+ printk(KERN_INFO "ipt_NETFLOW: hashsize %u\n", hashsize);
|
||
|
||
ipt_netflow_hash_size = hashsize;
|
||
ipt_netflow_hash = alloc_hashtable(ipt_netflow_hash_size);
|
||
@@ -1434,12 +2995,18 @@ static int __init ipt_netflow_init(void)
|
||
}
|
||
|
||
#ifdef CONFIG_PROC_FS
|
||
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3,10,0)
|
||
proc_stat = create_proc_entry("ipt_netflow", S_IRUGO, INIT_NET(proc_net_stat));
|
||
+#else
|
||
+ proc_stat = proc_create("ipt_netflow", S_IRUGO, INIT_NET(proc_net_stat), &nf_seq_fops);
|
||
+#endif
|
||
if (!proc_stat) {
|
||
printk(KERN_ERR "Unable to create /proc/net/stat/ipt_netflow entry\n");
|
||
goto err_free_netflow_slab;
|
||
}
|
||
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3,10,0)
|
||
proc_stat->proc_fops = &nf_seq_fops;
|
||
+#endif
|
||
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,30)
|
||
proc_stat->owner = THIS_MODULE;
|
||
#endif
|
||
@@ -1480,21 +3047,28 @@ static int __init ipt_netflow_init(void)
|
||
}
|
||
add_aggregation(aggregation);
|
||
|
||
- __start_scan_worker();
|
||
+ netflow_switch_version(protocol);
|
||
+ _schedule_scan_worker(0);
|
||
setup_timer(&rate_timer, rate_timer_calc, 0);
|
||
mod_timer(&rate_timer, jiffies + (HZ * SAMPLERATE));
|
||
|
||
- if (xt_register_target(&ipt_netflow_reg))
|
||
+ peakflows_at = jiffies;
|
||
+ if (xt_register_targets(ipt_netflow_reg, ARRAY_SIZE(ipt_netflow_reg)))
|
||
goto err_stop_timer;
|
||
|
||
- peakflows_at = jiffies;
|
||
+#ifdef CONFIG_NF_NAT_NEEDED
|
||
+ if (natevents)
|
||
+ register_ct_events();
|
||
+#endif
|
||
|
||
- printk(KERN_INFO "ipt_netflow loaded.\n");
|
||
+ printk(KERN_INFO "ipt_NETFLOW is loaded.\n");
|
||
return 0;
|
||
|
||
err_stop_timer:
|
||
- __stop_scan_worker();
|
||
+ _unschedule_scan_worker();
|
||
+ netflow_scan_and_export(AND_FLUSH);
|
||
del_timer_sync(&rate_timer);
|
||
+ free_templates();
|
||
destination_removeall();
|
||
aggregation_remove(&aggr_n_list);
|
||
aggregation_remove(&aggr_p_list);
|
||
@@ -1506,17 +3080,18 @@ err_free_proc_stat:
|
||
#ifdef CONFIG_PROC_FS
|
||
remove_proc_entry("ipt_netflow", INIT_NET(proc_net_stat));
|
||
err_free_netflow_slab:
|
||
-#endif
|
||
+#endif
|
||
kmem_cache_destroy(ipt_netflow_cachep);
|
||
err_free_hash:
|
||
vfree(ipt_netflow_hash);
|
||
err:
|
||
+ printk(KERN_INFO "ipt_NETFLOW is not loaded.\n");
|
||
return -ENOMEM;
|
||
}
|
||
|
||
static void __exit ipt_netflow_fini(void)
|
||
{
|
||
- printk(KERN_INFO "ipt_netflow unloading..\n");
|
||
+ printk(KERN_INFO "ipt_NETFLOW unloading..\n");
|
||
|
||
