Hi Paolo, thanks for your response.
> All of that should fall in the pre_tag_filter domain but I can > anticipate you none of the fields you are mentioning (ie. > post_nat_src_host, src_host_country or nat_event) are currently > supported. What would be your use-case? Feel free to say here or via > unicast email. We are collecting IPFIX NAT event records from a gateway device containing the 5 tupel, post_nat_src_host, post_nat_src_port, nat_event, and some counters. In this setup, I have two use cases: 1) While we are receiving both create events (nat_event=4) and destroy (nat_event=5), I only want to persist the destroy events in DB, as those carry all the information required. Hence, my intention was to somehow filter for nat_event=5. 2) In addition to that, depending on the NAT IP address, different retention policies apply. Hence, I want to filter for post_nat_src_host to be in a given a.b.c.d/e network and pass to a dedicated plugin, e.g. to persist in dedicated DB table. If I got you right, this is supposed to be done by using a pre_tag_map to tag the records and do the filtering by pre_tag_filter on the given tag. However, support for the particular attributes (post_nat_src_host, nat_event) to be used as match in pre_tag_map needs to be implemented. I guess, this would be straight forward, as it would be similar to the existing matches (dst_as, dst_mac, ...), right? Thanks in advance Timo > On Tue, Feb 28, 2017 at 01:54:14PM +0100, Timo Lindhorst wrote: >> Hi, >> >> we're currently digging into pmacct and friends and I'm quite happy >> about its feature set and extensibility. >> >> Now, I face a probably not so uncommon use case, which I'm not able >> to find a simple solution for: >> >> The `aggregate_filter` key allows to filter flows before passing them >> to a plugin. The filter syntax is supposed to be a pcap-filter: >> aggregate_filter[inbound]: dst net 192.168.0.0/16 >> >> However, is there a way to filter for non-pcap attributes, like >> src_host_country or nat_event? In my present case, I like to filter >> the post_nat_src_host to be in a given network, but I don't see >> a way to do this with aggregate_filter and pcap syntax. >> >> The documentation for aggregate_filter says: >> > This directive can be used in conjunction with 'pre_tag_filter' >> > (which, in turn, allows to filter tags). >> Hence, I guess it should be possible to filter for tags. However, >> trying `tag 1` as filter results in a "syntax error". >> >> I appreciate any help or hint how to approach this. >> >> Thanks in advance >> Timo >> >> >> >> >> >> -- >> Dipl.-Ing.-Inf. Timo Lindhorst >> >> email: timo.lindho...@travelping.com >> phone: +49-391-819099-236 >> >> ----------------------- enabling your networks ---------------------- >> >> Travelping GmbH phone: +49-391-81 90 99 0 >> Roentgenstr. 13, 39108 Magdeburg fax: +49-391-81 90 99 299 >> Koernerstr. 7-10, 10785 Berlin email: i...@travelping.com >> GERMANY web: http://www.travelping.com >> >> Company Registration: Amtsgericht Stendal Reg No.: HRB 10578 >> Geschaeftsfuehrer: Holger Winkelmann VAT ID No.: DE236673780 > > --------------------------------------------------------------------- _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
