diff --git a/Makefile.in b/Makefile.in
index 30ebbfe..0a82c67 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,43 +1,73 @@
-#
+# Edit Makefile.in and run ./configure
KVERSION = @KVERSION@
KDIR = @KDIR@
+KINSTDIR = $(shell dirname @KDIR@)
IPTABLES_CFLAGS = @IPTABLES_CFLAGS@
IPTABLES_MODULES = @IPTABLES_MODULES@
+DEPMOD = depmod -a
+# https://www.kernel.org/doc/Documentation/kbuild/modules.txt
+# https://www.kernel.org/doc/Documentation/kbuild/makefiles.txt
obj-m = ipt_NETFLOW.o
-ipt_NETFLOW.ko: ipt_NETFLOW.c ipt_NETFLOW.h
+all: ipt_NETFLOW.ko libipt_NETFLOW.so libip6t_NETFLOW.so
+ipt_NETFLOW.ko: version.h ipt_NETFLOW.c ipt_NETFLOW.h Makefile
@echo Compiling for kernel $(KVERSION)
make -C $(KDIR) M=$(CURDIR) modules
-all: ipt_NETFLOW.ko libipt_NETFLOW.so
-minstall:
- make -C $(KDIR) M=$(CURDIR) modules_install
+ @touch $@
+sparse: | version.h ipt_NETFLOW.c ipt_NETFLOW.h Makefile
+ @rm -f ipt_NETFLOW.ko ipt_NETFLOW.o
+ @echo Compiling for kernel $(KVERSION)
+ make -C $(KDIR) M=$(CURDIR) modules C=1
+ @touch ipt_NETFLOW.ko
+minstall: | ipt_NETFLOW.ko
+ make -C $(KDIR) M=$(CURDIR) modules_install INSTALL_MOD_PATH=$(DESTDIR)
+ $(DEPMOD)
mclean:
make -C $(KDIR) M=$(CURDIR) clean
lclean:
-rm -f *.so *_sh.o
clean: mclean lclean
- -rm -f *.so *.o modules.order
+ -rm -f *.so *.o modules.order version.h
+
+%_sh.o: libipt_NETFLOW.c
+ gcc -O2 -Wall -Wunused $(IPTABLES_CFLAGS) -fPIC -o $@ -c libipt_NETFLOW.c
+
+%.so: %_sh.o
+ gcc -shared -o $@ $<
-libipt_NETFLOW.so: libipt_NETFLOW.c
- gcc -O2 -Wall -Wunused -I$(KDIR)/include $(IPTABLES_CFLAGS) -fPIC -o libipt_NETFLOW_sh.o -c libipt_NETFLOW.c
- gcc -shared -o libipt_NETFLOW.so libipt_NETFLOW_sh.o
+version.h: ipt_NETFLOW.c ipt_NETFLOW.h Makefile
+ @if [ -d .git ] && type git >/dev/null 2>&1; then \
+ echo "#define GITVERSION \"`git describe --dirty`\""; \
+ fi > version.h
-linstall: ipt_NETFLOW.ko libipt_NETFLOW.so
- cp -a libipt_NETFLOW.so $(IPTABLES_MODULES)
+linstall: | libipt_NETFLOW.so libip6t_NETFLOW.so
+ install -D libipt_NETFLOW.so $(DESTDIR)$(IPTABLES_MODULES)/libipt_NETFLOW.so
+ install -D libip6t_NETFLOW.so $(DESTDIR)$(IPTABLES_MODULES)/libip6t_NETFLOW.so
install: minstall linstall
+uninstall:
+ -rm -f $(DESTDIR)$(IPTABLES_MODULES)/libipt_NETFLOW.so
+ -rm -f $(DESTDIR)$(IPTABLES_MODULES)/libip6t_NETFLOW.so
+ -rm -f $(DESTDIR)$(KINSTDIR)/extra/ipt_NETFLOW.ko
+
Makefile: Makefile.in configure
./configure --make
load: all
- insmod ipt_NETFLOW.ko active_timeout=5
- iptables -A OUTPUT -d 0/0 -j NETFLOW
- iptables -A INPUT -d 0/0 -j NETFLOW
+ -insmod ipt_NETFLOW.ko active_timeout=5 protocol=9
+ -iptables -I OUTPUT -j NETFLOW
+ -iptables -I INPUT -j NETFLOW
+ -ip6tables -I OUTPUT -j NETFLOW
+ -ip6tables -I INPUT -j NETFLOW
unload:
- iptables -D OUTPUT -d 0/0 -j NETFLOW
- iptables -D INPUT -d 0/0 -j NETFLOW
- rmmod ipt_NETFLOW.ko
+ -iptables -D OUTPUT -j NETFLOW
+ -iptables -D INPUT -j NETFLOW
+ -ip6tables -D OUTPUT -j NETFLOW
+ -ip6tables -D INPUT -j NETFLOW
+ -rmmod ipt_NETFLOW.ko
+
+reload: unload load
diff --git a/README b/README
index 213f02c..56a4fde 100644
--- a/README
+++ b/README
@@ -1,10 +1,17 @@
-ipt_NETFLOW linux 2.6 kernel module by <abc@telekom.ru> -- 11 Feb 2008
+ipt_NETFLOW linux 2.6.x-3.x kernel module by <abc@telekom.ru> -- 2008-2013.
+
+ High performance NetFlow v5, v9, IPFIX flow data export module for Linux
+ kernel. Supporting IPv4 and IPv6. Created to be useful for highly loaded
+ linux router. It should be used as iptables target. Also can export NAT
+ translation events using NetFlow Event Logging (NEL) for v9, IPFIX, or
+ specially crafted v5 flows.
+
============================
= OBTAINING LATEST VERSION =
============================
- $ git clone git://ipt-netflow.git.sourceforge.net/gitroot/ipt-netflow/ipt-netflow
+ $ git clone git://git.code.sf.net/p/ipt-netflow/code ipt-netflow
$ cd ipt-netflow
@@ -12,94 +19,220 @@ ipt_NETFLOW linux 2.6 kernel module by <abc@telekom.ru> -- 11 Feb 2008
= INSTALLATION =
================
-1. Besides kernel you will need iptables/netfilter source matching your
- installation or just fresh install from there: ftp://ftp.netfilter.org/pub/iptables/snapshot/
- I have this: ftp://ftp.netfilter.org/pub/iptables/snapshot/iptables-1.3.7-20070329.tar.bz2
- Unpack it somewhere and build with make.
+ Four easy steps.
+
+** 1. Prepare Kernel source
+
+ If you have package system install kernel-devel package, otherwise install
+ raw kernel source from http://kernel.org matching _exactly_ version of your
+ installed kernel.