#ifdef CONFIG_SYSCTL
|
||
unregister_sysctl_table(netflow_sysctl_header);
|
||
@@ -1524,14 +3099,18 @@ static void __exit ipt_netflow_fini(void)
|
||
#ifdef CONFIG_PROC_FS
|
||
remove_proc_entry("ipt_netflow", INIT_NET(proc_net_stat));
|
||
#endif
|
||
-
|
||
- xt_unregister_target(&ipt_netflow_reg);
|
||
- __stop_scan_worker();
|
||
- netflow_scan_and_export(1);
|
||
+ xt_unregister_targets(ipt_netflow_reg, ARRAY_SIZE(ipt_netflow_reg));
|
||
+#ifdef CONFIG_NF_NAT_NEEDED
|
||
+ if (natevents)
|
||
+ unregister_ct_events();
|
||
+#endif
|
||
+ _unschedule_scan_worker();
|
||
+ netflow_scan_and_export(AND_FLUSH);
|
||
del_timer_sync(&rate_timer);
|
||
|
||
synchronize_sched();
|
||
|
||
+ free_templates();
|
||
destination_removeall();
|
||
aggregation_remove(&aggr_n_list);
|
||
aggregation_remove(&aggr_p_list);
|
||
@@ -1539,7 +3118,7 @@ static void __exit ipt_netflow_fini(void)
|
||
kmem_cache_destroy(ipt_netflow_cachep);
|
||
vfree(ipt_netflow_hash);
|
||
|
||
- printk(KERN_INFO "ipt_netflow unloaded.\n");
|
||
+ printk(KERN_INFO "ipt_NETFLOW unloaded.\n");
|
||
}
|
||
|
||
module_init(ipt_netflow_init);
|
||
diff --git a/ipt_NETFLOW.h b/ipt_NETFLOW.h
|
||
index 4a7b645..749f985 100644
|
||
--- a/ipt_NETFLOW.h
|
||
+++ b/ipt_NETFLOW.h
|
||
@@ -35,8 +35,8 @@ struct netflow5_record {
|
||
__be16 o_ifc;
|
||
__be32 nr_packets;
|
||
__be32 nr_octets;
|
||
- __be32 ts_first;
|
||
- __be32 ts_last;
|
||
+ __be32 first_ms;
|
||
+ __be32 last_ms;
|
||
__be16 s_port;
|
||
__be16 d_port;
|
||
__u8 reserved;
|
||
@@ -54,9 +54,9 @@ struct netflow5_record {
|
||
struct netflow5_pdu {
|
||
__be16 version;
|
||
__be16 nr_records;
|
||
- __be32 ts_uptime;
|
||
- __be32 ts_usecs;
|
||
- __be32 ts_unsecs;
|
||
+ __be32 ts_uptime; /* ms */
|
||
+ __be32 ts_usecs; /* s */
|
||
+ __be32 ts_unsecs; /* ns */
|
||
__be32 seq;
|
||
__u8 eng_type;
|
||
__u8 eng_id;
|
||
@@ -65,42 +65,185 @@ struct netflow5_pdu {
|
||
} __attribute__ ((packed));
|
||
#define NETFLOW5_HEADER_SIZE (sizeof(struct netflow5_pdu) - NETFLOW5_RECORDS_MAX * sizeof(struct netflow5_record))
|
||
|
||
+/* NetFlow v9 RFC http://www.ietf.org/rfc/rfc3954.txt */
|
||
+enum {
|
||
+ IN_BYTES = 1,
|
||
+ IN_PKTS = 2,
|
||
+ PROTOCOL = 4,
|
||
+ TOS = 5,
|
||
+ TCP_FLAGS = 6,
|
||
+ L4_SRC_PORT = 7,
|
||
+ IPV4_SRC_ADDR = 8,
|
||
+ SRC_MASK = 9,
|
||
+ INPUT_SNMP = 10,
|
||
+ L4_DST_PORT = 11,
|
||
+ IPV4_DST_ADDR = 12,
|
||
+ DST_MASK = 13,
|
||
+ OUTPUT_SNMP = 14,
|
||
+ IPV4_NEXT_HOP = 15,
|
||
+ //SRC_AS = 16,
|
||
+ //DST_AS = 17,
|
||
+ //BGP_IPV4_NEXT_HOP = 18,
|
