Hello again, I think I managed to get the iptables part working by using nftables:
$ cat /etc/nftables.conf
------------
#!/usr/sbin/nft -f

flush ruleset

table netdev test {
    chain testchain {
        type filter hook ingress device ens224 priority 0;
        log group 5
    }
}
....
------------

At least I see traffic using:

$ sudo tcpdump -i nflog:5

However, when I start uacctd as follows:

$ sudo uacctd -P print -o /tmp/test.log -M -O json -g 5 -d -L 1500

it does not write a log file. Also, it sometimes fails to start up with one of the following error messages:

- ERROR ( default/core ): Failed to set threshold to 1
- ERROR ( default/core ): Failed to set receive buffer size to 131072

When it manages to start up, it produces output like the following:

> $ sudo uacctd -P print -o /tmp/test.log -M -O json -g 5 -d -L 1500
> DEBUG: [cmdline] plugin name/type: 'default'/'core'.
> DEBUG: [cmdline] plugin name/type: 'default_print'/'print'.
> DEBUG: [cmdline] print_output_file:/tmp/test.log
> DEBUG: [cmdline] print_markers:true
> DEBUG: [cmdline] print_output:json
> DEBUG: [cmdline] uacctd_group:5
> DEBUG: [cmdline] debug:true
> DEBUG: [cmdline] snaplen:1500
> INFO ( default/core ): Linux NetFilter NFLOG Accounting Daemon, uacctd
> (RELEASE)
> INFO ( default/core ): '--build=x86_64-linux-gnu' '--prefix=/usr'
> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
> '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
> '--disable-option-checking' '--disable-silent-rules'
> '--libdir=${prefix}/lib/x86_64-linux-gnu'
> '--libexecdir=${prefix}/lib/x86_64-linux-gnu' '--disable-maintainer-mode'
> '--disable-dependency-tracking'
> '--with-pgsql-includes=/usr/include/postgresql' '--enable-l2' '--enable-ipv6'
> '--enable-plabel' '--enable-mysql' '--enable-pgsql' '--enable-sqlite3'
> '--enable-rabbitmq' '--enable-zmq' '--enable-kafka' '--enable-geoipv2'
> '--enable-jansson' '--enable-64bit' '--enable-threads'
> '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins'
> '--enable-st-bins' '--enable-nflog' 'build_alias=x86_64-linux-gnu'
> 'CFLAGS=-fcommon' 'LDFLAGS=-Wl,-z,relro' 'CPPFLAGS=-Wdate-time
> -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2
> -ffile-prefix-map=/build/pmacct-UhNuxu/pmacct-1.7.6=.
> -fstack-protector-strong -Wformat -Werror=format-security'
> INFO ( default/core ): Reading configuration from cmdline.
> WARN ( default_print/print ): defaulting to SRC HOST aggregation.
> INFO ( default_print/print ): plugin_pipe_size=4096000 bytes
> plugin_buffer_size=344 bytes
> INFO ( default_print/print ): ctrl channel: obtained=212992 bytes
> target=95248 bytes
> INFO ( default_print/print ): cache entries=16411 base cache memory=66431728
> bytes
> INFO ( default/core ): Successfully connected Netlink NFLOG socket
> INFO ( default_print/print ): JSON: setting object handlers.
> ^CINFO ( default_print/print ): *** Purging cache - START (PID: 2811834) ***
> INFO ( default_print/print ): *** Purging cache - END (PID: 2811834, QN: 0/0,
> ET: X) ***
> WARN ( default_print/print ): Failed during write: Connection refused
> INFO ( default/core ): OK, Exiting ...

In strace, I can see that uacctd receives data. Using the nfprobe plugin also does not result in uacctd sending Netflow data.

Thanks again.

Klaus

On 15.01.24 09:49, Klaus Conrad wrote:
> Hi Paolo,
>
> thanks a lot for taking the time to respond!
>
> I'm using pmacctd 1.7.6:
>
> ---------------------
> $ pmacctd -V
> Promiscuous Mode Accounting Daemon, pmacctd 1.7.6-git [RELEASE]
>
> Arguments:
> '--build=x86_64-linux-gnu' '--prefix=/usr'
> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
> '--infodir=${prefix}/share/info' '--sysconfdir=/etc'
> '--localstatedir=/var' '--disable-option-checking'
> '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu'
> '--libexecdir=${prefix}/lib/x86_64-linux-gnu'
> '--disable-maintainer-mode' '--disable-dependency-tracking'
> '--with-pgsql-includes=/usr/include/postgresql' '--enable-l2'
> '--enable-ipv6' '--enable-plabel' '--enable-mysql' '--enable-pgsql'
> '--enable-sqlite3' '--enable-rabbitmq' '--enable-zmq' '--enable-kafka'
> '--enable-geoipv2' '--enable-jansson' '--enable-64bit'
> '--enable-threads' '--enable-traffic-bins' '--enable-bgp-bins'
> '--enable-bmp-bins' '--enable-st-bins' '--enable-nflog'
> 'build_alias=x86_64-linux-gnu' 'CFLAGS=-fcommon' 'LDFLAGS=-Wl,-z,relro'
> 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2
> -ffile-prefix-map=/build/pmacct-UhNuxu/pmacct-1.7.6=.
> -fstack-protector-strong -Wformat -Werror=format-security'
>
> Libs:
> cdada 0.3.2
> libpcap version 1.10.0 (with TPACKET_V3)
> MariaDB 10.5.8
> PostgreSQL 130013
> sqlite3 3.34.1
> rabbimq-c 0.10.0
> rdkafka 1.6.0
> jansson 2.13.1
> MaxmindDB 1.5.2
> ZeroMQ 4.3.4
> netfilter_log
>
> System:
> Linux 5.10.0-27-amd64 #1 SMP Debian 5.10.205-2 (2023-12-31) x86_64
>
> Compiler:
> gcc 10.2.1
>
> For suggestions, critics, bugs, contact me: Paolo Lucente
> <pa...@pmacct.net>.
> ---------------------
>
> It's a Debian 11 system, and I'm using the pmacct version that comes
> with Debian 11.
>
>
> To further describe our setup: we're mirroring all traffic from our
> routers to a Linux VM (the pmacctd system) and I'd like to capture it
> there and transform it into Netflow v9.
>
> Unfortunately I do not quite understand the basics behind how InputInt
> and OutputInt are supposed to be populated; basically we have the
> following requirement:
>
> InputInt and OutputInt should be populated as if the Netflow was
> being created directly on our routers, so basically it should
> be based on the VLAN tag or populated automatically (if that is possible).
>
>
> I tried setting up uacctd but I'm currently struggling with capturing
> the traffic with iptables; I did the following:
>
> - sudo apt install iptables
> - sudo iptables -i ens224 -t raw -I PREROUTING -j NFLOG --nflog-group 5
>
> However, this does not seem to match any packets:
>
> - sudo iptables -L -v -n -t raw
>> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target  prot opt in     out  source     destination
>>     0     0 NFLOG   all  --  ens224 *    0.0.0.0/0  0.0.0.0/0    nflog-group 5
>>
>> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target  prot opt in     out  source     destination
>
>
> I'm sorry, I realize that this is probably outside the scope of the
> uacctd / pmacctd discussion but maybe someone can point me in the
> right direction?
>
> Thanks again
>
> Klaus
>
> On 14.01.24 16:47, Paolo Lucente wrote:
>>
>> Hi Klaus,
>>
>> Can you confirm what version of pmacct you are using? A 'pmacctd -V'
>> would do.
>>
>> I would like essentially to confirm that, for the first issue you are
>> hitting, you are running either 1.7.8 or a recent code that includes
>> this patch from Dec 15th:
>> https://github.com/pmacct/pmacct/commit/547e24171b0da2775ad35aeb2997d586003cb674
>>
>> For the second issue you mention, ie. setting both input and output
>> interface given a direction, let me confirm that the current mechanism
>> does not support that -- the use case has been so far using src/dst IP
>> address/prefix or src/dst MAC address to determine direction, and given
>> that, set input OR output interface but not both.
>>
>> You could use ULOG / uacctd, which should already return you both
>> interfaces, just an idea if you are running Linux, it seems the system
>> you are monitoring is passing traffic through. Otherwise to use the
>> tagging mechanism, some dev would be required.
>>
>> Paolo
>>
>>
>> On 11/1/24 11:11, Klaus Conrad wrote:
>>> Hello everybody,
>>>
>>> I'm currently struggling with properly setting up pmacct for the following
>>> scenario:
>>>
>>> I need InputInt and OutputInt as well as Direction to be set in the
>>> generated Netflow.
>>>
>>> By default, InputInt/OutputInt are set to 0.
>>>
>>> The traffic I'm capturing is VLAN tagged.
>>>
>>> Now I want to set InputInt and OutputInt and Direction depending on the
>>> VLAN tag of the captured traffic.
>>>
>>> My pretag.map looks like this:
>>>
>>> set_tag=2 vlan=10 jeq=eval_ifindexes
>>> set_tag=1 vlan=11 jeq=eval_ifindexes
>>> set_tag=2 vlan=20 jeq=eval_ifindexes
>>> set_tag=1 vlan=21 jeq=eval_ifindexes
>>> ...
>>> set_tag=999 filter='net 0.0.0.0/0'
>>>
>>>
>>> set_tag2=62 vlan=10 label=eval_ifindexes
>>> set_tag2=62 vlan=11
>>> set_tag2=60 vlan=20
>>> set_tag2=60 vlan=21
>>> ...
>>> set_tag2=52 filter='net 0.0.0.0/0'
>>>
>>>
>>>
>>> My pmacct.conf looks like this:
>>>
>>> ...
>>> aggregate: src_host,dst_host,src_port,dst_port,proto,sampling_rate,vlan
>>> nfprobe_ifindex_override[prod]: true
>>> nfprobe_direction[prod]: tag
>>> nfprobe_ifindex[prod]: tag2
>>> pre_tag_map: /etc/pmacct/pretag.map
>>>
>>>
>>> The problem I'm facing is as follows:
>>>
>>> It appears that the first set_tag and set_tag2 rules always apply. So
>>> all flows are tagged as "egress" and OutputInt is always set to 62,
>>> regardless of the vlan tag of the captured traffic.
>>>
>>>
>>> Also I do not understand how I could set both InputInt and OutputInt to
>>> a non-zero value.
>>>
>>> Thanks a lot in advance for any insight you can provide!
>>>
>>> Klaus
>>>
>

-- 
Klaus Conrad
mailto:k...@ilk.net

ILK Internet GmbH
Am Sandfeld 15
76149 Karlsruhe
Deutschland

Tel. +49 (0) 721 9100 0
Fax +49 (0) 721 9100 191
http://www.ilk.net/

Geschäftsführer: Matthias Felger
AG Mannheim, HRB 107037

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
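The VLAN-to-direction/ifindex mapping that the pretag.map in this thread tries to express, replayed as an added example in Python. This is not code from the thread or from pmacct: it is a stand-alone post-processor over JSON records of the kind the print plugin writes with print_output: json and print_markers: true. It assumes (none of this is confirmed by the thread) that records carry an integer "vlan" field and the ip_src/ip_dst/packets/bytes names shown in the constructed sample, that a direction tag of 1 means ingress and 2 means egress as pmacct's nfprobe_direction 'tag' mode interprets them, and that map entries are evaluated top-down with the first match winning. It makes two things visible that the thread talks around: with a direction-driven ifindex only one of InputInt/OutputInt can ever be non-zero (Paolo's "input OR output but not both"), and a catch-all entry placed before the VLAN-specific ones shadows everything after it, which from the outside looks exactly like "the first rule always applies".

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Iterable, Optional

# Direction values as pmacct's nfprobe_direction 'tag' mode interprets them
# (assumed here: 1 = ingress, 2 = egress; anything else = unknown).
INGRESS, EGRESS = 1, 2


@dataclass(frozen=True)
class Rule:
    """One pretag.map line, reduced to what matters for this mapping.

    vlan=None stands for the catch-all 'filter=net 0.0.0.0/0' entry.
    """
    vlan: Optional[int]
    direction: int   # set_tag in the thread's map
    ifindex: int     # set_tag2 in the thread's map


# Mirrors the map posted in the thread; the '...' rows are not reproduced.
RULES = [
    Rule(10, EGRESS, 62),
    Rule(11, INGRESS, 62),
    Rule(20, EGRESS, 60),
    Rule(21, INGRESS, 60),
    Rule(None, 999, 52),   # catch-all: direction 999 is neither 1 nor 2
]


def classify(vlan: int, rules: list[Rule] = RULES) -> tuple[int, int, int]:
    """Return (direction, input_ifindex, output_ifindex) for a VLAN id.

    Top-down, first match wins (assumed evaluation order).  Only one of
    input/output receives the ifindex: the direction decides which side,
    the other side stays 0.  That is the "input OR output, not both"
    limitation Paolo describes, made explicit.
    """
    for r in rules:
        if r.vlan is None or r.vlan == vlan:
            if r.direction == INGRESS:
                return INGRESS, r.ifindex, 0
            if r.direction == EGRESS:
                return EGRESS, 0, r.ifindex
            return 0, 0, 0      # unknown direction: nowhere to put the ifindex
    return 0, 0, 0


def shadowed(rules: list[Rule]) -> list[Rule]:
    """Rules that can never match because a catch-all precedes them.

    A map whose first entry matches everything behaves exactly like the
    symptom in the thread ("the first rule always applies"), so this is
    the first thing worth checking in a map that misbehaves.
    """
    for i, r in enumerate(rules):
        if r.vlan is None:
            return rules[i + 1:]
    return []


def enrich(lines: Iterable[str], rules: list[Rule] = RULES) -> list[dict]:
    """Attach direction/iface_in/iface_out to each JSON record.

    Lines that are not JSON objects (for instance the marker lines that
    print_markers adds) are skipped.
    """
    out = []
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue
        rec = json.loads(line)
        direction, iface_in, iface_out = classify(int(rec.get("vlan", 0)), rules)
        rec.update(direction=direction, iface_in=iface_in, iface_out=iface_out)
        out.append(rec)
    return out


# Constructed sample, shaped like print_output: json records with
# print_markers: true (field names assumed; not captured from the thread).
SAMPLE = """\
--START (1705311000+3)--
{"ip_src": "10.0.10.5", "ip_dst": "203.0.113.7", "vlan": 10, "packets": 12, "bytes": 9000}
{"ip_src": "203.0.113.7", "ip_dst": "10.0.10.5", "vlan": 11, "packets": 10, "bytes": 1400}
{"ip_src": "10.0.20.9", "ip_dst": "198.51.100.2", "vlan": 21, "packets": 3, "bytes": 300}
{"ip_src": "192.0.2.1", "ip_dst": "192.0.2.2", "vlan": 99, "packets": 1, "bytes": 60}
--END--
"""


if __name__ == "__main__":
    assert not shadowed(RULES), "catch-all must stay last"
    for rec in enrich(SAMPLE.splitlines()):
        print(rec["vlan"], rec["direction"], rec["iface_in"], rec["iface_out"])
```

Run it against a real print-plugin file by replacing SAMPLE with the file's lines; the VLAN 99 record shows what the catch-all entry produces (direction unknown, both interfaces 0), and swapping the catch-all to the top of RULES reproduces the "everything is egress on 62"-style collapse, which shadowed() then reports.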