+
+ a) What to do for Centos:
+
+ ~# yum install kernel-devel
+
+ b) What to do for Debian:
+
+ ~# apt-get install module-assistant
+ ~# m-a prepare
+
+ c) Otherwise, if you downloaded raw kernel sources don't forget to create
+ .config by copying it from your distribution's kernel. Its copy could reside
+ in /boot or sometimes in /proc, examples:
+
+ kernel-src-dir/# cp /boot/config-`uname -r` .config
+ or
+ kernel-src-dir/# zcat /proc/config.gz > .config
+
+ Assuming you unpacked kernel source into `kernel-src-dir/' directory.
+ Then run:
+
+ kernel-src-dir/# make oldconfig
+
+ After that you'll need to prepare kernel for modules build:
+
+ kernel-src-dir/# make prepare modules_prepare
+
+ Note: Don't try to `make prepare' in Centos kernel-devel package directory
+ (which is usually something like /usr/src/kernels/2.6.32-431.el6.x86_64)
+ as this is wrong and meaningless.
+
+** 2. Prepare Iptables
+
+ Before this step it also would be useful to install pkg-config if don't
+ already have.
+
+ If you have package system just install iptables-devel (or iptables-dev)
+ package, otherwise install iptables source matching version of your
+ installation from ftp://ftp.netfilter.org/pub/iptables/
+
+ a) What to do for Centos:
+
+ # yum install iptables-devel
+
+ b) What to do for Debian:
+
+ # apt-get install iptables-dev pkg-config
-2. Run ./configure script and it will create Makefile
+ c) Otherwise, for raw iptables source build it and make install.
-3. make all install; depmod
- This will install kernel module and iptable specific library.
+** 3. Now, to actually build the module run:
-Troubleshooting:
- 1) Sometimes you will want to add CC=gcc-3 to make command.
- Example: make CC=gcc-3.3
+ ~/ipt-netflow# ./configure
+ ~/ipt-netflow# make all install
+ ~/ipt-netflow# depmod
- 2) Compile module with actual kernel source compiled.
- I.e. first compile kernel and boot into it, and then compile module.
+ This will install kernel module and iptables specific library.
- 3) For autoloading module after reboot: set net.netflow.destination (or load
- module, if idestination set on load) after interfaces are up. Becasue module
- needs exporting interface (usually lo) to establish export connection.
+ Troubleshooting:
-4. After this point you should be able to load module
- and use -j NETFLOW target in your iptables. See next section.
+ a) Sometimes you will want to add CC=gcc-3 to make command.
+ Example: make CC=gcc-3.3
+
+ b) Compile module with actual kernel source compiled.
+ I.e. first compile kernel and boot into it, and then compile module.
+ If you are using kernel-devel package check that its version matches
+ your kernel package.
+
+ c) If you have sources in non-standard places or configure isn't able to
+ find something run ./configure --help to see how to specify paths manually.
+
+** 4. After this point you should be able to load module and
+ use -j NETFLOW target in your iptables. See next section.
===========
= RUNNING =
===========
-1. You can load module by insmod like this:
- # insmod ipt_NETFLOW.ko destination=127.0.0.1:2055 debug=1
+1. You can load module directly by insmod like this:
+
+ # insmod ipt_NETFLOW.ko destination=127.0.0.1:2055 debug=1
Or if properly installed (make install; depmod) by this:
- # modprobe ipt_NETFLOW destination=127.0.0.1:2055
+
+ # modprobe ipt_NETFLOW destination=127.0.0.1:2055
See, you may add options in insmod/modprobe command line, or add
- them in /etc/ to modules.conf or modprobe.conf like thus:
- options ipt_NETFLOW destination=127.0.0.1:2055
+ them in /etc/modprobe.conf or /etc/modprobe.d/ipt_NETFLOW.conf
+ like thus:
+
+ options ipt_NETFLOW destination=127.0.0.1:2055 protocol=9 natevents=1
2. Statistics is in /proc/net/stat/ipt_netflow
- To view slab statistics: grep ipt_netflow /proc/slabinfo
+ To view boring slab statistics: grep ipt_netflow /proc/slabinfo
3. You can view parameters and control them via sysctl, example:
- # sysctl -w net.netflow.hashsize=32768
-4. Example of directing all traffic into module:
- # iptables -A FORWARD -j NETFLOW
- # iptables -A INPUT -j NETFLOW
- # iptables -A OUTPUT -j NETFLOW
+ # sysctl net.netflow
+ # sysctl net.netflow.hashsize=32768
+
+ Note: For after-reboot configuration I recommend to store module parameters
+ in modprobe configs instead of storing them in /etc/sysctl.conf, as it's
+ less clear when init process will apply sysctl.conf, before of after
+ module's load.
+
+4. Example of directing all IPv4 traffic into the module:
+
+ # iptables -I FORWARD -j NETFLOW
+ # iptables -I INPUT -j NETFLOW
+ # iptables -I OUTPUT -j NETFLOW
+
+ Note: It is preferable (because easier to understand) to _insert_
+ NETFLOW target at the top of the chain, otherwise not all traffic may
+ reach NETFLOW if your iptables configuration is complicated and some
+ other rule inadvertently consume the traffic (dropping or acepting before
+ NETFLOW is reached). It's always good to test your configuration.
+ Use iptables -L -nvx to check pkts/bytes counters on the rules.
+
+5. If you want to account IPv6 traffic you should use protocol 9 or 10.
+ Example of directing all IPv6 traffic into the module:
+ # sysctl net.netflow.protocol=10
+ # ip6tables -I FORWARD -j NETFLOW
+ # ip6tables -I INPUT -j NETFLOW
+ # ip6tables -I OUTPUT -j NETFLOW
+
+ Note: First enable right version of protocol and after that add ip6tables
+ rules, otherwise you will get errors in dmesg.
+
+6. If you want to account NAT events (NEL):
+
+ # sysctl net.netflow.natevents=1
+
+ Note that natevents feature is completely independent from traffic accounting
+ (it's using so called conntrack events), thus you don't need to set or change
+ any iptables rules to use that. You may need to enable kernel config option
+ CONFIG_NF_CONNTRACK_EVENTS though (if it isn't already enabled).
+ For details on how they are exported for different protocol versions see
+ below.
===========
= OPTIONS =
===========
+ protocol=5
+ - what version of NetFlow protocol to use. Default is 5.
+ You can choose from 5, 9, or 10 (where 10 is IPFIX). If you plan
+ to account IPv6 traffic you should use protocol 9 or 10 (IPFIX),
+ because NetFlow v5 isn't compatible with IPv6.
+
destination=127.0.0.1:2055
- where to export netflow, to this ip address
You will see this connection in netstat like this:
udp 0 0 127.0.0.1:32772 127.0.0.1:2055 ESTABLISHED
destination=127.0.0.1:2055,192.0.0.1:2055
- - mirror flows to two (can be more) addresses,
- separate addresses with comma.
+ - mirror flows to two (can be more) addresses, separate addresses
+ with comma.
+
+ natevents=1
+ - Collect and send NAT translation events as NetFlow Event Logging (NEL)
+ for NetFlow v9/IPFIX, or as dummy flows compatible with NetFlow v5.