||
+ //MUL_DST_PKTS = 19,
|
||
+ //MUL_DST_BYTES = 20,
|
||
+ LAST_SWITCHED = 21,
|
||
+ FIRST_SWITCHED = 22,
|
||
+ IPV6_SRC_ADDR = 27,
|
||
+ IPV6_DST_ADDR = 28,
|
||
+ IPV6_FLOW_LABEL = 31,
|
||
+ ICMP_TYPE = 32,
|
||
+ MUL_IGMP_TYPE = 33,
|
||
+ //TOTAL_BYTES_EXP = 40,
|
||
+ //TOTAL_PKTS_EXP = 41,
|
||
+ //TOTAL_FLOWS_EXP = 42,
|
||
+ IPV6_NEXT_HOP = 62,
|
||
+ IPV6_OPTION_HEADERS = 64,
|
||
+ commonPropertiesId = 137, /* for MARK */
|
||
+ ipv4Options = 208,
|
||
+ tcpOptions = 209,
|
||
+ postNATSourceIPv4Address = 225,
|
||
+ postNATDestinationIPv4Address = 226,
|
||
+ postNAPTSourceTransportPort = 227,
|
||
+ postNAPTDestinationTransportPort = 228,
|
||
+ natEvent = 230,
|
||
+ postNATSourceIPv6Address = 281,
|
||
+ postNATDestinationIPv6Address = 282,
|
||
+ IPSecSPI = 295,
|
||
+ observationTimeMilliseconds = 323,
|
||
+ observationTimeMicroseconds = 324,
|
||
+ observationTimeNanoseconds = 325,
|
||
+};
|
||
+
|
||
+enum {
|
||
+ FLOWSET_TEMPLATE = 0,
|
||
+ FLOWSET_OPTIONS = 1,
|
||
+ IPFIX_TEMPLATE = 2,
|
||
+ IPFIX_OPTIONS = 3,
|
||
+ FLOWSET_DATA_FIRST = 256,
|
||
+};
|
||
+
|
||
+struct flowset_template {
|
||
+ __be16 flowset_id;
|
||
+ __be16 length;
|
||
+ __be16 template_id;
|
||
+ __be16 field_count;
|
||
+} __attribute__ ((packed));
|
||
+
|
||
+struct flowset_data {
|
||
+ __be16 flowset_id;
|
||
+ __be16 length;
|
||
+} __attribute__ ((packed));
|
||
+
|
||
+/* NetFlow v9 packet. */
|
||
+struct netflow9_pdu {
|
||
+ __be16 version;
|
||
+ __be16 nr_records;
|
||
+ __be32 sys_uptime_ms;
|
||
+ __be32 export_time_s;
|
||
+ __be32 seq;
|
||
+ __be32 source_id; /* Exporter Observation Domain */
|
||
+ __u8 data[1400];
|
||
+} __attribute__ ((packed));
|
||
+
|
||
+/* IPFIX packet. */
|
||
+struct ipfix_pdu {
|
||
+ __be16 version;
|
||
+ __be16 length;
|
||
+ __be32 export_time_s;
|
||
+ __be32 seq;
|
||
+ __be32 odomain_id; /* Observation Domain ID */
|
||
+ __u8 data[1400];
|
||
+} __attribute__ ((packed));
|
||
+
|
||
+/* Maximum bytes flow can have, after it's reached flow will become
|
||
+ * not searchable and will be exported soon. */
|
||
+#define FLOW_FULL_WATERMARK 0xffefffff
|
||
+
|
||
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,25)
|
||
+union nf_inet_addr {
|
||
+ __be32 ip;
|
||
+ __be32 ip6[4];
|
||
+ struct in_addr in;
|
||
+ struct in6_addr in6;
|
||
+};
|
||
+#endif
|
||
+
|
||
/* hashed data which identify unique flow */
|
||
+/* 16+16 + 2+2 + 2+1+1+1 = 41 */
|
||
struct ipt_netflow_tuple {
|
||
- __be32 s_addr; // Network byte order
|
||
- __be32 d_addr; // -"-
