Author: manu Date: Fri Mar 2 15:17:42 2018 New Revision: 330280 URL: https://svnweb.freebsd.org/changeset/base/330280
Log: MFC r320943-r320944, r321008, r321072, r321128 r320943: Add ipfw_status command to etc/rc.d/ipfw This is helpful when using service/conf management tools. Sponsored-By: Gandi.net r320944: Add an rc.d script to set up a netflow export via ng_netflow The default is to export netflow data on localhost on the netflow port. ngtee is used to have the lowest overhead possible. The ipfw ng hook is the netflow port (it can only be numeric) Default is netflow version 5. Sponsored-By: Gandi.net Reviewed by: bapt (earlier version), olivier (earlier version) r321008: etc/rc.d: Only install ipfw_netflow if MK_IPFW and MK_NETGRAPH are defined While here only install ipfw rc script if MK_IPFW is defined. Reported by: ngie r321072: ipfw_netflow: add +ipfw_netflow_enable="NO" to defaults/rc.conf and document usage in rc.conf(5) Reported by: markj Sponsored by: Gandi.net r321128: ipfw_netflow: Add support for FIB If ipfw_netflow_fib is set, the ipfw rule will only match packets in that FIB. While here correct some values in rc.conf(5) to be int and not str. Sponsored by: Gandi.net Added: stable/11/etc/rc.d/ipfw_netflow - copied, changed from r320944, head/etc/rc.d/ipfw_netflow Modified: stable/11/etc/defaults/rc.conf stable/11/etc/rc.d/Makefile stable/11/etc/rc.d/ipfw stable/11/share/man/man5/rc.conf.5 Directory Properties: stable/11/ (props changed) Modified: stable/11/etc/defaults/rc.conf ============================================================================== --- stable/11/etc/defaults/rc.conf Fri Mar 2 15:12:18 2018 (r330279) +++ stable/11/etc/defaults/rc.conf Fri Mar 2 15:17:42 2018 (r330280) 
@@ -167,6 +167,7 @@ firewall_nat_enable="NO" # Enable kernel NAT (if firew
 firewall_nat_interface="" # Public interface or IPaddress to use
 firewall_nat_flags="" # Additional configuration parameters
 dummynet_enable="NO" # Load the dummynet(4) module
+ipfw_netflow_enable="NO" # Enable netflow logging via ng_netflow
 ip_portrange_first="NO" # Set first dynamically allocated port
 ip_portrange_last="NO" # Set last dynamically allocated port
 ike_enable="NO" # Enable IKE daemon (usually racoon or isakmpd)
Modified: stable/11/etc/rc.d/Makefile
==============================================================================
--- stable/11/etc/rc.d/Makefile Fri Mar 2 15:12:18 2018 (r330279)
+++ stable/11/etc/rc.d/Makefile Fri Mar 2 15:17:42 2018 (r330280)
@@ -47,7 +47,6 @@ FILES= DAEMON \
 ip6addrctl \
 ipfilter \
 ipfs \
- ipfw \
 ipmon \
 ipnat \
 ipsec \
@@ -212,6 +211,13 @@ HASTPACKAGE= hast
 .if ${MK_INETD} != "no"
 FILES+= inetd
+.endif
+
+.if ${MK_IPFW} != "no"
+FILES+= ipfw
+.if ${MK_NETGRAPH} != "no"
+FILES+= ipfw_netflow
+.endif
 .endif
 .if ${MK_ISCSI} != "no"
Modified: stable/11/etc/rc.d/ipfw
==============================================================================
--- stable/11/etc/rc.d/ipfw Fri Mar 2 15:12:18 2018 (r330279)
+++ stable/11/etc/rc.d/ipfw Fri Mar 2 15:17:42 2018 (r330280)
@@ -17,7 +17,9 @@ start_cmd="ipfw_start"
 start_precmd="ipfw_prestart"
 start_postcmd="ipfw_poststart"
 stop_cmd="ipfw_stop"
+status_cmd="ipfw_status"
 required_modules="ipfw"
+extra_commands="status"
 set_rcvar_obsolete ipv6_firewall_enable
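Review bot: defaults/rc.conf gains only ipfw_netflow_enable, while the rc.conf.5 hunk in this same commit documents ipfw_netflow_hook, ipfw_netflow_rule, ipfw_netflow_ip, ipfw_netflow_port, ipfw_netflow_version and ipfw_netflow_fib with concrete defaults (9995, 1000, 127.0.0.1, 9995) that have no entry here. If those fallbacks live only inside the rc.d script (not visible in this diff), an administrator auditing defaults/rc.conf cannot see that enabling the service exports flow records to 127.0.0.1:9995 unless overridden. Listing them alongside the new line with matching comments, e.g. `ipfw_netflow_ip="127.0.0.1" # Destination IP for netflow export`, keeps the defaults file and rc.conf(5) in step. The comment on the added line could also say that enabling it inserts an ipfw rule which ngtee-copies all IP traffic, since that is a material change on a firewall host.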
@@ -107,6 +109,18 @@ ipfw_stop()
 ${_coscript} quietstop
 fi
 done
+}
+
+ipfw_status()
+{
+ status=$(sysctl -n net.inet.ip.fw.enable)
+ if [ ${status} -eq 0 ]; then
+ echo "ipfw is not enabled"
+ exit 1
+ else
+ echo "ipfw is enabled"
+ exit 0
+ fi
 }
 load_rc_config $name
Copied and modified: stable/11/etc/rc.d/ipfw_netflow (from r320944, head/etc/rc.d/ipfw_netflow)
==============================================================================
--- head/etc/rc.d/ipfw_netflow Thu Jul 13 13:40:18 2017 (r320944, copy source)
+++ stable/11/etc/rc.d/ipfw_netflow Fri Mar 2 15:17:42 2018 (r330280)
@@ -54,7 +54,7 @@ ipfw_netflow_status()
 ipfw_netflow_start()
 {
 ipfw_netflow_is_running && err 1 "ipfw_netflow is already active"
- ipfw add ${ipfw_netflow_rule} ngtee ${ipfw_netflow_hook} ip from any to any
+ ipfw add ${ipfw_netflow_rule} ngtee ${ipfw_netflow_hook} ip from any to any ${ipfw_netflow_fib:+fib ${ipfw_netflow_fib}}
 ngctl -f - <<-EOF
 mkpeer ipfw: netflow ${ipfw_netflow_hook} iface0
 name ipfw:${ipfw_netflow_hook} netflow
Modified: stable/11/share/man/man5/rc.conf.5
==============================================================================
--- stable/11/share/man/man5/rc.conf.5 Fri Mar 2 15:12:18 2018 (r330279)
+++ stable/11/share/man/man5/rc.conf.5 Fri Mar 2 15:17:42 2018 (r330280)
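Review bot: The `[ ${status} -eq 0 ]` test in the new ipfw_status is not robust when the sysctl read returns nothing, which is the case when ipfw.ko is not loaded — precisely the situation a status query is meant to surface — because the unquoted empty expansion leaves `[ -eq 0 ]`, an operator error rather than a comparison, and a failing test appears to fall into the else branch and report "ipfw is enabled" with exit 0 while sysctl's own error goes to stderr. Reading with `status=$(sysctl -n net.inet.ip.fw.enable 2>/dev/null)` and testing `if [ "${status:-0}" -eq 0 ]; then` makes a missing module report "not enabled" cleanly. Note also that net.inet.ip.fw.enable=1 only says the ipfw hook is active; it says nothing about whether the configured ruleset actually loaded, so the message might better read "ipfw is enabled (ruleset not checked)" or the function could additionally look at `ipfw list` output. Using `return 1`/`return 0` instead of `exit` would let rc.subr finish its own command handling; the closing lines of ipfw_stop at the top of the hunk belong to a function whose body starts outside the hunk.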
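Review bot: The exit status of `ipfw add` on the changed line in ipfw_netflow_start is never checked, so a rejected rule — for instance a non-numeric ipfw_netflow_fib, a FIB number the kernel does not have, or an ipfw_netflow_rule that clashes with an existing rule — still lets the following ngctl block create and name the netflow node, leaving the host half-configured with an exporter that receives no traffic and a later start blocked by the is_running guard. Appending `|| err 1 "ipfw_netflow: failed to install ipfw rule ${ipfw_netflow_rule}"` to that line keeps the start atomic and gives a clear message. Since rc.conf(5) in this commit declares ipfw_netflow_fib as an int, a quick numeric check of the value before the ipfw call would also fail earlier and more readably than ipfw's parser does. ipfw_netflow_start continues past the end of the hunk.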
@@ -594,6 +594,44 @@ module if
 is also set to
 .Dq Li YES .
 .\" -------------------------------------------------------------------
+.It Va ipfw_netflow_enable
+.Pq Vt bool
+Setting this to
+.Dq Li YES
+will enable netflow logging via
+.Xr ng_netflow 4
+.Pp
+By default a ipfw rule is inserted and all packets are duplicated with
+the ngtee command and netflow packets are sent to 127.0.0.1 on the netflow
+port using protocol version 5.
+.It Va ipfw_netflow_hook
+.Pq Vt int
+netflow hook name, must be numerical
+(default
+.Pa 9995 ) .
+.It Va ipfw_netflow_rule
+.Pq Vt int
+ipfw rule number
+(default
+.Pa 1000 ) .
+.It Va ipfw_netflow_ip
+.Pq Vt str
+Destination server ip for receiving netflow data
+(default
+.Pa 127.0.0.1 ) .
+.It Va ipfw_netflow_port
+.Pq Vt int
+Destination server port for receiving netflow data
+(default
+.Pa 9995 ) .
+.It Va ipfw_netflow_version
+.Pq Vt int
+Do not set for using version 5 of the netflow protocol, set it to 9 for using version 9.
+.It Va ipfw_netflow_fib
+.Pq Vt int
+Only match packet in FIB
+.Pa ipfw_netflow_fib
+(default is undefined meaning all FIBs).
 .It Va natd_program
 .Pq Vt str
 Path to
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"