+ Default is 0 (don't send).
+
+ For NetFlow v5 protocol meaning of fields in dummy flows are such:
+ Src IP, Src Port is Pre-nat source address.
+ Dst IP, Dst Port is Post-nat destination address.
+ - These two fields made equal to data flows catched in FORWARD chain.
+ Nexthop, Src AS is Post-nat source address for SNAT. Or,
+ Nexthop, Dst AS is Pre-nat destination address for DNAT.
+ TCP Flags is SYN+SCK for start event, RST+FIN for stop event.
+ Pkt/Traffic size is 0 (zero), so it won't interfere with accounting.
inactive_timeout=15
- export flow after it's inactive 15 seconds. Default value is 15.
active_timeout=1800
- - export flow after it's active 1800 seconds (30 minutes). Default value is 1800.
+ - export flow after it's active 1800 seconds (30 minutes). Default valuae
+ is 1800.
+
+ refresh-rate=20
+ - for NetFlow v9 and IPFIX it's rate how frequently to re-send templates
+ (per packets). You probably don't need to change default (which is 20).
+
+ timeout-rate=30
+ - for NetFlow v9 and IPFIX it's rate when to re-send old templates (in
+ minutes). No need to change it.
debug=0
- debug level (none).
sndbuf=number
- - size of output socket buffer in bytes. Recommend you to put
+ - size of output socket buffer in bytes. I recommend you to put
higher value if you experience netflow packet drops (can be
seen in statistics as 'sock: fail' number.)
Default value is system default.
hashsize=number
- Hash table bucket size. Used for performance tuning.
- Abstractly speaking, it should be two times bigger than flows
+ Abstractly speaking, it should be minimum two times bigger than flows
you usually have, but not need to.
Default is system memory dependent small enough value.
maxflows=2000000
- - Maximum number of flows to account. It's here to prevent DOS attacks. After
- this limit reached new flows will not be accounted. Default is
+ - Maximum number of flows to account. It's here to prevent DOS attacks.
+ After this limit reached new flows will not be accounted. Default is
2000000, zero is unlimited.
aggregation=string..
@@ -130,14 +263,15 @@ Troubleshooting:
= HOW TO READ STAT =
====================
- Statistics is your friend to fine tune and understand netflow module performance.
+ Statistics is your friend to fine tune and understand netflow module
+ performance.
To see stat:
# cat /proc/net/stat/ipt_netflow
How to interpret the data:
-> Flows: active 5187 (peak 83905 reached 0d0h1m ago, maxflows 2000000), mem 283K
+> Flows: active 5187 (peak 83905 reached 0d0h1m ago, maxflows 2000000), mem 283K, worker delay 100/1000.
active X: currently active flows in memory cache.
- for optimum CPU performance it is recommended to set hash table size to
@@ -146,8 +280,9 @@ Troubleshooting:
mem XK: how much kilobytes of memory currently taken by active flows.
- one active flow taking 56 bytes of memory.
- there is system limit on cache size too.
+ worker delay X/HZ: how frequently exporter scan flows table per second.
-> Hash: size 8192 (mem 32K), metric 1.0, 1.0, 1.0, 1.0. MemTraf: 1420 pkt, 364 K (pdu 0, 0).
+> Hash: size 8192 (mem 32K), metric 1.00, [1.00, 1.00, 1.00]. MemTraf: 1420 pkt, 364 K (pdu 0, 0).
Hash: size X: current hash size/limit.
- you can control this by sysctl net.netflow.hashsize variable.
@@ -156,18 +291,22 @@ Troubleshooting:
- optimal value is twice of average of active flows.
mem XK: how much memory occupied by hash table.
- hash table is fixed size by nature, taking 4 bytes per entry.
- metric X, X, X, X: how optimal is your hash table being used.
+ metric X, [X, X, X]: how optimal is your hash table being used.
- lesser value mean more optimal hash table use, min is 1.0.
- - this is moving average (EWMA) of hash table access divided
- by match rate (searches / matches) for 4sec, and 1, 5, 15 minutes.
- Sort of hash table load average.
+ - last three numbers in squares is moving average (EWMA) of hash table
+ access divided by match rate (searches / matches) for 4sec, and 1, 5, and
+ 15 minutes. Sort of hash table load average. First value is instantaneous.
+ You can try to increase hashsize if averages more than 1 (increase
+ certainly if >= 2).
MemTraf: X pkt, X K: how much traffic accounted for flows that are in memory.
- these flows that are residing in internal hash table.
pdu X, X: how much traffic in flows preparing to be exported.
- it is included already in aforementioned MemTraf total.
-> Timeout: active 1800, inactive 15. Maxflows 2000000
+> Protocol version 10 (ipfix), refresh-rate 20, timeout-rate 30, (templates 2, active 2). Timeouts: active 5, inactive 15. Maxflows 2000000
+ Protocol version currently in use. Refresh-rate and timeout-rate
+ for v9 and IPFIX. Total templates generated and currently active.
Timeout: active X: how much seconds to wait before exporting active flow.
- same as sysctl net.netflow.active_timeout variable.
inactive X: how much seconds to wait before exporting inactive flow.
@@ -180,20 +319,22 @@ Troubleshooting:
- Module throughput values for 1 second, 1 minute, and 5 minutes.
-> cpu# stat: <search found new, trunc frag alloc maxflows>, sock: <ok fail cberr, bytes>, traffic: <pkt, bytes>, drop: <pkt, bytes>
-> cpu0 stat: 980540 10473 180600, 0 0 0 0, sock: 4983 928 0, 7124 K, traffic: 188765, 14 MB, drop: 27863, 1142 K
+> cpu# stat: <search found new [metric], trunc frag alloc maxflows>, sock: <ok fail cberr, bytes>, traffic: <pkt, bytes>, drop: <pkt, bytes>
+> cpu0 stat: 980540 10473 180600 [1.03], 0 0 0 0, sock: 4983 928 0, 7124 K, traffic: 188765, 14 MB, drop: 27863, 1142 K
cpu#: this is Total and per CPU statistics for:
stat: <search found new, trunc frag alloc maxflows>: internal stat for:
search found new: hash table searched, found, and not found counters.
- trunc: how much truncated packets is ignored
+ [metric]: average hash metric since module load.
+ trunc: how much truncated packets are ignored
- these are that possible don't have valid IP header.
- accounted in drop packets counter but not in drop bytes.
frag: how much fragmented packets have seen.
- kernel always defragments INPUT/OUTPUT chains for us.
- these packets are not ignored but not reassembled either, so:
- - if there is no enough data in fragment (ex. tcp ports) it is considered zero.
- alloc: how much cache memory allocations is failed.
+ - if there is no enough data in fragment (ex. tcp ports) it is considered
+ zero.
+ alloc: how much cache memory allocations are failed.
- packets ignored and accounted in drop stat.