|
||
- __be16 s_port; // -"-
|
||
+ union nf_inet_addr src;
|
||
+ union nf_inet_addr dst;
|
||
+ __be16 s_port; // Network byte order
|
||
__be16 d_port; // -"-
|
||
- __be16 i_ifc; // Local byte order
|
||
+ __u16 i_ifc; // Host byte order
|
||
__u8 protocol;
|
||
__u8 tos;
|
||
+ __u8 l3proto;
|
||
};
|
||
-/* tuple size is rounded to u32s */
|
||
-#define NETFLOW_TUPLE_SIZE (sizeof(struct ipt_netflow_tuple) / 4)
|
||
-
|
||
-/* maximum bytes flow can have, after it reached flow become not searchable and will be exported soon */
|
||
-#define FLOW_FULL_WATERMARK 0xffefffff
|
||
|
||
-/* flow entry */
|
||
+/* hlist[2] + tuple[]: 8+8 + 41 = 57 (less than usual cache line, 64) */
|
||
struct ipt_netflow {
|
||
struct hlist_node hlist; // hashtable search chain
|
||
- struct list_head list; // all flows chain
|
||
|
||
/* unique per flow data (hashed, NETFLOW_TUPLE_SIZE) */
|
||
struct ipt_netflow_tuple tuple;
|
||
|
||
/* volatile data */
|
||
- __be16 o_ifc;
|
||
+ union nf_inet_addr nh;
|
||
+ __u16 o_ifc;
|
||
__u8 s_mask;
|
||
__u8 d_mask;
|
||
+ __u8 tcp_flags; /* `OR' of all tcp flags */
|
||
|
||
/* flow statistics */
|
||
u_int32_t nr_packets;
|
||
u_int32_t nr_bytes;
|
||
- unsigned long ts_first;
|
||
- unsigned long ts_last;
|
||
- __u8 tcp_flags; /* `OR' of all tcp flags */
|
||
+ union {
|
||
+ struct {
|
||
+ unsigned long first;
|
||
+ unsigned long last;
|
||
+ } ts;
|
||
+ ktime_t ts_obs;
|
||
+ } _ts_un;
|
||
+#define ts_first _ts_un.ts.first
|
||
+#define ts_last _ts_un.ts.last
|
||
+#define ts_obs _ts_un.ts_obs
|
||
+ u_int32_t flow_label; /* IPv6 */
|
||
+ u_int32_t options; /* IPv4(16) & IPv6(32) Options */
|
||
+ u_int32_t tcpoptions;
|
||
+#ifdef CONFIG_NF_CONNTRACK_MARK
|
||
+ u_int32_t mark; /* Exported as commonPropertiesId */
|
||
+#endif
|
||
+#ifdef CONFIG_NF_NAT_NEEDED
|
||
+ __be32 s_as;
|
||
+ __be32 d_as;
|
||
+ struct nat_event *nat;
|
||
+#endif
|
||
+ struct list_head list; // all flows chain
|
||
+ spinlock_t *lock;
|
||
+};
|
||
+
|
||
+#ifdef CONFIG_NF_NAT_NEEDED
|
||
+enum {
|
||
+ NAT_CREATE, NAT_DESTROY, NAT_POOLEXHAUSTED
|
||
};
|
||
+struct nat_event {
|
||
+ struct list_head list;
|
||
+ struct {
|
||
+ __be32 s_addr;
|
||
+ __be32 d_addr;
|
||
+ __be16 s_port;
|
||
+ __be16 d_port;
|
||
+ } pre, post;
|
||
+ ktime_t ts_ktime;
|
||
+ unsigned long ts_jiffies;
|
||
+ __u8 protocol;
|
||
+ __u8 nat_event;
|
||
+};
|
||
+#define IS_DUMMY_FLOW(nf) (nf->nat)
|
||
+#else
|
||
+#define IS_DUMMY_FLOW(nf) 0
|
||
+#endif
|
||
|
||
static inline int ipt_netflow_tuple_equal(const struct ipt_netflow_tuple *t1,
