On Fri, Jul 25, 2008 at 03:13:01PM +0100, Stuart Henderson wrote:
> On 2008/07/25 09:55, Stuart Henderson wrote:
> > On 2008/07/24 23:05, Sean Malloy wrote:
> > > Tested on i386 July 16th snapshot. Seems to work fine. 
> > 
> > thanks Sean!
> 
> can I ask you to try this instead please?
> thanks very much!
> 
> ? pfflowd.diff.canacar
> cvs server: Diffing .
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/net/pfflowd/Makefile,v
> retrieving revision 1.8
> diff -u -p -r1.8 Makefile
> --- Makefile  28 Jun 2008 08:30:00 -0000      1.8
> +++ Makefile  25 Jul 2008 14:12:07 -0000
> @@ -1,7 +1,5 @@
>  # $OpenBSD: Makefile,v 1.8 2008/06/28 08:30:00 ajacoutot Exp $
>  
> -BROKEN=              needs to cope with recent network changes
> -
>  COMMENT=     PF to NetFlow converter
>  
>  DISTNAME=    pfflowd-0.7
> cvs server: Diffing patches
> Index: patches/patch-pfflowd_c
> ===================================================================
> RCS file: patches/patch-pfflowd_c
> diff -N patches/patch-pfflowd_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-pfflowd_c   25 Jul 2008 14:12:07 -0000
> @@ -0,0 +1,182 @@
> +$OpenBSD$
> +--- pfflowd.c.orig   Fri Jun 13 02:40:21 2008
> ++++ pfflowd.c        Fri Jun 13 02:56:30 2008
> +@@ -210,14 +210,14 @@ connsock(struct sockaddr *addr, socklen_t len)
> + }
> + 
> + static void 
> +-format_pf_host(char *buf, size_t n, struct pf_state_host *h, sa_family_t af)
> ++format_pf_addr(char *buf, size_t n, const struct pf_addr *h, sa_family_t af)
> + {
> +     const char *err = NULL;
> + 
> +     switch (af) {
> +     case AF_INET:
> +     case AF_INET6:
> +-            if (inet_ntop(af, &h->addr, buf, n) == NULL)
> ++            if (inet_ntop(af, h, buf, n) == NULL)
> +                     err = strerror(errno);
> +             break;
> +     default:
> +@@ -253,7 +253,8 @@ send_netflow_v1(const struct pfsync_state *st, u_int n
> + 
> +     hdr = (struct NF1_HEADER *)packet;
> +     for(num_packets = offset = j = i = 0; i < n; i++) {
> +-            struct pf_state_host src, dst;
> ++            const struct pf_addr *src, *dst;
> ++            u_int16_t src_port, dst_port;
> +             u_int32_t bytes_in, bytes_out;
> +             u_int32_t packets_in, packets_out;
> +             char src_s[64], dst_s[64], rt_s[64], pbuf[16], creation_s[64];
> +@@ -300,19 +301,23 @@ send_netflow_v1(const struct pfsync_state *st, u_int n
> +                     creation = uptime_ms; /* Avoid u_int wrap */
> + 
> +             if (st[i].direction == PF_OUT) {
> +-                    memcpy(&src, &st[i].lan, sizeof(src));
> +-                    memcpy(&dst, &st[i].ext, sizeof(dst));
> ++                    src = &st[i].key[PF_SK_WIRE].addr[1];
> ++                    dst = &st[i].key[PF_SK_WIRE].addr[0];
> ++                    src_port = st[i].key[PF_SK_WIRE].port[1];
> ++                    dst_port = st[i].key[PF_SK_WIRE].port[0];
> +             } else {
> +-                    memcpy(&src, &st[i].ext, sizeof(src));
> +-                    memcpy(&dst, &st[i].lan, sizeof(dst));
> ++                    src = &st[i].key[PF_SK_STACK].addr[0];
> ++                    dst = &st[i].key[PF_SK_STACK].addr[1];
> ++                    src_port = st[i].key[PF_SK_STACK].port[0];
> ++                    dst_port = st[i].key[PF_SK_STACK].port[1];
> +             }
> + 
> +             flw = (struct NF1_FLOW *)(packet + offset);
> +             if (netflow_socket != -1 && st[i].packets[0][0] != 0) {
> +-                    flw->src_ip = src.addr.v4.s_addr;
> +-                    flw->dest_ip = dst.addr.v4.s_addr;
> +-                    flw->src_port = src.port;
> +-                    flw->dest_port = dst.port;
> ++                    flw->src_ip = src->v4.s_addr;
> ++                    flw->dest_ip = dst->v4.s_addr;
> ++                    flw->src_port = src_port;
> ++                    flw->dest_port = dst_port;
> +                     flw->flow_packets = st[i].packets[0][0];
> +                     flw->flow_octets = st[i].bytes[0][0];
> +                     flw->flow_start = htonl(uptime_ms - creation);
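Review bot: The source/destination selection in this `if`/`else` is undocumented: for `PF_OUT` the source is `key[PF_SK_WIRE].addr[1]`, otherwise it is `key[PF_SK_STACK].addr[0]`, and nothing in the hunk says why both the key and the index flip. These fields replace the old `lan`/`ext` pair, so a reader cannot tell from the patch whether the exported flow carries translated or untranslated addresses, which matters when flow records are correlated with NAT during an investigation. A comment above the `if` would settle it, for example `/* PF_OUT: wire-side key, entry 1 is the source; otherwise stack-side key, entry 0 is the source (confirm which side is post-NAT) */`. The identical block is repeated in the send_netflow_v5 hunk at `@@ -472,20 +478,25 @@`, so a small static helper that fills `src`, `dst` and the two ports would keep the copies from drifting. The enclosing loop starts and ends outside this hunk.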
> +@@ -325,10 +330,10 @@ send_netflow_v1(const struct pfsync_state *st, u_int n
> +             }
> +             flw = (struct NF1_FLOW *)(packet + offset);
> +             if (netflow_socket != -1 && st[i].packets[1][0] != 0) {
> +-                    flw->src_ip = dst.addr.v4.s_addr;
> +-                    flw->dest_ip = src.addr.v4.s_addr;
> +-                    flw->src_port = dst.port;
> +-                    flw->dest_port = src.port;
> ++                    flw->src_ip = dst->v4.s_addr;
> ++                    flw->dest_ip = src->v4.s_addr;
> ++                    flw->src_port = dst_port;
> ++                    flw->dest_port = src_port;
> +                     flw->flow_packets = st[i].packets[1][0];
> +                     flw->flow_octets = st[i].bytes[1][0];
> +                     flw->flow_start = htonl(uptime_ms - creation);
> +@@ -352,17 +357,17 @@ send_netflow_v1(const struct pfsync_state *st, u_int n
> +                     strftime(creation_s, sizeof(creation_s), 
> +                         "%Y-%m-%dT%H:%M:%S", &creation_tm);
> + 
> +-                    format_pf_host(src_s, sizeof(src_s), &src, st[i].af);
> +-                    format_pf_host(dst_s, sizeof(dst_s), &dst, st[i].af);
> ++                    format_pf_addr(src_s, sizeof(src_s), src, st[i].af);
> ++                    format_pf_addr(dst_s, sizeof(dst_s), dst, st[i].af);
> +                     inet_ntop(st[i].af, &st[i].rt_addr, rt_s, sizeof(rt_s));
> + 
> +                     if (st[i].proto == IPPROTO_TCP || 
> +                         st[i].proto == IPPROTO_UDP) {
> +                             snprintf(pbuf, sizeof(pbuf), ":%d", 
> +-                                ntohs(src.port));
> ++                                ntohs(src_port));
> +                             strlcat(src_s, pbuf, sizeof(src_s));
> +                             snprintf(pbuf, sizeof(pbuf), ":%d", 
> +-                                ntohs(dst.port));
> ++                                ntohs(dst_port));
> +                             strlcat(dst_s, pbuf, sizeof(dst_s));
> +                     }
> + 
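Review bot: `rt_s` is still filled by a bare `inet_ntop(st[i].af, &st[i].rt_addr, rt_s, sizeof(rt_s))` whose return value is dropped, while the two lines above it now go through the checked helper. Since the helper now takes a `const struct pf_addr *`, the call could become `format_pf_addr(rt_s, sizeof(rt_s), &st[i].rt_addr, st[i].af);`, assuming `rt_addr` is a `struct pf_addr` (its declaration is not in the hunk). A failed conversion would then leave a defined string in `rt_s` rather than uninitialised stack contents, provided the helper writes to `buf` on error; that part of its body lies past the end of the first hunk. The same line appears in the send_netflow_v5 hunk at `@@ -525,17 +536,17 @@`.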
> +@@ -425,9 +430,10 @@ send_netflow_v5(const struct pfsync_state *st, u_int n
> + 
> +     hdr = (struct NF5_HEADER *)packet;
> +     for(num_packets = offset = j = i = 0; i < n; i++) {
> +-            struct pf_state_host src, dst;
> ++            const struct pf_addr *src, *dst;
> +             u_int32_t bytes_in, bytes_out, packets_in, packets_out;
> +             u_int32_t creation;
> ++            u_int16_t src_port, dst_port;
> +             char src_s[64], dst_s[64], rt_s[64], pbuf[16], creation_s[64];
> +             time_t creation_tt;
> +             struct tm creation_tm;
> +@@ -472,20 +478,25 @@ send_netflow_v5(const struct pfsync_state *st, u_int n
> +             if (creation > uptime_ms)
> +                     creation = uptime_ms; /* Avoid u_int wrap */
> + 
> ++
> +             if (st[i].direction == PF_OUT) {
> +-                    memcpy(&src, &st[i].lan, sizeof(src));
> +-                    memcpy(&dst, &st[i].ext, sizeof(dst));
> ++                    src = &st[i].key[PF_SK_WIRE].addr[1];
> ++                    dst = &st[i].key[PF_SK_WIRE].addr[0];
> ++                    src_port = st[i].key[PF_SK_WIRE].port[1];
> ++                    dst_port = st[i].key[PF_SK_WIRE].port[0];
> +             } else {
> +-                    memcpy(&src, &st[i].ext, sizeof(src));
> +-                    memcpy(&dst, &st[i].lan, sizeof(dst));
> ++                    src = &st[i].key[PF_SK_STACK].addr[0];
> ++                    dst = &st[i].key[PF_SK_STACK].addr[1];
> ++                    src_port = st[i].key[PF_SK_STACK].port[0];
> ++                    dst_port = st[i].key[PF_SK_STACK].port[1];
> +             }
> + 
> +             flw = (struct NF5_FLOW *)(packet + offset);
> +             if (netflow_socket != -1 && st[i].packets[0][0] != 0) {
> +-                    flw->src_ip = src.addr.v4.s_addr;
> +-                    flw->dest_ip = dst.addr.v4.s_addr;
> +-                    flw->src_port = src.port;
> +-                    flw->dest_port = dst.port;
> ++                    flw->src_ip = src->v4.s_addr;
> ++                    flw->dest_ip = dst->v4.s_addr;
> ++                    flw->src_port = src_port;
> ++                    flw->dest_port = dst_port;
> +                     flw->flow_packets = st[i].packets[0][0];
> +                     flw->flow_octets = st[i].bytes[0][0];
> +                     flw->flow_start = htonl(uptime_ms - creation);
> +@@ -498,10 +509,10 @@ send_netflow_v5(const struct pfsync_state *st, u_int n
> +             }
> +             flw = (struct NF5_FLOW *)(packet + offset);
> +             if (netflow_socket != -1 && st[i].packets[1][0] != 0) {
> +-                    flw->src_ip = dst.addr.v4.s_addr;
> +-                    flw->dest_ip = src.addr.v4.s_addr;
> +-                    flw->src_port = dst.port;
> +-                    flw->dest_port = src.port;
> ++                    flw->src_ip = dst->v4.s_addr;
> ++                    flw->dest_ip = src->v4.s_addr;
> ++                    flw->src_port = dst_port;
> ++                    flw->dest_port = src_port;
> +                     flw->flow_packets = st[i].packets[1][0];
> +                     flw->flow_octets = st[i].bytes[1][0];
> +                     flw->flow_start = htonl(uptime_ms - creation);
> +@@ -525,17 +536,17 @@ send_netflow_v5(const struct pfsync_state *st, u_int n
> +                     strftime(creation_s, sizeof(creation_s), 
> +                         "%Y-%m-%dT%H:%M:%S", &creation_tm);
> + 
> +-                    format_pf_host(src_s, sizeof(src_s), &src, st[i].af);
> +-                    format_pf_host(dst_s, sizeof(dst_s), &dst, st[i].af);
> ++                    format_pf_addr(src_s, sizeof(src_s), src, st[i].af);
> ++                    format_pf_addr(dst_s, sizeof(dst_s), dst, st[i].af);
> +                     inet_ntop(st[i].af, &st[i].rt_addr, rt_s, sizeof(rt_s));
> + 
> +                     if (st[i].proto == IPPROTO_TCP || 
> +                         st[i].proto == IPPROTO_UDP) {
> +                             snprintf(pbuf, sizeof(pbuf), ":%d", 
> +-                                ntohs(src.port));
> ++                                ntohs(src_port));
> +                             strlcat(src_s, pbuf, sizeof(src_s));
> +                             snprintf(pbuf, sizeof(pbuf), ":%d", 
> +-                                ntohs(dst.port));
> ++                                ntohs(dst_port));
> +                             strlcat(dst_s, pbuf, sizeof(dst_s));
> +                     }
> + 
> cvs server: Diffing pkg


Thanks for the new patch. I tested it on the July 16th i386 snapshot.
The patch applies cleanly and the following make targets work fine ...

$ make fetch
$ make  checksum
$ make  depends
$ make extract
$ make  patch
$ make  configure
$ make  build
$ make fake
$ make package
$ make install

When I try starting pfflowd it complains about an unsupported pfsync
version. For example ...

$ sudo pfflowd -Dn 127.0.0.1:12345
Password:
pfflowd[12161]: pfflowd listening on pfsync0
pfflowd[12161]: Unsupported pfsync version 4, exiting

I also noticed that the syslog messages report the wrong time when run
without the -D option. The clock seems to jump ahead five hours when only 
run with the -n option. For example ...

$ date
Sat Jul 26 01:21:22 CDT 2008
$ sudo pfflowd -Dn 127.0.0.1:12345
pfflowd[29215]: pfflowd listening on pfsync0
pfflowd[29215]: Unsupported pfsync version 4, exiting
$ sudo pfflowd -n 127.0.0.1:12345  

and the corresponding /var/log/messages entries ...

Jul 26 01:21:39 testbox0 pfflowd[29215]: pfflowd listening on pfsync0
Jul 26 01:21:40 testbox0 pfflowd[29215]: Unsupported pfsync version 4, exiting
Jul 26 06:21:45 testbox0 pfflowd[31021]: pfflowd listening on pfsync0
Jul 26 06:21:46 testbox0 pfflowd[31021]: Unsupported pfsync version 4, exiting

I am using flowd as the NetFlow collector; it listens on localhost port
12345. Here is some more information about my setup ...

$ sudo cat /etc/pf.conf
set skip on lo
pass log all

$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33204
    groups: lo
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:48:54:67:22:f3
    groups: egress
    media: Ethernet autoselect (100baseTX full-duplex)
    status: active
    inet 192.168.2.202 netmask 0xffffff00 broadcast 192.168.2.255
    inet6 fe80::248:54ff:fe67:22f3%rl0 prefixlen 64 scopeid 0x1
enc0: flags=0<> mtu 1536
pfsync0: flags=41<UP,RUNNING> mtu 1460
    groups: carp pfsync

OpenBSD 4.4-beta (GENERIC) #979: Wed Jul 16 09:40:32 MDT 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III ("GenuineIntel" 686-class) 502 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE
real mem  = 267939840 (255MB)
avail mem = 250863616 (239MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 10/25/99, BIOS32 rev. 0 @ 0xfb240, SMBIOS 
rev. 2.2 @ 0xf0800 (29 entries)
bios0: vendor Award Software International, Inc. version "4.60 PGMA" date 
10/25/99
apm0 at bios0: Power Management spec V1.2 (slowidle)
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xb6b8
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdc80/144 (7 entries)
pcibios0: PCI Exclusive IRQs: 10 11
pcibios0: PCI Interrupt Router at 000:07:0 ("VIA VT82C596A ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0x10000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA VT82C691 PCI" rev 0x44
ppb0 at pci0 dev 1 function 0 "VIA VT82C598 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "NVIDIA GeForce256" rev 0x10
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
agp0 at vga1: v2, aperture at 0xe8000000, size 0x10000000
pcib0 at pci0 dev 7 function 0 "VIA VT82C596A ISA" rev 0x12
pciide0 at pci0 dev 7 function 1 "VIA VT82C571 IDE" rev 0x06: ATA66, channel 0 
configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: <Maxtor 6Y080P0>
wd0: 16-sector PIO, LBA, 78166MB, 160084415 sectors
wd1 at pciide0 channel 0 drive 1: <ST380011A>
wd1: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 4
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets, initiator 7
cd0 at scsibus0 targ 0 lun 0: <HITACHI, DVD-ROM GD-2500, A012> ATAPI 5/cdrom 
removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 7 function 2 "VIA VT83C572 USB" rev 0x08: irq 11
"VIA VT82C596 Power" rev 0x20 at pci0 dev 7 function 3 not configured
rl0 at pci0 dev 9 function 0 "Realtek 8139" rev 0x10: irq 11, address 
00:48:54:67:22:f3
rlphy0 at rl0 phy 0: RTL internal PHY
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 "VIA UHCI root hub" rev 1.00/1.00 addr 1
biomask ff65 netmask ff65 ttymask ffff
mtrr: Pentium Pro MTRR support
softraid0 at root
root on wd0a swap on wd0b dump on wd0b

I will try to update to a newer snapshot and test on amd64 and macppc
soon.

-- 
Sean Malloy
www.spmalloy.com
GPG KeyID: 0x13EEB747
GPG Fingerprint: D059 5076 ABB3 1E08 9965 1958 F820 CE83 13EE B747