- probably increase system memory if this ever happen.
maxflows: how much packets ignored on maxflows (maximum active flows reached).
@@ -203,7 +344,8 @@ Troubleshooting:
sock: <ok fail cberr, bytes>: table of exporting stats for:
ok: how much Netflow PDUs are exported (i.e. UDP packets sent by module).
fail: how much socket errors (i.e. packets failed to be sent).
- - packets dropped and their internal statistics cumulatively accounted in drop stat.
+ - packets dropped and their internal statistics cumulatively accounted in
+ drop stat.
cberr: how much connection refused ICMP errors we got from export target.
- probably you not launched collector software on destination,
- or specified wrong destination address.
@@ -225,20 +367,34 @@ Troubleshooting:
packet is for new flow but maxflows is already reached,
all flows in export packets that got socket error.
-> sock0: 10.0.0.2:2055, sndbuf 106496, filled 0, peak 106848; err: sndbuf reached 928, other 0
+> Natevents disabled, count start 0, stop 0.
+
+ - Natevents mode disabled or enabled, and how much start or stop events
+ are reported.
+
+> sock0: 10.0.0.2:2055 unconnected (1 attempts).
+
+ If socket is unconnected (for example if module loaded before interfaces is
+ up) it shows now much connection attempts was failed. It will try to connect
+ until success.
+
+> sock0: 10.0.0.2:2055, sndbuf 106496, filled 0, peak 106848; err: sndbuf reached 928, connect 0, other 0
sockX: per destination stats for:
X.X.X.X:Y: destination ip address and port.
- controlled by sysctl net.netflow.destination variable.
sndbuf X: how much data socket can hold in buffers.
- controlled by sysctl net.netflow.sndbuf variable.
- - if you have packet drops due to sndbuf reached (error -11) increase this value.
+ - if you have packet drops due to sndbuf reached (error -11) increase this
+ value.
filled X: how much data in socket buffers right now.
peak X: peak value of how much data in socket buffers was.
- you will be interested to keep it below sndbuf value.
err: how much packets are dropped due to errors.
- all flows from them will be accounted in drop stat.
- sndbuf reached X: how much packets dropped due to sndbuf being too small (error -11).
+ sndbuf reached X: how much packets dropped due to sndbuf being too small
+ (error -11).
+ connect X: how much connection attempts was failed.
other X: dropped due to other possible errors.
> aggr0: ...
diff --git a/README.promisc b/README.promisc
index 60ca922..31d774f 100644
--- a/README.promisc
+++ b/README.promisc
@@ -2,9 +2,14 @@ Hello,
If you wish to account with netflow module traffic mirrored on switch you may follow this example:
-**************
-* Solution 1 *
-**************
+
+ Solution 1: General kernel patch.
+ Solution 2: Alternative w/o kernel patch.
+
+
+ **************
+ * Solution 1 *
+ **************
1. Patch your kernel with `raw_promisc.patch' to enable raw table to see promisc traffic.
@@ -33,17 +38,7 @@ If you wish to account with netflow module traffic mirrored on switch you may fo
# /sbin/vconfig add eth1 47
# /sbin/ifconfig eth1.47 up
-5. Recompile ipt_netflow module with #define RAW_PROMISC_HACK uncommented:
-
- Find this line in ipt_NETFLOW.c (should be line 7):
-
-//#define RAW_PROMISC_HACK
-
- And remove two slashes at beginning of the line, so it become like this:
-
-#define RAW_PROMISC_HACK
-
- Re-compile module:
+5. Compile module:
# make clean all install
@@ -55,13 +50,14 @@ If you wish to account with netflow module traffic mirrored on switch you may fo
# /sbin/iptables -A PREROUTING -t raw -i eth1.47 -j NETFLOW
-
Voila.
+ps. For Debian Squeeze instructions look at raw_promisc_debian_squeeze6.patch
-**************
-* Solution 2 *
-**************
+
+ **************
+ * Solution 2 *
+ **************
By Anonymous.
@@ -81,4 +77,3 @@ Sometimes you may need to run:
for this scheme to work.
-
diff --git a/configure b/configure
index 677dd7f..3f10e2a 100755
--- a/configure
+++ b/configure
@@ -3,7 +3,7 @@
PATH=$PATH:/bin:/usr/bin:/usr/sbin:/sbin:/usr/local/sbin
error() {
- echo "! Error: $@"
+ echo -e "! Error: $@"
exit 1
}
@@ -56,19 +56,20 @@ get_lib_from_lib() {
}
iptables_inc() {
- echo -n "Iptables include path: "
+ echo -n "Iptables include flags: "
if [ "$IPTINC" ]; then
- echo "$IPTINC (user specified)"
IPTINC="-I$IPTINC"
+ echo "$IPTINC (user specified)"
+ elif [ "$PKGVER" ]; then
+ IPTINC="$PKGINC"
+ echo "$IPTINC (pkg-config)"
+ elif [ "$NOIPTSRC" ]; then
+ IPTINC=
+ echo "none (default)"
else
- if [ "$PKGINC" ]; then
- IPTINC="$PKGINC"
- echo "$IPTINC (pkg-config)"
- else
- IPTINC="$IPTSRC/include"
- echo "$IPTINC (from source)"
- IPTINC="-I$IPTINC"
- fi
+ IPTINC="$IPTSRC/include"
+ IPTINC="-I$IPTINC"
+ echo "$IPTINC (from source)"
fi
}
@@ -109,7 +110,16 @@ try_dir2() {
test -d "$1" && try_dir `dirname $1` && return 0
}
-iptables_ver() {
+check_pkg_config() {
+ test "$PKGWARN" && return 1
+ if ! which pkg-config >/dev/null 2>&1; then
+ echo "! You don't have pkg-config, it may be useful to install it."
+ PKGWARN=1
+ return 1
+ fi
+ return 0
+}
+iptables_find_version() {
echo -n "Iptables binary version: "
if [ "$IPTVER" ]; then
echo "$IPTVER (user specified)"
@@ -121,6 +131,7 @@ iptables_ver() {
else
echo "no iptables binary found"
fi
+ check_pkg_config
PKGVER=`pkg-config --modversion xtables 2>/dev/null`
if [ "$PKGVER" ]; then
IPTVER="$PKGVER"
@@ -131,44 +142,90 @@ iptables_ver() {
fi
}
-iptables_dir() {
- test "$IPTINC" && return 1
- test "$PKGINC" && return 1
-
- VER="iptables-$IPTVER"
- if [ "$IPTSRC" ]; then
- echo "User specified source directory: $IPTSRC"
- try_dir $IPTSRC || error "Specified directory is not iptables source.."
+compile_libitp_test() {
+ echo -n "Checking for presence of $@... "
+ echo "
+#define __EXPORTED_HEADERS__
+#include <$*>" > test.c
+ gcc -c test.c >/dev/null 2>&1
+ RET=$?
