nfprobe flow tree does not take interface index into consideration
when searching/aggregating the flow data.
This means that for the case multiple pcap interfaces are being
monitored and same src/dst ip/port traffic pattern is being handled
over several of those interfaces, this will all land in the same
FLOW entry.
This leads to the issues that flows being handled by one network
interface are actually reported via NetFlow (via Flow InputInt
and OutputInt fields)as being handled by another network interface
(held by the FLOW entry originally created for matching the given
src/dst ip/port traffic pattern).
Introduce a new nfprobe_per_interface_flows config variable to
allow taking flow interface indexes into consideration when
matching/searching for the FLOW entries in the flow cache tree.
Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovs...@cloud.ionos.com>
---
src/cfg.c | 1 +
src/cfg.h | 1 +
src/cfg_handlers.c | 22 ++++++++++++++++++++++
src/cfg_handlers.h | 1 +
src/nfprobe_plugin/nfprobe_plugin.c | 8 ++++++++
5 files changed, 33 insertions(+)
diff --git a/src/cfg.c b/src/cfg.c
index ddad54c..2b102bd 100644
--- a/src/cfg.c
+++ b/src/cfg.c
@@ -414,6 +414,7 @@ static const struct _dictionary_line dictionary[] = {
{"sfprobe_ifindex", cfg_key_nfprobe_ifindex},
{"sfprobe_ifspeed", cfg_key_sfprobe_ifspeed},
{"sfprobe_ifindex_override", cfg_key_nfprobe_ifindex_override},
+ {"nfprobe_per_interface_flows", cfg_key_nfprobe_per_interface_flows},
{"tee_receivers", cfg_key_tee_receivers},
{"tee_source_ip", cfg_key_nfprobe_source_ip},
{"tee_transparent", cfg_key_tee_transparent},
diff --git a/src/cfg.h b/src/cfg.h
index 631b19b..d652a59 100644
--- a/src/cfg.h
+++ b/src/cfg.h
@@ -550,6 +550,7 @@ struct configuration {
int nfprobe_ifindex_type;
int nfprobe_dont_cache;
int nfprobe_tstamp_usec;
+ int nfprobe_per_interface_flows;
char *sfprobe_receiver;
char *sfprobe_agentip;
int sfprobe_agentsubid;
diff --git a/src/cfg_handlers.c b/src/cfg_handlers.c
index eac176c..3fa6ed5 100644
--- a/src/cfg_handlers.c
+++ b/src/cfg_handlers.c
@@ -5859,6 +5859,28 @@ int cfg_key_nfprobe_dont_cache(char *filename, char
*name, char *value_ptr)
return changes;
}
+int cfg_key_nfprobe_per_interface_flows(char *filename, char *name, char
*value_ptr)
+{
+ struct plugins_list_entry *list = plugins_list;
+ int value, changes = 0;
+
+ value = parse_truefalse(value_ptr);
+ if (value < 0) return ERR;
+
+ if (!name) for (; list; list = list->next, changes++)
list->cfg.nfprobe_per_interface_flows = value;
+ else {
+ for (; list; list = list->next) {
+ if (!strcmp(name, list->name)) {
+ list->cfg.nfprobe_per_interface_flows = value;
+ changes++;
+ break;
+ }
+ }
+ }
+
+ return changes;
+}
+
int cfg_key_sfprobe_receiver(char *filename, char *name, char *value_ptr)
{
struct plugins_list_entry *list = plugins_list;
diff --git a/src/cfg_handlers.h b/src/cfg_handlers.h
index 5ab0585..5d90a9c 100644
--- a/src/cfg_handlers.h
+++ b/src/cfg_handlers.h
@@ -288,6 +288,7 @@ extern int cfg_key_nfprobe_ifindex(char *, char *, char *);
extern int cfg_key_nfprobe_ifindex_override(char *, char *, char *);
extern int cfg_key_nfprobe_tstamp_usec(char *, char *, char *);
extern int cfg_key_nfprobe_dont_cache(char *, char *, char *);
+extern int cfg_key_nfprobe_per_interface_flows(char *, char *, char *);
extern int cfg_key_sfprobe_receiver(char *, char *, char *);
extern int cfg_key_sfprobe_agentip(char *, char *, char *);
extern int cfg_key_sfprobe_agentsubid(char *, char *, char *);
diff --git a/src/nfprobe_plugin/nfprobe_plugin.c
b/src/nfprobe_plugin/nfprobe_plugin.c
index f7b0dc6..46a8166 100644
--- a/src/nfprobe_plugin/nfprobe_plugin.c
+++ b/src/nfprobe_plugin/nfprobe_plugin.c
@@ -150,6 +150,14 @@ flow_compare(struct FLOW *a, struct FLOW *b)
if (a->port[1] != b->port[1])
return (ntohs(a->port[1]) > ntohs(b->port[1]) ? 1 : -1);
+ if (config.nfprobe_per_interface_flows) {
+ if (a->ifindex[0] != b->ifindex[0])
+ return (a->ifindex[0] > b->ifindex[0] ? 1 : -1);
+
+ if (a->ifindex[1] != b->ifindex[1])
+ return (a->ifindex[1] > b->ifindex[1] ? 1 : -1);
+ }
+
return (0);
}
--
2.7.4
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
