Re: pfflowd, new pfsync format

2008-07-26 Thread Stuart Henderson
On 2008/07/26 01:57, Sean Malloy wrote:
> When I try starting pfflowd it complains about an unsupported pfsync
> version. For example ...
> 
> $ sudo pfflowd -Dn 127.0.0.1:12345
> Password:
> pfflowd[12161]: pfflowd listening on pfsync0
> pfflowd[12161]: Unsupported pfsync version 4, exiting

see Can's email; sorry, I forgot to include the pfflowd.h diff
when I prepared it (it's the same change as in my earlier diff).

> I also noticed that the syslog messages report the wrong time when run
> without the -D option. The clock seems to jump ahead five hours when only 
> run with the -n option. For example ...

pfflowd runs in a chroot inside /var/empty, but you don't have
/var/empty/etc/localtime, so it defaults to GMT.



Re: pfflowd, new pfsync format

2008-07-25 Thread Sean Malloy
On Fri, Jul 25, 2008 at 03:13:01PM +0100, Stuart Henderson wrote:
> On 2008/07/25 09:55, Stuart Henderson wrote:
> > On 2008/07/24 23:05, Sean Malloy wrote:
> > > Tested on i386 July 16th snapshot. Seems to work fine. 
> > 
> > thanks Sean!
> 
> can I ask you to try this instead please?
> thanks very much!
> 
> ? pfflowd.diff.canacar
> cvs server: Diffing .
> Index: Makefile
> ===
> RCS file: /cvs/ports/net/pfflowd/Makefile,v
> retrieving revision 1.8
> diff -u -p -r1.8 Makefile
> --- Makefile  28 Jun 2008 08:30:00 -  1.8
> +++ Makefile  25 Jul 2008 14:12:07 -
> @@ -1,7 +1,5 @@
>  # $OpenBSD: Makefile,v 1.8 2008/06/28 08:30:00 ajacoutot Exp $
>  
> -BROKEN=  needs to cope with recent network changes
> -
>  COMMENT= PF to NetFlow converter
>  
>  DISTNAME=pfflowd-0.7
> cvs server: Diffing patches
> Index: patches/patch-pfflowd_c
> ===
> RCS file: patches/patch-pfflowd_c
> diff -N patches/patch-pfflowd_c
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ patches/patch-pfflowd_c   25 Jul 2008 14:12:07 -
> @@ -0,0 +1,182 @@
> +$OpenBSD$
> +--- pfflowd.c.orig   Fri Jun 13 02:40:21 2008
>  pfflowd.cFri Jun 13 02:56:30 2008
> +@@ -210,14 +210,14 @@ connsock(struct sockaddr *addr, socklen_t len)
> + }
> + 
> + static void 
> +-format_pf_host(char *buf, size_t n, struct pf_state_host *h, sa_family_t af)
> ++format_pf_addr(char *buf, size_t n, const struct pf_addr *h, sa_family_t af)
> + {
> + const char *err = NULL;
> + 
> + switch (af) {
> + case AF_INET:
> + case AF_INET6:
> +-if (inet_ntop(af, &h->addr, buf, n) == NULL)
> ++if (inet_ntop(af, h, buf, n) == NULL)
> + err = strerror(errno);
> + break;
> + default:
> +@@ -253,7 +253,8 @@ send_netflow_v1(const struct pfsync_state *st, u_int n
> + 
> + hdr = (struct NF1_HEADER *)packet;
> + for(num_packets = offset = j = i = 0; i < n; i++) {
> +-struct pf_state_host src, dst;
> ++const struct pf_addr *src, *dst;
> ++u_int16_t src_port, dst_port;
> + u_int32_t bytes_in, bytes_out;
> + u_int32_t packets_in, packets_out;
> + char src_s[64], dst_s[64], rt_s[64], pbuf[16], creation_s[64];
> +@@ -300,19 +301,23 @@ send_netflow_v1(const struct pfsync_state *st, u_int n
> + creation = uptime_ms; /* Avoid u_int wrap */
> + 
> + if (st[i].direction == PF_OUT) {
> +-memcpy(&src, &st[i].lan, sizeof(src));
> +-memcpy(&dst, &st[i].ext, sizeof(dst));
> ++src = &st[i].key[PF_SK_WIRE].addr[1];
> ++dst = &st[i].key[PF_SK_WIRE].addr[0];
> ++src_port = st[i].key[PF_SK_WIRE].port[1];
> ++dst_port = st[i].key[PF_SK_WIRE].port[0];
> + } else {
> +-memcpy(&src, &st[i].ext, sizeof(src));
> +-memcpy(&dst, &st[i].lan, sizeof(dst));
> ++src = &st[i].key[PF_SK_STACK].addr[0];
> ++dst = &st[i].key[PF_SK_STACK].addr[1];
> ++src_port = st[i].key[PF_SK_STACK].port[0];
> ++dst_port = st[i].key[PF_SK_STACK].port[1];
> + }
> + 
> + flw = (struct NF1_FLOW *)(packet + offset);
> + if (netflow_socket != -1 && st[i].packets[0][0] != 0) {
> +-flw->src_ip = src.addr.v4.s_addr;
> +-flw->dest_ip = dst.addr.v4.s_addr;
> +-flw->src_port = src.port;
> +-flw->dest_port = dst.port;
> ++flw->src_ip = src->v4.s_addr;
> ++flw->dest_ip = dst->v4.s_addr;
> ++flw->src_port = src_port;
> ++flw->dest_port = dst_port;
> + flw->flow_packets = st[i].packets[0][0];
> + flw->flow_octets = st[i].bytes[0][0];
> + flw->flow_start = htonl(uptime_ms - creation);
> +@@ -325,10 +330,10 @@ send_netflow_v1(const struct pfsync_state *st, u_int n
> + }
> + flw = (struct NF1_FLOW *)(packet + offset);
> + if (netflow_socket != -1 && st[i].packets[1][0] != 0) {
> +-flw->src_ip = dst.addr.v4.s_addr;
> +-flw->dest_ip = src.addr.v4.s_addr;
> +-flw->src_port = dst.port;
> +-flw->dest_port = src.port;
> ++flw->src_ip = dst->v4.s_addr;
> ++flw->dest_ip = src->v4.s_addr;
> ++flw->src_port = dst_port;
> ++flw->dest_port = src_port;
> + flw->flow_packets = st[i].packets[1][0];
> + flw->flow_octets = st[i].bytes[1][0];
> + flw->flow_start = htonl(up

Re: pfflowd, new pfsync format

2008-07-24 Thread Sean Malloy
On Wed, Jul 23, 2008 at 08:27:01PM +0100, Stuart Henderson wrote:
> On 2008/07/17 17:59, Jason Dixon wrote:
> > On Wed, Jul 16, 2008 at 04:02:59PM +0100, Stuart Henderson wrote:
> > > I'll be fairly surprised if this is actually correct, but at least
> > > it builds and appears to display the right addresses and port numbers.
> > > 
> > > "mkdir patches" before applying..
> > 
> > Works fine from my limited tests.  A single capture from pfflowd ->
> > flowd -> Net::Flowd...
> 
> Thanks Jason, anyone else want to see this stay working in 4.4?
> 
> http://marc.info/?m=121622628908314&q=raw

Tested on i386 July 16th snapshot. Seems to work fine. 

-- 
Sean Malloy
www.spmalloy.com
GPG KeyID: 0x13EEB747
GPG Fingerprint: D059 5076 ABB3 1E08 9965 1958 F820 CE83 13EE B747



Re: pfflowd, new pfsync format

2008-07-23 Thread Stuart Henderson
On 2008/07/17 17:59, Jason Dixon wrote:
> On Wed, Jul 16, 2008 at 04:02:59PM +0100, Stuart Henderson wrote:
> > I'll be fairly surprised if this is actually correct, but at least
> > it builds and appears to display the right addresses and port numbers.
> > 
> > "mkdir patches" before applying..
> 
> Works fine from my limited tests.  A single capture from pfflowd ->
> flowd -> Net::Flowd...

Thanks Jason, anyone else want to see this stay working in 4.4?

http://marc.info/?m=121622628908314&q=raw



Re: pfflowd, new pfsync format

2008-07-17 Thread Jason Dixon
On Wed, Jul 16, 2008 at 04:02:59PM +0100, Stuart Henderson wrote:
> I'll be fairly surprised if this is actually correct, but at least
> it builds and appears to display the right addresses and port numbers.
> 
> "mkdir patches" before applying..

Works fine from my limited tests.  A single capture from pfflowd ->
flowd -> Net::Flowd...

$VAR1 = {
  'protocol' => 17,
  'dst_addr_af' => 2,
  'flow_ver' => 96,
  'time_sec' => 1216331674,
  'dst_addr' => '10.80.117.2',
  'if_index_out' => 0,
  'gateway_addr_af' => 2,
  'src_as' => 0,
  'gateway_addr' => '0.0.0.0',
  'recv_usec' => 320051,
  'agent_addr_af' => 2,
  'flow_packets' => 1,
  'agent_addr' => '127.0.0.1',
  'tcp_flags' => 0,
  'src_addr' => '10.80.116.137',
  'source_id' => 0,
  'netflow_version' => 5,
  'flow_sequence' => 156,
  'engine_id' => 0,
  'dst_port' => 53,
  'flow_start' => 550717,
  'flow_octets' => 116,
  'src_addr_af' => 2,
  'dst_as' => 0,
  'time_nanosec' => 319992000,
  'tos' => 0,
  'if_index_in' => 0,
  'dst_mask' => 0,
  'sys_uptime_ms' => 582717,
  'src_port' => 44361,
  'crc' => 2427304551,
  'src_mask' => 0,
  'recv_sec' => 1216331674,
  'fields' => 1074264750,
  'flow_finish' => 582717,
  'engine_type' => 0
};



pfflowd, new pfsync format

2008-07-16 Thread Stuart Henderson
I'll be fairly surprised if this is actually correct, but at least
it builds and appears to display the right addresses and port numbers.

"mkdir patches" before applying..

Index: Makefile
===
RCS file: /cvs/ports/net/pfflowd/Makefile,v
retrieving revision 1.7
diff -u -p -r1.7 Makefile
--- Makefile15 Sep 2007 22:36:58 -  1.7
+++ Makefile16 Jul 2008 14:58:24 -
@@ -3,6 +3,7 @@
 COMMENT=   PF to NetFlow converter
 
 DISTNAME=  pfflowd-0.7
+PKGNAME=   ${DISTNAME}p0
 CATEGORIES=net
 MASTER_SITES=  http://www.mindrot.org/files/pfflowd/
 
Index: patches/patch-pfflowd_c
===
RCS file: patches/patch-pfflowd_c
diff -N patches/patch-pfflowd_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-pfflowd_c 16 Jul 2008 14:59:04 -
@@ -0,0 +1,43 @@
+$OpenBSD$
+--- pfflowd.c.orig Wed Jun  7 11:58:37 2006
 pfflowd.c  Wed Jul 16 15:46:15 2008
+@@ -300,11 +300,15 @@ send_netflow_v1(const struct pfsync_state *st, u_int n
+   creation = uptime_ms; /* Avoid u_int wrap */
+ 
+   if (st[i].direction == PF_OUT) {
+-  memcpy(&src, &st[i].lan, sizeof(src));
+-  memcpy(&dst, &st[i].ext, sizeof(dst));
++  memcpy(&src, &st[i].key[0].addr[0], sizeof(src));
++  memcpy(&src.port, &st[i].key[0].port[0], 
sizeof(src.port));
++  memcpy(&dst, &st[i].key[0].addr[1], sizeof(dst));
++  memcpy(&dst.port, &st[i].key[0].port[1], 
sizeof(dst.port));
+   } else {
+-  memcpy(&src, &st[i].ext, sizeof(src));
+-  memcpy(&dst, &st[i].lan, sizeof(dst));
++  memcpy(&src, &st[i].key[0].addr[1], sizeof(src));
++  memcpy(&src.port, &st[i].key[0].port[1], 
sizeof(src.port));
++  memcpy(&dst, &st[i].key[0].addr[0], sizeof(dst));
++  memcpy(&dst.port, &st[i].key[0].port[0], 
sizeof(dst.port));
+   }
+ 
+   flw = (struct NF1_FLOW *)(packet + offset);
+@@ -473,11 +477,15 @@ send_netflow_v5(const struct pfsync_state *st, u_int n
+   creation = uptime_ms; /* Avoid u_int wrap */
+ 
+   if (st[i].direction == PF_OUT) {
+-  memcpy(&src, &st[i].lan, sizeof(src));
+-  memcpy(&dst, &st[i].ext, sizeof(dst));
++  memcpy(&src.addr, &st[i].key[0].addr[0], 
sizeof(src.addr));
++  memcpy(&src.port, &st[i].key[0].port[0], 
sizeof(src.port));
++  memcpy(&dst.addr, &st[i].key[0].addr[1], 
sizeof(dst.addr));
++  memcpy(&dst.port, &st[i].key[0].port[1], 
sizeof(dst.port));
+   } else {
+-  memcpy(&src, &st[i].ext, sizeof(src));
+-  memcpy(&dst, &st[i].lan, sizeof(dst));
++  memcpy(&src.addr, &st[i].key[0].addr[1], 
sizeof(src.addr));
++  memcpy(&src.port, &st[i].key[0].port[1], 
sizeof(src.port));
++  memcpy(&dst.addr, &st[i].key[0].addr[0], 
sizeof(dst.addr));
++  memcpy(&dst.port, &st[i].key[0].port[0], 
sizeof(dst.port));
+   }
+ 
+   flw = (struct NF5_FLOW *)(packet + offset);
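Review bot: In the send_netflow_v1 part of the new patch, `memcpy(&src, &st[i].key[0].addr[0], sizeof(src));` (and the three sibling copies for dst and for the non-PF_OUT branch) copies sizeof(src) bytes out of a single `struct pf_addr`; if `struct pf_state_host` is larger than `struct pf_addr`, which its separate port member suggests, that read runs past addr[0] into whatever follows it in the key before the port is overwritten on the next line, so the copied bytes depend on struct layout rather than on what was meant. The send_netflow_v5 part of the same patch already does this correctly by copying into the member, `memcpy(&src.addr, &st[i].key[0].addr[0], sizeof(src.addr));`, and the v1 block should use that form for all four copies. Both blocks also read key[0] regardless of direction, which may not yield the expected addresses for translated states — worth confirming against the pfsync state key definitions. Both enclosing functions start and end outside the hunk.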
Index: patches/patch-pfflowd_h
===
RCS file: patches/patch-pfflowd_h
diff -N patches/patch-pfflowd_h
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-pfflowd_h 16 Jul 2008 14:59:04 -
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- pfflowd.h.orig Wed Jul 16 13:48:31 2008
 pfflowd.h  Wed Jul 16 13:48:40 2008
+@@ -29,7 +29,7 @@
+ #define DEFAULT_INTERFACE   "pfsync0"
+ #define LIBPCAP_SNAPLEN 2020/* Default MTU */
+  
+-#define _PFSYNC_VER3
++#define _PFSYNC_VER4
+ 
+ /*
+  * This is the Cisco Netflow(tm) version 1 packet format