Hi Paolo, > I would make one exception > which did not raise from your email: the potential need for IP addresses > (in the IPFIX flow) to be masked with a given netmask for comparison > against a prefix in the map -
>From browsing the documentation, I assumed that 'ip' as pretag match might be a template for matching IP addresses against a net prefix. > If we are in-sync, i guess we can pass to private email for two things: > 1) get from you some sample data that i can replay in lab and 2) agree > some timelines. Or alternatively, should you feel to be in the position > of contribute some code, that would be fantastic. In principle, I would like to contribute myself. However, if I face any trouble, I will address to you privately. Thanks for now for your kind support! Best Timo > > Paolo > > On Wed, Mar 01, 2017 at 04:25:26PM +0100, Timo Lindhorst wrote: >> Hi Paolo, >> >> thanks for your response. >> >> > All of that should fall in the pre_tag_filter domain but I can >> > anticipate you none of the fields you are mentioning (ie. >> > post_nat_src_host, src_host_country or nat_event) are currently >> > supported. What would be your use-case? Feel free to say here or via >> > unicast email. >> >> We are collecting IPFIX NAT event records from a gateway device >> containing the 5 tupel, post_nat_src_host, post_nat_src_port, >> nat_event, and some counters. In this setup, I have two use cases: >> >> 1) While we are receiving both create events (nat_event=4) and destroy >> (nat_event=5), I only want to persist the destroy events in DB, as >> those carry all the information required. Hence, my intention was >> to somehow filter for nat_event=5. >> >> 2) In addition to that, depending on the NAT IP address, different >> retention policies apply. Hence, I want to filter for post_nat_src_host >> to be in a given a.b.c.d/e network and pass to a dedicated plugin, >> e.g. to persist in dedicated DB table. >> >> If I got you right, this is supposed to be done by using a pre_tag_map >> to tag the records and do the filtering by pre_tag_filter on the given >> tag. However, support for the particular attributes (post_nat_src_host, >> nat_event) to be used as match in pre_tag_map needs to be implemented. >> I guess, this would be straight forward, as it would be similar to the >> existing matches (dst_as, dst_mac, ...), right? >> >> Thanks in advance >> Timo >> >> >> >> >> > On Tue, Feb 28, 2017 at 01:54:14PM +0100, Timo Lindhorst wrote: >> >> Hi, >> >> >> >> we're currently digging into pmacct and friends and I'm quite happy >> >> about its feature set and extensibility. >> >> >> >> Now, I face a probably not so uncommon use case, which I'm not able >> >> to find a simple solution for: >> >> >> >> The `aggregate_filter` key allows to filter flows before passing them >> >> to a plugin. The filter syntax is supposed to be a pcap-filter: >> >> aggregate_filter[inbound]: dst net 192.168.0.0/16 >> >> >> >> However, is there a way to filter for non-pcap attributes, like >> >> src_host_country or nat_event? In my present case, I like to filter >> >> the post_nat_src_host to be in a given network, but I don't see >> >> a way to do this with aggregate_filter and pcap syntax. >> >> >> >> The documentation for aggregate_filter says: >> >> > This directive can be used in conjunction with 'pre_tag_filter' >> >> > (which, in turn, allows to filter tags). >> >> Hence, I guess it should be possible to filter for tags. However, >> >> trying `tag 1` as filter results in a "syntax error". >> >> >> >> I appreciate any help or hint how to approach this. >> >> >> >> Thanks in advance >> >> Timo >> >> >> >> >> >> >> >> >> >> >> >> -- >> >> Dipl.-Ing.-Inf. Timo Lindhorst >> >> >> >> email: [email protected] >> >> phone: +49-391-819099-236 >> >> >> >> ----------------------- enabling your networks ---------------------- >> >> >> >> Travelping GmbH phone: +49-391-81 90 99 0 >> >> Roentgenstr. 13, 39108 Magdeburg fax: +49-391-81 90 99 299 >> >> Koernerstr. 7-10, 10785 Berlin email: [email protected] >> >> GERMANY web: http://www.travelping.com >> >> >> >> Company Registration: Amtsgericht Stendal Reg No.: HRB 10578 >> >> Geschaeftsfuehrer: Holger Winkelmann VAT ID No.: DE236673780 > > > > --------------------------------------------------------------------- _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