|
||
const struct ipt_netflow_tuple *t2)
|
||
@@ -115,11 +258,13 @@ struct ipt_netflow_sock {
|
||
unsigned short port;
|
||
atomic_t wmem_peak; // sk_wmem_alloc peak value
|
||
atomic_t err_full; // socket filled error
|
||
+ atomic_t err_connect; // connect errors
|
||
atomic_t err_other; // other socket errors
|
||
};
|
||
|
||
struct netflow_aggr_n {
|
||
struct list_head list;
|
||
+ atomic_t usage;
|
||
__u32 mask;
|
||
__u32 addr;
|
||
__u32 aggr_mask;
|
||
@@ -128,6 +273,7 @@ struct netflow_aggr_n {
|
||
|
||
struct netflow_aggr_p {
|
||
struct list_head list;
|
||
+ atomic_t usage;
|
||
__u16 port1;
|
||
__u16 port2;
|
||
__u16 aggr_port;
|
||
diff --git a/libipt_NETFLOW.c b/libipt_NETFLOW.c
|
||
index d85b6d9..a0f9e5d 100644
|
||
--- a/libipt_NETFLOW.c
|
||
+++ b/libipt_NETFLOW.c
|
||
@@ -58,24 +58,24 @@
|
||
#define _IPT_IP struct ipt_ip
|
||
#endif
|
||
|
||
+#ifndef IPTABLES_VERSION
|
||
+#define IPTABLES_VERSION XTABLES_VERSION
|
||
+#endif
|
||
+
|
||
static struct option opts[] = {
|
||
- {0}
|
||
+ { 0 }
|
||
};
|
||
|
||
static void help(void)
|
||
{
|
||
- printf( "NETFLOW target\n");
|
||
+ printf("NETFLOW target\n");
|
||
}
|
||
|
||
-//static int parse(int c, char **argv, int invert, unsigned int *flags,
|
||
-// const _IPT_ENTRY *entry,
|
||
-// struct ipt_entry_target **target)
|
||
static int parse(int c, char **argv, int invert, unsigned int *flags,
|
||
const _IPT_ENTRY *entry,
|
||
struct ipt_entry_target **targetinfo)
|
||
|
||
{
|
||
-
|
||
return 1;
|
||
}
|
||
|
||
@@ -95,16 +95,9 @@ static void print(const _IPT_IP *ip,
|
||
}
|
||
|
||
static struct iptables_target netflow = {
|
||
-#ifdef MOD140
|
||
- .family = AF_INET,
|
||
-#endif
|
||
.next = NULL,
|
||
.name = "NETFLOW",
|
||
-#ifdef XTABLES_VERSION
|
||
- .version = XTABLES_VERSION,
|
||
-#else
|
||
.version = IPTABLES_VERSION,
|
||
-#endif
|
||
.size = IPT_ALIGN(0),
|
||
.userspacesize = IPT_ALIGN(0),
|
||
.help = &help,
|
||
diff --git a/murmur3.h b/murmur3.h
|
||
new file mode 100644
|
||
index 0000000..57a6006
|
||
--- /dev/null
|
||
+++ b/murmur3.h
|
||
@@ -0,0 +1,42 @@
|
||
+/* MurmurHash3, based on https://code.google.com/p/smhasher of Austin Appleby. */
|
||
+
|
||
+static __always_inline uint32_t rotl32(const uint32_t x, const int8_t r)
|
||
+{
|
||
+ return (x << r) | (x >> (32 - r));
|
||
+}
|
||
+
|
||
+static __always_inline uint32_t fmix32(register uint32_t h)
|
||
+{
|
||
+ h ^= h >> 16;
|
||
+ h *= 0x85ebca6b;
|
||
+ h ^= h >> 13;
|
||
+ h *= 0xc2b2ae35;
|
||
+ h ^= h >> 16;