+ if [ $RET = 0 ]; then
+ echo Yes;
else
- echo "Searching for $VER sources.."
- try_dir "./$VER" && return 0
- try_dir "../$VER" && return 0
- try_dir "/usr/src/$VER" && return 0
- try_dirg "iptables" && return 0
- try_dirg "../iptables" && return 0
- try_dirg "/usr/src/iptables" && return 0
- try_dir2 `locate $VER/extensions | head -1` && return 0
- error "Can not find iptables source directory, try setting it with --ipt-src="
+ echo No;
fi
+ rm -f test.c test.o
+ return $RET
}
-iptables_pkg_config() {
+iptables_try_pkgconfig() {
if [ ! "$PKGVER" ]; then
+ check_pkg_config
+ PKGVER=`pkg-config --modversion xtables 2>/dev/null`
+ TRYPKGVER=`pkg-config --modversion xtables 2>/dev/null`
echo -n "pkg-config for version $IPTVER exists: "
- PKGVER=`pkg-config --exact-version=$IPTVER --modversion xtables 2>/dev/null`
+ pkg-config --exact-version=$IPTVER xtables 2>/dev/null
if [ $? = 0 ]; then
echo "Yes"
+ PKGVER=$TRYPKGVER
else
- echo "No (reported: $PKGVER)"
- unset PKGVER
+ if [ "$TRYPKGVER" ]; then
+ echo "No (reported: $TRYPKGVER)"
+ else
+ echo "No"
+ fi
fi
fi
if [ "$PKGVER" ]; then
+ check_pkg_config
+ PKGVER=`pkg-config --modversion xtables 2>/dev/null`
PKGINC=`pkg-config --cflags xtables`
PKGLIB=`pkg-config --variable=xtlibdir xtables`
- IPTCFLAGS="-DXTABLES"
else
- IPTCFLAGS="-DIPTABLES_VERSION=\\\\\"$IPTVER\\\\\""
+ # Newer versions of iptables should not have -I/kernel/include!
+ # So I assume that newer version will have correct pkg-config set up
+ # and if not, then it's older who need it.
+ IPTCFLAGS="-I$KDIR/include -DIPTABLES_VERSION=\\\\\"$IPTVER\\\\\""
+ fi
+ if compile_libitp_test xtables.h; then
+ IPTCFLAGS="-DXTABLES $IPTCFLAGS"
+ elif ! compile_libitp_test iptables.h; then
+ echo "! Iptables headers not found. You may need to specify --ipt-inc=..."
+ if [ -s /etc/debian_version ]; then
+ echo "! "
+ echo "! Under Debian simply run this:"
+ echo "! root# apt-get install iptables-dev pkg-config"
+ elif [ -s /etc/redhat-release ]; then
+ echo "! "
+ arch=.`uname -m`
+ echo "! Under Centos simply run this:"
+ echo "! root# yum install iptables-devel$arch pkgconfig"
+ fi
+ exit 1
+ fi
+
+}
+
+iptables_find_src() {
+ test "$IPTINC" && return 1
+ test "$PKGVER" && return 1
+
+ VER="iptables-$IPTVER"
+ if [ "$IPTSRC" ]; then
+ echo "User specified source directory: $IPTSRC"
+ try_dir $IPTSRC || error "Specified directory is not iptables source.."
+ else
+ echo "Searching for $VER sources.."
+ try_dir "./$VER" && return 0
+ try_dir "../$VER" && return 0
+ try_dir "/usr/src/$VER" && return 0
+ try_dirg "iptables" && return 0
+ try_dirg "../iptables" && return 0
+ try_dirg "/usr/src/iptables" && return 0
+ try_dir2 `locate $VER/extensions 2>/dev/null | head -1` && return 0
+ echo "! Can not find iptables source directory, you may try setting it with --ipt-src="
+ echo "! This is not fatal error, yet. Will be just using default include dir."
+ NOIPTSRC=1
fi
}
@@ -206,18 +263,110 @@ do
esac
done
-test "$KVERSION" || KVERSION=`uname -r`
-echo Kernel version: $KVERSION
+kernel_find_version() {
+ KHOW=requested
+ test "$KVERSION" && return 0
+
+ if grep -q '#.*Debian' /proc/version; then
+ KHOW=proc
+ KVERSION=`sed -n 's/.*#.*Debian \([0-9\.]\+\)-.*/\1/p' /proc/version`
+ KLIBMOD=`uname -r`
+ else
+ KHOW=uname
+ KVERSION=`uname -r`
+ fi
+ test "$KDIR" || return 0
+
+ test -s $KDIR/Makefile || return 1
+ test -s $KDIR/include/config/kernel.release || return 1
+ KVERSION=`cat $KDIR/include/config/kernel.release`
+ KHOW=sources
+}
+
+kernel_check_src() {
+ if [ -s "$1/Makefile" ]; then
+ KDIR="$1"
+ return 0
+ fi
+ return 1
+}
+
+kernel_find_source() {
+ KSHOW=requested
+ test "$KDIR" && return 0
+ KSHOW=found
+ kernel_check_src /lib/modules/$KLIBMOD/build && return 0
+ kernel_check_src /lib/modules/$KVERSION/build && return 0
+ kernel_check_src /usr/src/kernels/$KVERSION && return 0
+ kernel_check_src /usr/src/linux-$KVERSION && return 0
+ echo "! Linux source not found. Don't panic. You may specify kernel source"
+ echo "! directory with --kdir=..., or try to install kernel-devel package,"
+ echo "! or just raw sources for linux-$KVERSION from kernel.org."
+ if grep -q -i centos /proc/version 2>/dev/null; then
+ echo "! "
+ arch=.`uname -m`
+ echo "! Under Centos simply run this:"
+ echo "! root# yum install kernel-devel iptables-devel$arch pkgconfig"
+ fi
+ if grep -q -i debian /proc/version 2>/dev/null; then
+ echo "! "
+ echo "! Under Debian simply run this:"
+ echo "! root# apt-get install module-assistant iptables-dev pkg-config"
+ echo "! root# m-a prepare"
+ fi
+ exit 1
+}
+
+kernel_check_consistency() {
+ if test -s $KDIR/include/config/kernel.release; then
+ SRCVER=`cat $KDIR/include/config/kernel.release`
+ test "$KVERSION" != "$SRCVER" && error "$KHOW kernel version ($KVERSION) and $KSHOW version of kernel source ($SRCVER) doesn't match!\n!" \
+ "You may try to specify only kernel source tree with --kdir=$KDIR\n!" \
+ "and configure will pick up version properly."
+ else
+ test -e "$KDIR/.config" || error ".config in kernel source not found, run make menuconfig in $KDIR"
+ test -d "$KDIR/include/config" || error "kernel is not prepared, run make prepare modules_prepare in $KDIR"
+ fi
+}
+
+kconfig() {
+ KCONFIG=$KDIR/.config
+ if ! grep -q "^$1=" $KCONFIG 2>/dev/null; then
+ if [ "$KCONFIGREPORTED" != true ]; then
+ KCONFIGREPORTED=true
+ echo Kernel config file checked: $KCONFIG
+ echo
+ fi
+ echo "! Attention: $1 is undefined in your kernel configuration"
+ echo "! Without this option enabled $2 will not work."
