diff --git a/README b/README
index 71a68e4..208fdf7 100644
--- a/README
+++ b/README
@@ -572,10 +572,21 @@ ipt_NETFLOW linux 2.6.x-4.x kernel module by -- 2008-2016.
 desirable to combine it with packet processing on very highly loaded routers.
- This option also could be changed at runtime with:
+ This option could be changed at runtime with:
 # echo number > /sys/module/ipt_NETFLOW/parameters/exportcpu
+ engine_id=number
+ - Observation Domain ID (on IPFIX, Source Id on NetFlow v9, or Engine Id
+ on NetFlow v5) value to be exported. This may help your collector to
+ distinguish between multiple exporters. On Netflow v9 and IPFIX this
+ value is 32-bit on NetFlow v5 only 8 low bits are significant.
+ Default value is 0.
+
+ This option could be changed at runtime with:
+
+ # echo number > /sys/module/ipt_NETFLOW/parameters/engine_id
+
 ====================
 = HOW TO READ STAT =
diff --git a/configure b/configure
index caa4832..9e103df 100755
--- a/configure
+++ b/configure
@@ -312,7 +312,7 @@ do
 --disable-snmp-a*) SKIPSNMP=1 ;;
 --disable-net-snmp*) SKIPSNMP=1 ;;
 --disable-dkms*) SKIPDKMS=1 ;;
- --from-dkms-conf) ;;
+ --from-dkms-conf*) ;;
 --make) echo called from make; CARGS=`echo $CARGS | sed s/--make//g` ;;
 -Werror) KOPTS="$KOPTS -Werror" ;;
 --help|-h) show_help ;;
diff --git a/ipt_NETFLOW.c b/ipt_NETFLOW.c
index 652b88a..d7e807c 100644
--- a/ipt_NETFLOW.c
+++ b/ipt_NETFLOW.c
@@ -209,6 +209,10 @@ MODULE_PARM_DESC(maxflows, "maximum number of flows");
 static int peakflows = 0;
 static unsigned long peakflows_at; /* jfffies */
+static int engine_id = 0;
+module_param(engine_id, int, 0644);
+MODULE_PARM_DESC(engine_id, "Observation Domain ID");
+
 #ifdef ENABLE_AGGR
 #define AGGR_SIZE 1024
 static char aggregation_buf[AGGR_SIZE] = "";
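Review bot: The widened pattern `--from-dkms-conf*)` also matches any option that merely starts with that prefix (a misspelling such as `--from-dkms-config`, for instance), which is then accepted and ignored instead of reaching whatever branch handles unknown options; if the intent is to accept a value after the flag, that value is never read either. The neighbouring cases use the same trailing-glob style, so this is consistent, but naming the accepted spellings keeps the silent-ignore bounded: `--from-dkms-conf|--from-dkms-conf=*) ;;`. The enclosing `case` block continues outside the hunk, so I cannot see whether a catch-all branch reports unknown options.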
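Review bot: `engine_id` is registered as a signed `int` parameter but it fills unsigned wire fields, so a negative value written through sysfs is accepted and silently reinterpreted; in the `netflow_export_pdu_v5` hunk the `(__u8)` cast keeps only the low 8 bits, so any value outside 0..255 also wraps without any warning. Declaring it as `static unsigned int engine_id = 0;` with `module_param(engine_id, uint, 0644);` makes the kernel's parameter parser reject negative input at write time, and the v5 truncation is worth stating in the description, e.g. `MODULE_PARM_DESC(engine_id, "Observation Domain ID (32 bit on v9/IPFIX, low 8 bits on v5)");`. How the value is consumed on the v9/IPFIX path is outside these hunks, so I am assuming it is copied into a 32-bit header field there. The parameter is writable at runtime, so a short comment at the declaration noting that a change applies to the next exported PDU would also help the next reader.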
@@ -271,7 +275,6 @@ static union {
 struct netflow9_pdu v9;
 struct ipfix_pdu ipfix;
 } pdu;
-static int engine_id = 0; /* Observation Domain */
 static __u8 *pdu_data_used;
 static __u8 *pdu_high_wm; /* high watermark */
 static struct flowset_data *pdu_flowset = NULL; /* current data flowset */
@@ -2532,7 +2535,7 @@ static void netflow_export_pdu_v5(void)
 pdu.v5.ts_unsecs = htonl(tv.tv_usec);
 pdu.v5.seq = htonl(pdu_seq);
 //pdu.v5.eng_type = 0;
- pdu.v5.eng_id = engine_id;
+ pdu.v5.eng_id = (__u8)engine_id;
 #ifdef ENABLE_SAMPLER
 pdu.v5.sampling = htons(sampler_nf_v5());
 #endif
diff --git a/openwrt/Makefile b/openwrt/Makefile
new file mode 100644
index 0000000..a29f312
--- /dev/null
+++ b/openwrt/Makefile
@@ -0,0 +1,126 @@
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=ipt-netflow
+PKG_RELEASE:=2
+
+PKG_SOURCE_URL:=https://github.com/aabc/$(PKG_NAME).git
+PKG_VERSION:=2.2
+PKG_SOURCE_VERSION:=v$(PKG_VERSION)
+
+#TO BUILD development version uncomment 2 rows below and remove patches
+#PKG_VERSION:=$(shell (git ls-remote $(PKG_SOURCE_URL) | grep refs/heads/master | cut -f 1 | head -c 7))
+#PKG_SOURCE_VERSION:=HEAD
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+
+PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
+
+PKG_BUILD_DIR := $(KERNEL_BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
+PKG_DEPENDS:=iptables
+
+include $(INCLUDE_DIR)/package.mk
+
+
+define KernelPackage/ipt-netflow
+ SECTION:=net
+ CATEGORY:=Network
+ SUBMENU:=Netflow
+ TITLE:=Netflow iptables module for Linux kernel
+ URL:=http://ipt-netflow.sourceforge.net/
+ FILES:=$(PKG_BUILD_DIR)/ipt_NETFLOW.ko
+ DEPENDS:=+iptables +iptables-mod-netflow
+endef
+
+
+define Package/iptables-mod-netflow
+ SECTION:=net
+ CATEGORY:=Network
+ SUBMENU:=Netflow
+ TITLE:=Netflow iptables module for Linux kernel
+ URL:=http://ipt-netflow.sourceforge.net/
+ #DEPENDS:=+kmod-ipt-netflow
+ DEPENDS:=+iptables
+endef
+
+CONFIGURE_ARGS:= \
+ --kdir="$(LINUX_DIR)"
+
+define Package/iptables-mod-netflow/config
+ menu "Configuration"
+ depends on PACKAGE_iptables-mod-netflow
+ config PACKAGE_iptables-mod-netflow_natevents
+ bool "enables natevents support"
+ default n
+ config PACKAGE_iptables-mod-netflow_snmp-rules
+ bool "enables SNMP-index conversion rules"
+ default n
+ config PACKAGE_iptables-mod-netflow_macaddress
+ bool "enables MAC address for v9/IPFIX"
+ default n
+ config PACKAGE_iptables-mod-netflow_vlan
+ bool "enables VLAN Ids for v9/IPFIX"
+ default n
+ config PACKAGE_iptables-mod-netflow_direction
+ bool "enables flowDirection(61) Element"
+ default n
+ config PACKAGE_iptables-mod-netflow_sampler
+ bool "enables Flow Sampling"
+ default n
+ config PACKAGE_iptables-mod-netflow_aggregation
+ bool "enables aggregation rules"
+ default n
+ config PACKAGE_iptables-mod-netflow_promisc
+ bool "enables promisc hack mode"
+ default n
+ config PACKAGE_iptables-mod-netflow_promisc-mpls
+ bool "decapsulate MPLS in promisc mode"
+ default n
+ config PACKAGE_iptables-mod-netflow_physdev
+ bool "enables physdev reporting"
+ default n
+ config PACKAGE_iptables-mod-netflow_physdev-override
+ bool "to override interfaces"
+ default n
+ config PACKAGE_iptables-mod-netflow_snmp-agent
+ bool "disables net-snmp agent"
+ default y
+ config PACKAGE_iptables-mod-netflow_dkms
+ bool "disables DKMS support completely"
+ default y
+ config PACKAGE_iptables-mod-netflow_dkms-install
+ bool "no DKMS install but still create dkms.conf"
+ default n
+ endmenu
+endef
+
+CONFIGURE_ARGS += \
+ $(if $(CONFIG_PACKAGE_iptables-mod-netflow_natevents),--enable-natevents) \
+ $(if $(CONFIG_PACKAGE_iptables-mod-netflow_snmp-rules),--enable-snmp-rules) \
+ $(if $(CONFIG_PACKAGE_iptables-mod-netflow_macaddress),--enable-macaddress) \
+ $(if $(CONFIG_PACKAGE_iptables-mod-netflow_vlan),--enable-vlan) \
+ $(if $(CONFIG_PACKAGE_iptables-mod-netflow_direction),--enable-direction) \
+ $(if $(CONFIG_PACKAGE_iptables-mod-netflow_sampler),--enable-sampler) \
+ $(if $(CONFIG_PACKAGE_iptables-mod-netflow_aggregation),--enable-aggregation) \
+ $(if $(CONFIG_PACKAGE_iptables-mod-netflow_promisc),--enable-promisc) \
+ $(if $(CONFIG_PACKAGE_iptables-mod-netflow_promisc-mpls),--promisc-mpls) \
+ $(if $(CONFIG_PACKAGE_iptables-mod-netflow_physdev),--enable-physdev) \
+ $(if $(CONFIG_PACKAGE_iptables-mod-netflow_physdev-override),--enable-physdev-override) \
+ $(if $(CONFIG_PACKAGE_iptables-mod-netflow_snmp-agent),--disable-snmp-agent) \
+ $(if $(CONFIG_PACKAGE_iptables-mod-netflow_dkms),--disable-dkms) \
+ $(if $(CONFIG_PACKAGE_iptables-mod-netflow_dkms-install),--disable-dkms-install)
+
+#TODO: --enable-sampler=hash --promisc-mpls=N
+
+
+$(eval $(call KernelPackage,ipt-netflow))
+
+$(eval $(call Package,kmod-ipt-netflow))
+
+define Package/iptables-mod-netflow/install
+ $(MAKE) -C $(PKG_BUILD_DIR) DESTDIR=$(1) linstall
+ #TODO: snmp install, dkms install
+endef
+
+$(eval $(call BuildPackage,iptables-mod-netflow))
diff --git a/openwrt/Readme.md b/openwrt/Readme.md
new file mode 100644
index 0000000..7d0520f
--- /dev/null
+++ b/openwrt/Readme.md
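Review bot: The source is fetched over git at a mutable reference — `PKG_SOURCE_VERSION:=v$(PKG_VERSION)` is a tag, and the commented-out development variant resolves `HEAD` — and no integrity hash is declared, so whatever the remote serves under that name is compiled into the kernel module and the firmware without verification. Pinning `PKG_SOURCE_VERSION` to the full commit id behind the v2.2 tag (placeholder: `PKG_SOURCE_VERSION:=<full-commit-sha1>`) and adding the buildroot's mirror-tarball hash (`PKG_MIRROR_HASH:=<sha256>` on current trees; the Chaos Calmer era used an MD5 variable instead) makes the fetch reproducible and makes an upstream change detectable at build time. `$(eval $(call Package,kmod-ipt-netflow))` also looks out of place next to the `KernelPackage` call above it, since this file defines no `Package/kmod-ipt-netflow` template — presumably a leftover, worth confirming against the buildroot's package.mk.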
@@ -0,0 +1,69 @@
+Cross-compiling and packages for openwrt
+===
+
+Place Makefile in `packages/network/ipt-netflow` directory in OpenWRT bouldroot.
+Run `make menuconfig` and select package in Network/Netflow menu. Configure args partially supported.
+
+Run `make` to build full firmware or `make package/network/ipt-netflow/{clean,prepare,configure,compile,install}` to rebuild packages.
+
+To make git version uncomment two lines in Makefile.
+
+Tested to work on Chaos Calmer and Designated Driver with Atheros AR7xxx/AR9xxx target.
+
+For ipt-netflow 2.2 patches are needed, drop it for next version or git master to build.
+
+Making and installilng
+===
+
+```shell
+mkdir debian-toolchain
+sudo debootstrap jessie debian-toolchain
+sudo chroot debian-toolchain
+
+. /etc/profile
+apt update
+apt install git ssh-client build-essential mercurial subversion \
+ binutils flex bzip2 asciidoc ncurses-dev libssl-dev gawk zlib1g-dev fastjar
+
+adduser user
+su user
+. /etc/profile
+cd ~
+
+git clone https://github.com/openwrt/openwrt.git openwrt-trunk
+git clone https://github.com/aabc/ipt-netflow.git
+
+cd openwrt-trunk
+./scripts/feeds update -a
+ln -s ~/ipt-netflow/openwrt/ package/network/ipt-netflow
+
+
+make menuconfig
+ #select target and device
+ #go to network/netflow and check both
+
+make
+ #and go for dinner or a walk ;)
+ #after five hours
+
+scp bin/ar71xx/packages/kernel/kmod-ipt-netflow_4.4.14+2.2-2_ar71xx.ipk \
+ root@192.168.236.79:/tmp/
+scp bin/ar71xx/packages/base/iptables-mod-netflow_2.2-2_ar71xx.ipk \
+ root@192.168.236.79:/tmp/
+scp bin/ar71xx/packages/base/kernel_4.4.14-1-abf9cc6feb410252d667326556dae184_ar71xx.ipk \
+ root@192.168.236.79:/tmp/
+
+ #goto router
+ssh root@192.168.236.79
+
+opkg install /tmp/*.ipk
+
+insmod /lib/modules/4.4.14/ipt_NETFLOW.ko
+sysctl -w net.netflow.protocol=5
+sysctl -w net.netflow.destination=192.168.236.34:2055
+
+iptables -I FORWARD -j NETFLOW
+iptables -I INPUT -j NETFLOW
+iptables -I OUTPUT -j NETFLOW
+
+```
diff --git a/openwrt/patches/310-Makefile_crosscompile.patch b/openwrt/patches/310-Makefile_crosscompile.patch
new file mode 100644
index 0000000..22ebd52
--- /dev/null
+++ b/openwrt/patches/310-Makefile_crosscompile.patch
@@ -0,0 +1,17 @@
+Index: ipt-netflow-2.2/Makefile.in
+===================================================================
+--- ipt-netflow-2.2.orig/Makefile.in
++++ ipt-netflow-2.2/Makefile.in
+@@ -64,10 +64,10 @@ sinstall: | snmp_NETFLOW.so IPT-NETFLOW-
+ fi
+
+ %_sh.o: libipt_NETFLOW.c
+- gcc -O2 -Wall -Wunused $(IPTABLES_CFLAGS) -fPIC -o $@ -c libipt_NETFLOW.c
++ $(CC) $(CFLAGS) -O2 -Wall -Wunused $(IPTABLES_CFLAGS) -fPIC -o $@ -c libipt_NETFLOW.c
+
+ %.so: %_sh.o
+- gcc -shared -o $@ $<
++ $(CC) -shared -o $@ $<
+
+ version.h: ipt_NETFLOW.c ipt_NETFLOW.h compat.h Makefile
+ @./version.sh --define > version.h
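Review bot: The `%.so` link rule in the inner patch switches to `$(CC)` but passes no `$(LDFLAGS)` (the compile rule above it was given `$(CFLAGS)`), so linker flags the buildroot sets for the target — including any hardening flags it applies to userspace objects — are dropped for `libipt_NETFLOW.so`; `$(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $<` keeps them. In the compile rule `$(CFLAGS)` precedes the hard-coded `-O2`, so an optimisation level chosen by the caller is overridden by the later flag; placing `$(CFLAGS)` after the fixed options, or dropping the fixed `-O2`, avoids that. Both rules live in a patch against Makefile.in, so the change applies to the inner `+` lines only; the rest of that Makefile is outside the hunk.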