|
||
+ return h;
|
||
+}
|
||
+
|
||
+static inline uint32_t murmur3(const void *key, const uint32_t len, const uint32_t seed)
|
||
+{
|
||
+ const uint32_t c1 = 0xcc9e2d51;
|
||
+ const uint32_t c2 = 0x1b873593;
|
||
+ const uint32_t *blocks;
|
||
+ const uint8_t *tail;
|
||
+ register uint32_t h1 = seed;
|
||
+ uint32_t k1 = 0;
|
||
+ uint32_t i;
|
||
+
|
||
+ blocks = (const uint32_t *)key;
|
||
+ for (i = len / 4; i; --i) {
|
||
+ h1 ^= rotl32(*blocks++ * c1, 15) * c2;
|
||
+ h1 = rotl32(h1, 13) * 5 + 0xe6546b64;
|
||
+ }
|
||
+ tail = (const uint8_t*)blocks;
|
||
+ switch (len & 3) {
|
||
+ case 3: k1 ^= tail[2] << 16;
|
||
+ case 2: k1 ^= tail[1] << 8;
|
||
+ case 1: k1 ^= tail[0];
|
||
+ h1 ^= rotl32(k1 * c1, 15) * c2;
|
||
+ }
|
||
+ return fmix32(h1^ len);
|
||
+}
|
||
+
|
||
diff --git a/raw_promisc_debian_squeeze6.patch b/raw_promisc_debian_squeeze6.patch
|
||
new file mode 100644
|
||
index 0000000..69d0d35
|
||
--- /dev/null
|
||
+++ b/raw_promisc_debian_squeeze6.patch
|
||
@@ -0,0 +1,37 @@
|
||
+
|
||
+ Short manual and patch for Debian Squeeze
|
||
+ suggested by Pavel Odintsov:
|
||
+
|
||
+On Thu, Dec 27, 2012 at 07:46:30PM +0400, Pavel Odintsov wrote:
|
||
+>
|
||
+> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Debian Squeeze <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> promisc.
|
||
+>
|
||
+> cd /usr/src
|
||
+> apt-get install -y dpkg-dev
|
||
+> apt-get build-dep linux-image-2.6.32-5-amd64
|
||
+> cd linux-2.6-2.6.32/
|
||
+> apt-get source linux-image-2.6.32-5-amd64
|
||
+>
|
||
+> wget .... /root/raw_promisc_debian_squeeze6.patch
|
||
+> patch -p1 < raw_promisc_debian_squeeze6.patch
|
||
+> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
|
||
+> debian/rules source
|
||
+>
|
||
+> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
|
||
+> debian/rules binary
|
||
+>
|
||
+
|
||
+diff -rupN linux-2.6-2.6.32/net/ipv4/ip_input.c linux-2.6-2.6.32_promisc_raw//net/ipv4/ip_input.c
|
||
+--- linux-2.6-2.6.32/net/ipv4/ip_input.c 2009-12-03 04:51:21.000000000 +0100
|
||
++++ linux-2.6-2.6.32_promisc_raw//net/ipv4/ip_input.c 2012-06-25 19:13:49.000000000 +0200
|
||
+@@ -383,8 +383,8 @@ int ip_rcv(struct sk_buff *skb, struct n
|
||
+ /* When the interface is in promisc. mode, drop all the crap
|
||
+ * that it receives, do not try to analyse it.
|
||
+ */
|
||
+- if (skb->pkt_type == PACKET_OTHERHOST)
|
||
+- goto drop;
|
||
++ //if (skb->pkt_type == PACKET_OTHERHOST)
|
||
++ // goto drop;
|
||
+
|
||
+
|
||
+ IP_UPD_PO_STATS_BH(dev_net(dev), IPSTATS_MIB_IN, skb->len);
|