+ echo
+ fi
+}
+
+kernel_check_config() {
+ kconfig CONFIG_SYSCTL "sysctl interface"
+ kconfig CONFIG_PROC_FS "proc interface"
+ kconfig CONFIG_NF_NAT_NEEDED "natevents"
+ kconfig CONFIG_NF_CONNTRACK_EVENTS "natevents"
+ kconfig CONFIG_NF_CONNTRACK_MARK "connmark tracking"
+ kconfig CONFIG_IPV6 "IPv6"
+ kconfig CONFIG_IP6_NF_IPTABLES "ip6tables target"
+}
-test "$KDIR" || KDIR=/lib/modules/$KVERSION/build
-echo Kernel sources: $KDIR
+kernel_find_version #KVERSION
+test "$KLIBMOD" || KLIBMOD=$KVERSION
+echo "Kernel version: $KVERSION ($KHOW)"
+kernel_find_source #KDIR
+echo "Kernel sources: $KDIR ($KSHOW)"
+kernel_check_consistency
+kernel_check_config
test "$IPTBIN" || IPTBIN=`which iptables`
-iptables_ver #IPTVER
-iptables_pkg_config
-iptables_dir #IPTSRC
-iptables_src_version #check IPTSRC match to IPTVER
+iptables_find_version #IPTVER
+iptables_try_pkgconfig #try to configure from pkg-config
+iptables_find_src #IPTSRC
+iptables_src_version #check that IPTSRC match to IPTVER
iptables_inc #IPTINC
iptables_modules #IPTLIB
@@ -225,7 +374,6 @@ REPLACE="\
s!@KVERSION@!$KVERSION!;\
s!@KDIR@!$KDIR!;\
s!@IPTABLES_VERSION@!$IPTVER!;\
-s!@IPTABLES_INCLUDES@!$IPTINC!;\
s!@IPTABLES_CFLAGS@!$IPTCFLAGS $IPTINC!;\
s!@IPTABLES_MODULES@!$IPTLIB!"
diff --git a/ipt_NETFLOW.c b/ipt_NETFLOW.c
index d4c91e1..ad974c5 100644
--- a/ipt_NETFLOW.c
+++ b/ipt_NETFLOW.c
@@ -1,6 +1,6 @@
/*
* This is NetFlow exporting module (NETFLOW target) for linux
- * (c) 2008-2012 <abc@telekom.ru>
+ * (c) 2008-2013 <abc@telekom.ru>
*
*
* This program is free software: you can redistribute it and/or modify
@@ -18,8 +18,6 @@
*
*/
-//#define RAW_PROMISC_HACK
-
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/proc_fs.h>
@@ -31,16 +29,26 @@
#include <linux/icmp.h>
#include <linux/igmp.h>
#include <linux/inetdevice.h>
-#include <linux/jhash.h>
+#include <linux/hash.h>
+#include <linux/delay.h>
+#include <linux/spinlock_types.h>
#include <net/icmp.h>
#include <net/ip.h>
+#include <net/ipv6.h>
#include <net/tcp.h>
#include <net/route.h>
+#include <net/ip6_fib.h>
#include <net/dst.h>
#include <linux/netfilter_ipv4/ip_tables.h>
+#if defined(CONFIG_NF_NAT_NEEDED) || defined(CONFIG_NF_CONNTRACK_MARK)
+#include <linux/notifier.h>
+#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_core.h>
+#endif
#include <linux/version.h>
#include <asm/unaligned.h>
#include "ipt_NETFLOW.h"
+#include "murmur3.h"
#ifdef CONFIG_BRIDGE_NETFILTER
#include <linux/netfilter_bridge.h>
#endif
@@ -74,41 +82,66 @@
#define ipt_target xt_target
#endif
-#define IPT_NETFLOW_VERSION "1.8"
+#define IPT_NETFLOW_VERSION "1.8.2" /* Note that if you are using git, you
+ will see version in other format. */
+#include "version.h"
+#ifdef GITVERSION
+#undef IPT_NETFLOW_VERSION
+#define IPT_NETFLOW_VERSION GITVERSION
+#endif
MODULE_LICENSE("GPL");
MODULE_AUTHOR("<abc@telekom.ru>");
MODULE_DESCRIPTION("iptables NETFLOW target module");
MODULE_VERSION(IPT_NETFLOW_VERSION);
+MODULE_ALIAS("ip6t_NETFLOW");
#define DST_SIZE 256
static char destination_buf[DST_SIZE] = "127.0.0.1:2055";
static char *destination = destination_buf;
-module_param(destination, charp, 0400);
+module_param(destination, charp, 0444);
MODULE_PARM_DESC(destination, "export destination ipaddress:port");
static int inactive_timeout = 15;
-module_param(inactive_timeout, int, 0600);
+module_param(inactive_timeout, int, 0644);
MODULE_PARM_DESC(inactive_timeout, "inactive flows timeout in seconds");
static int active_timeout = 30 * 60;
-module_param(active_timeout, int, 0600);
+module_param(active_timeout, int, 0644);
MODULE_PARM_DESC(active_timeout, "active flows timeout in seconds");
static int debug = 0;
-module_param(debug, int, 0600);
+module_param(debug, int, 0644);
MODULE_PARM_DESC(debug, "debug verbosity level");
static int sndbuf;
-module_param(sndbuf, int, 0400);
+module_param(sndbuf, int, 0444);
MODULE_PARM_DESC(sndbuf, "udp socket SNDBUF size");
+static int protocol = 5;
+module_param(protocol, int, 0444);
+MODULE_PARM_DESC(protocol, "netflow protocol version (5, 9, 10)");
+
+static unsigned int refresh_rate = 20;
+module_param(refresh_rate, uint, 0644);
+MODULE_PARM_DESC(refresh_rate, "NetFlow v9/IPFIX refresh rate (packets)");
+
+static unsigned int timeout_rate = 30;
+module_param(timeout_rate, uint, 0644);
+MODULE_PARM_DESC(timeout_rate, "NetFlow v9/IPFIX timeout rate (minutes)");
+
+#ifdef CONFIG_NF_NAT_NEEDED
+static int natevents = 0;
+module_param(natevents, int, 0444);
+MODULE_PARM_DESC(natevents, "send NAT Events");
+#endif
+
static int hashsize;
-module_param(hashsize, int, 0400);
+module_param(hashsize, int, 0444);
MODULE_PARM_DESC(hashsize, "hash table size");
static int maxflows = 2000000;
-module_param(maxflows, int, 0600);
+module_param(maxflows, int, 0644);
MODULE_PARM_DESC(maxflows, "maximum number of flows");
static int peakflows = 0;
static unsigned long peakflows_at;
@@ -121,22 +154,52 @@ MODULE_PARM_DESC(aggregation, "aggregation ruleset");
static DEFINE_PER_CPU(struct ipt_netflow_stat, ipt_netflow_stat);
static LIST_HEAD(usock_list);
-static DEFINE_RWLOCK(sock_lock);
+static DEFINE_MUTEX(sock_lock);
+#define LOCK_COUNT (1<<8)
