Hi Jaroslav, To confirm this is currently not possible but actually would be a good idea for future support. I was going to sugget to use source MAC address instead but i note that also there you have the post-source MAC address. Please get in touch privately, a trace of your NetFlow would definitely help development.
Cheers, Paolo On Thu, May 19, 2016 at 03:47:06PM +0200, Jaroslav Jirásek wrote: > I'm receiving flows from mikrotik by nfacctd. > I want split inbound and outboud traffic to different tables. > > I'm using directives > > aggregate_filter[local.out]: src net 10.0.0.0/8 > aggregate_filter[local.in]: dst net 10.0.0.0/8 > > it works only for outbound traffic, because in flows is DstAddr > ip address of NAT (100.100.100.1), look here: > > Flow 2 > [Duration: 2.010000000 seconds] > StartTime: 12542.300000000 seconds > EndTime: 12544.310000000 seconds > Packets: 5 > Octets: 300 > InputInt: 15 > OutputInt: 2 > SrcAddr: 10.0.124.51 (10.0.124.51) > DstAddr: 8.8.8.8 (8.8.8.8) > Protocol: 1 > IP ToS: 0x00 > SrcPort: 0 > DstPort: 0 > NextHop: 172.20.3.73 (172.20.3.73) > DstMask: 0 > SrcMask: 0 > TCP Flags: 0x00 > Destination Mac Address: Routerbo_45:49:79 > (00:0c:42:45:49:79) > Post Source Mac Address: Routerbo_45:49:78 > (00:0c:42:45:49:78) > Post NAT Source IPv4 Address: 100.100.100.1 (100.100.100.1) > Post NAT Destination IPv4 Address: 8.8.8.8 (8.8.8.8) > Post NAPT Source Transport Port: 0 > Post NAPT Destination Transport Port: 0 > Flow 3 > [Duration: 3.010000000 seconds] > StartTime: 12542.300000000 seconds > EndTime: 12545.310000000 seconds > Packets: 5 > Octets: 300 > InputInt: 2 > OutputInt: 15 > SrcAddr: 8.8.8.8 (8.8.8.8) > DstAddr: 100.100.100.1 (100.100.100.1) > Protocol: 1 > IP ToS: 0x00 > SrcPort: 0 > DstPort: 0 > NextHop: 10.0.124.51 (10.0.124.51) > DstMask: 0 > SrcMask: 0 > TCP Flags: 0x00 > Destination Mac Address: Routerbo_45:49:78 > (00:0c:42:45:49:78) > Post Source Mac Address: Routerbo_45:49:79 > (00:0c:42:45:49:79) > Post NAT Source IPv4 Address: 8.8.8.8 (8.8.8.8) > Post NAT Destination IPv4 Address: 10.0.124.51 > (10.0.124.51) > Post NAPT Source Transport Port: 0 > Post NAPT Destination Transport Port: 0 > > user 10.0.124.51 is behind nat, nat makes router which sends flows too > > Is it possible to make filter on "Post NAT Destination IPv4 Address" ? > > Thank you for help > Jaroslav Jirasek > > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
