Hello again,

I think I managed to get the iptables part working by using nftables:

$ cat /etc/nftables.conf
------------
#!/usr/sbin/nft -f

flush ruleset

table netdev test {
  chain testchain {
    type filter hook ingress device ens224 priority 0;
    log group 5
  }
}
....
------------

At least I see traffic using:

$ sudo tcpdump -i nflog:5


However, when I start uacctd as follows:

$ sudo uacctd -P print -o /tmp/test.log -M -O json -g 5 -d -L 1500

It does not write a log file.

Also, it sometimes fails to start up with one of the following error
messages:

- ERROR ( default/core ): Failed to set threshold to 1
- ERROR ( default/core ): Failed to set receive buffer size to 131072

When it manages to start up, it produces output like the following:

> $ sudo uacctd -P print -o /tmp/test.log -M -O json -g 5 -d -L 1500
> DEBUG: [cmdline] plugin name/type: 'default'/'core'.
> DEBUG: [cmdline] plugin name/type: 'default_print'/'print'.
> DEBUG: [cmdline] print_output_file:/tmp/test.log
> DEBUG: [cmdline] print_markers:true
> DEBUG: [cmdline] print_output:json
> DEBUG: [cmdline] uacctd_group:5
> DEBUG: [cmdline] debug:true
> DEBUG: [cmdline] snaplen:1500
> INFO ( default/core ): Linux NetFilter NFLOG Accounting Daemon, uacctd 
> (RELEASE)
> INFO ( default/core ):  '--build=x86_64-linux-gnu' '--prefix=/usr' 
> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' 
> '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' 
> '--disable-option-checking' '--disable-silent-rules' 
> '--libdir=${prefix}/lib/x86_64-linux-gnu' 
> '--libexecdir=${prefix}/lib/x86_64-linux-gnu' '--disable-maintainer-mode' 
> '--disable-dependency-tracking' 
> '--with-pgsql-includes=/usr/include/postgresql' '--enable-l2' '--enable-ipv6' 
> '--enable-plabel' '--enable-mysql' '--enable-pgsql' '--enable-sqlite3' 
> '--enable-rabbitmq' '--enable-zmq' '--enable-kafka' '--enable-geoipv2' 
> '--enable-jansson' '--enable-64bit' '--enable-threads' 
> '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins' 
> '--enable-st-bins' '--enable-nflog' 'build_alias=x86_64-linux-gnu' 
> 'CFLAGS=-fcommon' 'LDFLAGS=-Wl,-z,relro' 'CPPFLAGS=-Wdate-time 
> -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 
> -ffile-prefix-map=/build/pmacct-UhNuxu/pmacct-1.7.6=. 
> -fstack-protector-strong -Wformat -Werror=format-security'
> INFO ( default/core ): Reading configuration from cmdline.
> WARN ( default_print/print ): defaulting to SRC HOST aggregation.
> INFO ( default_print/print ): plugin_pipe_size=4096000 bytes 
> plugin_buffer_size=344 bytes
> INFO ( default_print/print ): ctrl channel: obtained=212992 bytes 
> target=95248 bytes
> INFO ( default_print/print ): cache entries=16411 base cache memory=66431728 
> bytes
> INFO ( default/core ): Successfully connected Netlink NFLOG socket
> INFO ( default_print/print ): JSON: setting object handlers.
> ^CINFO ( default_print/print ): *** Purging cache - START (PID: 2811834) ***
> INFO ( default_print/print ): *** Purging cache - END (PID: 2811834, QN: 0/0, 
> ET: X) ***
> WARN ( default_print/print ): Failed during write: Connection refused
> INFO ( default/core ): OK, Exiting ...


In strace, I can see that uacctd receives data. Using the nfprobe plugin
also does not result in uacctd sending Netflow data.


Thanks again.

Klaus

On 15.01.24 09:49, Klaus Conrad wrote:
> Hi Paolo,
> 
> thanks a lot for taking the time to respond!
> 
> I'm using pmacctd 1.7.6:
> 
> ---------------------
> $ pmacctd -V
> Promiscuous Mode Accounting Daemon, pmacctd 1.7.6-git [RELEASE]
> 
> Arguments:
>  '--build=x86_64-linux-gnu' '--prefix=/usr'
> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
> '--infodir=${prefix}/share/info' '--sysconfdir=/etc'
> '--localstatedir=/var' '--disable-option-checking'
> '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu'
> '--libexecdir=${prefix}/lib/x86_64-linux-gnu'
> '--disable-maintainer-mode' '--disable-dependency-tracking'
> '--with-pgsql-includes=/usr/include/postgresql' '--enable-l2'
> '--enable-ipv6' '--enable-plabel' '--enable-mysql' '--enable-pgsql'
> '--enable-sqlite3' '--enable-rabbitmq' '--enable-zmq' '--enable-kafka'
> '--enable-geoipv2' '--enable-jansson' '--enable-64bit'
> '--enable-threads' '--enable-traffic-bins' '--enable-bgp-bins'
> '--enable-bmp-bins' '--enable-st-bins' '--enable-nflog'
> 'build_alias=x86_64-linux-gnu' 'CFLAGS=-fcommon' 'LDFLAGS=-Wl,-z,relro'
> 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2
> -ffile-prefix-map=/build/pmacct-UhNuxu/pmacct-1.7.6=.
> -fstack-protector-strong -Wformat -Werror=format-security'
> 
> Libs:
> cdada 0.3.2
> libpcap version 1.10.0 (with TPACKET_V3)
> MariaDB 10.5.8
> PostgreSQL 130013
> sqlite3 3.34.1
> rabbimq-c 0.10.0
> rdkafka 1.6.0
> jansson 2.13.1
> MaxmindDB 1.5.2
> ZeroMQ 4.3.4
> netfilter_log
> 
> System:
> Linux 5.10.0-27-amd64 #1 SMP Debian 5.10.205-2 (2023-12-31) x86_64
> 
> Compiler:
> gcc 10.2.1
> 
> For suggestions, critics, bugs, contact me: Paolo Lucente
> <pa...@pmacct.net>.
> ---------------------
> 
> It's a Debian 11 system, and I'm using the pmacct version that comes
> with Debian 11.
> 
> 
> To further describe our setup: we're mirroring all traffic from our
> routers to a Linux VM (the pmacctd system) and I'd like to capture it
> there and transform it into Netflow v9.
> 
> Unfortunately I do not quite understand the basics of how InputInt
> and OutputInt are supposed to be populated; basically we have the
> following requirement:
> 
> InputInt and OutputInt should be populated as if the Netflow were
> being created directly on our routers, so basically it should
> be based on the VLAN tag or populated automatically (if that is possible).
> 
> 
> I tried setting up uacctd but I'm currently struggling with capturing
> the traffic with iptables; I did the following:
> 
> - sudo apt install iptables
> - sudo iptables -i ens224 -t raw -I PREROUTING -j NFLOG --nflog-group 5
> 
> However, this does not seem to match any packets:
> 
> - sudo iptables -L -v -n -t raw
>> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               
>> destination         
>>     0     0 NFLOG      all  --  ens224 *       0.0.0.0/0            
>> 0.0.0.0/0            nflog-group 5
>>
>> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               
>> destination         
> 
> 
> I'm sorry, I realize that this is probably outside the scope of the
> uacctd / pmacctd discussion, but maybe someone can point me in the
> right direction?
> 
> Thanks again
> 
> Klaus
> 
> On 14.01.24 16:47, Paolo Lucente wrote:
>>
>> Hi Klaus,
>>
>> Can you confirm what version of pmacct you are using? A 'pmacctd -V' 
>> would do.
>>
>> I would like essentially to confirm that, for the first issue you are 
>> hitting, you are running either 1.7.8 or a recent code that includes 
>> this patch from Dec 15th: 
>> https://github.com/pmacct/pmacct/commit/547e24171b0da2775ad35aeb2997d586003cb674 .
>>
>> For the second issue you mention, i.e. setting both input and output 
>> interface given a direction, let me confirm that the current mechanism 
>> does not support that -- the use case has been so far using src/dst IP 
>> address/prefix or src/dst MAC address to determine direction, and given 
>> that, set input OR output interface but not both.
>>
>> You could use ULOG / uacctd, which should already return you both 
>> interfaces; just an idea if you are running Linux, as it seems the system 
>> you are monitoring is passing traffic through. Otherwise, to use the 
>> tagging mechanism, some dev would be required.
>>
>> Paolo
>>
>>
>> On 11/1/24 11:11, Klaus Conrad wrote:
>>> Hello everybody,
>>>
>>> I'm currently struggling with properly setting up pmacct for the following
>>> scenario:
>>>
>>> I need InputInt and OutputInt as well as Direction to be set in the
>>> generated Netflow.
>>>
>>> By default, InputInt/OutputInt are set to 0.
>>>
>>> The traffic I'm capturing is VLAN tagged.
>>>
>>> Now I want to set InputInt and OutputInt and Direction depending on the
>>> VLAN tag of the captured traffic.
>>>
>>> My pretag.map looks like this:
>>>
>>> set_tag=2 vlan=10 jeq=eval_ifindexes
>>> set_tag=1 vlan=11 jeq=eval_ifindexes
>>> set_tag=2 vlan=20 jeq=eval_ifindexes
>>> set_tag=1 vlan=21 jeq=eval_ifindexes
>>> ...
>>> set_tag=999 filter='net 0.0.0.0/0'
>>>
>>>
>>> set_tag2=62 vlan=10 label=eval_ifindexes
>>> set_tag2=62 vlan=11
>>> set_tag2=60 vlan=20
>>> set_tag2=60 vlan=21
>>> ...
>>> set_tag2=52 filter='net 0.0.0.0/0'
>>>
>>>
>>>
>>> My pmacct.conf looks like this:
>>>
>>> ...
>>> aggregate: src_host,dst_host,src_port,dst_port,proto,sampling_rate,vlan
>>> nfprobe_ifindex_override[prod]: true
>>> nfprobe_direction[prod]: tag
>>> nfprobe_ifindex[prod]: tag2
>>> pre_tag_map: /etc/pmacct/pretag.map
>>>
>>>
>>> The problem I'm facing is as follows:
>>>
>>> It appears that the first set_tag and set_tag2 rules always apply. So
>>> all flows are tagged as "egress" and OutputInt is always set to 62,
>>> regardless of the vlan tag of the captured traffic.
>>>
>>>
>>> Also I do not understand how I could set both InputInt and OutputInt to
>>> a non-zero value.
>>>
>>> Thanks a lot in advance for any insight you can provide!
>>>
>>> Klaus
>>>
> 

-- 
Klaus Conrad

mailto:k...@ilk.net

ILK Internet GmbH
Am Sandfeld 15
76149 Karlsruhe
Deutschland

Tel. +49 (0) 721 9100 0
Fax +49 (0) 721 9100 191
http://www.ilk.net/

Geschäftsführer: Matthias Felger
AG Mannheim, HRB 107037
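The pretag.map quoted further down in this thread relies on entry order, jeq jumps and labels, and the thread's problem is that the first set_tag/set_tag2 entries seem to apply to everything. As an added example (not pmacct's own code and not from anyone in the thread), the Python below parses that map and evaluates it against a few constructed packets under the semantics I assume pre_tag_map uses: entries are tried top to bottom, the first match sets the tag(s) and ends evaluation unless the entry has jeq=, in which case evaluation continues from the entry carrying the matching label=. The `filter=` key is BPF syntax in pmacct; this model only understands the `net <cidr>` form the map uses. The sample packets and the validate/evaluate helper names are mine.

```python
"""Model of pmacct pre_tag_map evaluation for the VLAN-based map in this thread.

Assumed semantics (my reading of pmacct's pre_tag_map docs, not pmacct code):
top-down, first match wins and stops, unless the entry has jeq=<label>, in
which case evaluation resumes at the entry that carries label=<label>.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# The map posted in the thread (minus the elided "..." entries).
PRETAG_MAP = """\
set_tag=2 vlan=10 jeq=eval_ifindexes
set_tag=1 vlan=11 jeq=eval_ifindexes
set_tag=2 vlan=20 jeq=eval_ifindexes
set_tag=1 vlan=21 jeq=eval_ifindexes
set_tag=999 filter='net 0.0.0.0/0'

set_tag2=62 vlan=10 label=eval_ifindexes
set_tag2=62 vlan=11
set_tag2=60 vlan=20
set_tag2=60 vlan=21
set_tag2=52 filter='net 0.0.0.0/0'
"""

KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")  # key=value or key='quoted value'


@dataclass
class Entry:
    lineno: int
    keys: dict[str, str]


def parse_pretag_map(text: str) -> list[Entry]:
    """Split a map into entries; '!' and '#' lines are treated as comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "!#":
            continue
        keys = {k: v.strip("'") for k, v in KV_RE.findall(line)}
        if not keys:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        entries.append(Entry(lineno, keys))
    return entries


def validate(entries: list[Entry]) -> list[str]:
    """Static checks: every jeq must have a label to land on, vlan must be numeric."""
    labels = {e.keys["label"] for e in entries if "label" in e.keys}
    problems = []
    for e in entries:
        if "jeq" in e.keys and e.keys["jeq"] not in labels:
            problems.append(f"line {e.lineno}: jeq target {e.keys['jeq']!r} has no matching label")
        if "vlan" in e.keys and not e.keys["vlan"].isdigit():
            problems.append(f"line {e.lineno}: vlan must be numeric, got {e.keys['vlan']!r}")
    return problems


def matches(entry: Entry, pkt: dict) -> bool:
    """All keys present on the entry must match the (constructed) packet."""
    k = entry.keys
    if "vlan" in k and pkt.get("vlan") != int(k["vlan"]):
        return False
    if "filter" in k:
        m = re.fullmatch(r"net (\S+)", k["filter"])  # only the 'net CIDR' subset is modelled
        if not m:
            raise NotImplementedError(f"filter syntax not modelled: {k['filter']!r}")
        net = ipaddress.ip_network(m.group(1), strict=False)
        if not any(ipaddress.ip_address(pkt[a]) in net for a in ("src", "dst")):
            return False
    return True


def evaluate(entries: list[Entry], pkt: dict, max_steps: int = 1000) -> tuple[int, int]:
    """Return (tag, tag2) for a packet; 0 means 'never set', as in a fresh flow."""
    labels = {e.keys["label"]: i for i, e in enumerate(entries) if "label" in e.keys}
    tag = tag2 = 0
    i = steps = 0
    while i < len(entries):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("jeq/label cycle in map")
        e = entries[i]
        if matches(e, pkt):
            tag = int(e.keys.get("set_tag", tag))
            tag2 = int(e.keys.get("set_tag2", tag2))
            if "jeq" in e.keys:
                i = labels[e.keys["jeq"]]  # continue from the labelled entry
                continue
            break  # first match without jeq ends evaluation
        i += 1
    return tag, tag2


if __name__ == "__main__":
    entries = parse_pretag_map(PRETAG_MAP)
    print("problems:", validate(entries) or "none")
    for vlan in (10, 11, 20, 21, 30):  # constructed sample packets
        pkt = {"vlan": vlan, "src": "10.0.0.1", "dst": "192.0.2.1"}
        print(f"vlan {vlan:>3}: tag/tag2 = {evaluate(entries, pkt)}")
```

Under these modelled semantics VLANs 10/11/20/21 resolve to (2,62), (1,62), (2,60), (1,60), while any other VLAN hits the `set_tag=999 filter='net 0.0.0.0/0'` entry, which has no jeq, so evaluation stops there and tag2 stays 0: the `set_tag2=52` catch-all is never reached. The model cannot explain the observation in the thread that the first entries always match; it only shows what the map should yield if each key matches as written, and `validate()` catches the common editing mistake of a jeq whose label was renamed or dropped.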

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