+#define LOCK_COUNT_MASK (LOCK_COUNT-1)
+static spinlock_t htable_locks[LOCK_COUNT] = {
+ [0 ... LOCK_COUNT - 1] = __SPIN_LOCK_UNLOCKED(htable_locks)
+};
+static DEFINE_RWLOCK(htable_rwlock); /* global lock to protect htable_locks change */
static unsigned int ipt_netflow_hash_rnd;
-struct hlist_head *ipt_netflow_hash __read_mostly; /* hash table memory */
+static struct hlist_head *ipt_netflow_hash __read_mostly; /* hash table memory */
static unsigned int ipt_netflow_hash_size __read_mostly = 0; /* buckets */
static LIST_HEAD(ipt_netflow_list); /* all flows */
+static DEFINE_SPINLOCK(hlist_lock); /* should almost always be locked w/o _bh */
static LIST_HEAD(aggr_n_list);
static LIST_HEAD(aggr_p_list);
static DEFINE_RWLOCK(aggr_lock);
+#ifdef CONFIG_NF_NAT_NEEDED
+static LIST_HEAD(nat_list); /* nat events */
+static DEFINE_SPINLOCK(nat_lock);
+static unsigned long nat_events_start = 0;
+static unsigned long nat_events_stop = 0;
+#endif
static struct kmem_cache *ipt_netflow_cachep __read_mostly; /* ipt_netflow memory */
static atomic_t ipt_netflow_count = ATOMIC_INIT(0);
-static DEFINE_SPINLOCK(ipt_netflow_lock); /* hash table lock */
-static long long pdu_packets = 0, pdu_traf = 0;
-static struct netflow5_pdu pdu;
-static unsigned long pdu_ts_mod;
+static long long pdu_packets = 0, pdu_traf = 0; /* how much accounted traffic in pdu */
+static unsigned int pdu_count = 0;
+static unsigned int pdu_seq = 0;
+static unsigned int pdu_data_records = 0;
+static unsigned int pdu_tpl_records = 0;
+static unsigned long pdu_ts_mod; /* ts of last flow */
+static union {
+ struct netflow5_pdu v5;
+ struct netflow9_pdu v9;
+ struct ipfix_pdu ipfix;
+} pdu;
+static int engine_id = 0; /* Observation Domain */
+static __u8 *pdu_data_used;
+static __u8 *pdu_high_wm; /* high watermark */
+static unsigned int pdu_max_size; /* sizeof pdu */
+static struct flowset_data *pdu_flowset = NULL; /* current data flowset */
+
+static void (*netflow_export_flow)(struct ipt_netflow *nf);
+static void (*netflow_export_pdu)(void); /* called on timeout */
+static void netflow_switch_version(int ver);
+
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,20)
static void netflow_work_fn(void *work);
static DECLARE_WORK(netflow_work, netflow_work_fn, NULL);
@@ -146,19 +209,26 @@ static DECLARE_DELAYED_WORK(netflow_work, netflow_work_fn);
#endif
static struct timer_list rate_timer;
+#define TCP_SYN_ACK 0x12
#define TCP_FIN_RST 0x05
static long long sec_prate = 0, sec_brate = 0;
static long long min_prate = 0, min_brate = 0;
static long long min5_prate = 0, min5_brate = 0;
-static unsigned int metric = 10, min15_metric = 10, min5_metric = 10, min_metric = 10; /* hash metrics */
+static unsigned int metric = 100, min15_metric = 100, min5_metric = 100, min_metric = 100; /* hash metrics */
static int set_hashsize(int new_size);
static void destination_removeall(void);
static int add_destinations(char *ptr);
static void aggregation_remove(struct list_head *list);
static int add_aggregation(char *ptr);
-static void netflow_scan_and_export(int flush);
+static int netflow_scan_and_export(int flush);
+enum {
+ DONT_FLUSH, AND_FLUSH
+};
+static int template_ids = FLOWSET_DATA_FIRST;
+static int tpl_count = 0; /* how much active templates */
+
static inline __be32 bits2mask(int bits) {
return (bits? 0xffffffff << (32 - bits) : 0);
@@ -175,28 +245,46 @@ static inline int mask2bits(__be32 mask) {
/* under that lock worker is always stopped and not rescheduled,
* and we can call worker sub-functions manually */
static DEFINE_MUTEX(worker_lock);
-static inline void __start_scan_worker(void)
+#define MIN_DELAY 1
+#define MAX_DELAY (HZ / 10)
+static int worker_delay = HZ / 10;
+static inline void _schedule_scan_worker(const int status)
{
- schedule_delayed_work(&netflow_work, HZ / 10);
+ /* rudimentary congestion avoidance */
+ if (status > 0)
+ worker_delay -= status;
+ else if (status < 0)
+ worker_delay /= 2;
+ else
+ worker_delay++;
+ if (worker_delay < MIN_DELAY)
+ worker_delay = MIN_DELAY;
+ else if (worker_delay > MAX_DELAY)
+ worker_delay = MAX_DELAY;
+ schedule_delayed_work(&netflow_work, worker_delay);
}
-static inline void start_scan_worker(void)
+/* This is only called soon after pause_scan_worker. */
+static inline void cont_scan_worker(void)
{
- __start_scan_worker();
+ _schedule_scan_worker(0);
mutex_unlock(&worker_lock);
}
-/* we always stop scanner before write_lock(&sock_lock)
- * to let it never hold that spin lock */
-static inline void __stop_scan_worker(void)
+static inline void _unschedule_scan_worker(void)
{
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,23)
+ cancel_rearming_delayed_work(&netflow_work);
+#else
cancel_delayed_work_sync(&netflow_work);
+#endif
}
-static inline void stop_scan_worker(void)
+/* This is only used for quick pause (in procctl). */
+static inline void pause_scan_worker(void)
{
mutex_lock(&worker_lock);
- __stop_scan_worker();
+ _unschedule_scan_worker();
}
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24)
@@ -223,11 +311,14 @@ static int nf_seq_show(struct seq_file *seq, void *v)
int snum = 0;
int peak = (jiffies - peakflows_at) / HZ;
- seq_printf(seq, "Flows: active %u (peak %u reached %ud%uh%um ago), mem %uK\n",
+ seq_printf(seq, "ipt_NETFLOW version " IPT_NETFLOW_VERSION ", srcversion %s\n",
+ THIS_MODULE->srcversion);
+ seq_printf(seq, "Flows: active %u (peak %u reached %ud%uh%um ago), mem %uK, worker delay %d/%d.\n",
nr_flows,
peakflows,
peak / (60 * 60 * 24), (peak / (60 * 60)) % 24, (peak / 60) % 60,
- (unsigned int)((nr_flows * sizeof(struct ipt_netflow)) >> 10));
+ (unsigned int)((nr_flows * sizeof(struct ipt_netflow)) >> 10),
+ worker_delay, HZ);
for_each_present_cpu(cpu) {
struct ipt_netflow_stat *st = &per_cpu(ipt_netflow_stat, cpu);
@@ -252,93 +343,123 @@ static int nf_seq_show(struct seq_file *seq, void *v)
}
#define FFLOAT(x, prec) (int)(x) / prec, (int)(x) % prec
- seq_printf(seq, "Hash: size %u (mem %uK), metric %d.%d, %d.%d, %d.%d, %d.%d. MemTraf: %llu pkt, %llu K (pdu %llu, %llu).\n",
- ipt_netflow_hash_size,
- (unsigned int)((ipt_netflow_hash_size * sizeof(struct hlist_head)) >> 10),
- FFLOAT(metric, 10),
- FFLOAT(min_metric, 10),
- FFLOAT(min5_metric, 10),
- FFLOAT(min15_metric, 10),
- pkt_total - pkt_out + pdu_packets,
- (traf_total - traf_out + pdu_traf) >> 10,
- pdu_packets,
- pdu_traf);
-
- seq_printf(seq, "Timeout: active %d, inactive %d. Maxflows %u\n",
- active_timeout,
- inactive_timeout,
- maxflows);
-
- seq_printf(seq, "Rate: %llu bits/sec, %llu packets/sec; Avg 1 min: %llu bps, %llu pps; 5 min: %llu bps, %llu pps\n",
- sec_brate, sec_prate, min_brate, min_prate, min5_brate, min5_prate);
-
- seq_printf(seq, "cpu# stat: <search found new, trunc frag alloc maxflows>, sock: <ok fail cberr, bytes>, traffic: <pkt, bytes>, drop: <pkt, bytes>\n");
-
- seq_printf(seq, "Total stat: %6llu %6llu %6llu, %4u %4u %4u %4u, sock: %6u %u %u, %llu K, traffic: %llu, %llu MB, drop: %llu, %llu K\n",
- (unsigned long long)searched,
- (unsigned long long)found,
- (unsigned long long)notfound,
- truncated, frags, alloc_err, maxflows_err,
- send_success, send_failed, sock_errors,
- (unsigned long long)exported_size >> 10,
- (unsigned long long)pkt_total, (unsigned long long)traf_total >> 20,
- (unsigned long long)pkt_drop, (unsigned long long)traf_drop >> 10);
+ seq_printf(seq, "Hash: size %u (mem %uK), metric %d.%02d [%d.%02d, %d.%02d, %d.%02d]."
+ " MemTraf: %llu pkt, %llu K (pdu %llu, %llu), Out %llu pkt, %llu K.\n",
+ ipt_netflow_hash_size,
+ (unsigned int)((ipt_netflow_hash_size * sizeof(struct hlist_head)) >> 10),
+ FFLOAT(metric, 100),
+ FFLOAT(min_metric, 100),
+ FFLOAT(min5_metric, 100),
+ FFLOAT(min15_metric, 100),
+ pkt_total - pkt_out + pdu_packets,
+ (traf_total - traf_out + pdu_traf) >> 10,
+ pdu_packets,
+ pdu_traf,
+ pkt_out,
+ traf_out >> 10);
+
+ seq_printf(seq, "Rate: %llu bits/sec, %llu packets/sec;"
+ " Avg 1 min: %llu bps, %llu pps; 5 min: %llu bps, %llu pps\n",
+ sec_brate, sec_prate, min_brate, min_prate, min5_brate, min5_prate);
+
+ seq_printf(seq, "cpu# stat: <search found new [metric], trunc frag alloc maxflows>,"
+ " sock: <ok fail cberr, bytes>, traffic: <pkt, bytes>, drop: <pkt, bytes>\n");
+
+#define SAFEDIV(x,y) ((y)? ({ u64 __tmp = x; do_div(__tmp, y); (int)__tmp; }) : 0)
+ seq_printf(seq, "Total stat: %6llu %6llu %6llu [%d.%02d], %4u %4u %4u %4u,"
+ " sock: %6u %u %u, %llu K, traffic: %llu, %llu MB, drop: %llu, %llu K\n",
+ searched,
+ (unsigned long long)found,
+ (unsigned long long)notfound,
+ FFLOAT(SAFEDIV(100LL * (searched + found + notfound), (found + notfound)), 100),
+ truncated, frags, alloc_err, maxflows_err,
+ send_success, send_failed, sock_errors,
+ (unsigned long long)exported_size >> 10,
+ (unsigned long long)pkt_total, (unsigned long long)traf_total >> 20,
+ (unsigned long long)pkt_drop, (unsigned long long)traf_drop >> 10);
if (num_present_cpus() > 1) {
for_each_present_cpu(cpu) {
struct ipt_netflow_stat *st;
st = &per_cpu(ipt_netflow_stat, cpu);
- seq_printf(seq, "cpu%u stat: %6llu %6llu %6llu, %4u %4u %4u %4u, sock: %6u %u %u, %llu K, traffic: %llu, %llu MB, drop: %llu, %llu K\n",
- cpu,
- (unsigned long long)st->searched,
- (unsigned long long)st->found,
- (unsigned long long)st->notfound,
- st->truncated, st->frags, st->alloc_err, st->maxflows_err,
- st->send_success, st->send_failed, st->sock_errors,
- (unsigned long long)st->exported_size >> 10,
- (unsigned long long)st->pkt_total, (unsigned long long)st->traf_total >> 20,
- (unsigned long long)st->pkt_drop, (unsigned long long)st->traf_drop >> 10);
+ seq_printf(seq, "cpu%u stat: %6llu %6llu %6llu [%d.%02d], %4u %4u %4u %4u,"
+ " sock: %6u %u %u, %llu K, traffic: %llu, %llu MB, drop: %llu, %llu K\n",
+ cpu,
+ (unsigned long long)st->searched,
+ (unsigned long long)st->found,
+ (unsigned long long)st->notfound,
+ FFLOAT(SAFEDIV(100LL * (st->searched + st->found + st->notfound), (st->found + st->notfound)), 100),
+ st->truncated, st->frags, st->alloc_err, st->maxflows_err,
+ st->send_success, st->send_failed, st->sock_errors,
+ (unsigned long long)st->exported_size >> 10,
+ (unsigned long long)st->pkt_total, (unsigned long long)st->traf_total >> 20,
+ (unsigned long long)st->pkt_drop, (unsigned long long)st->traf_drop >> 10);
}
}
- read_lock(&sock_lock);
+ seq_printf(seq, "Protocol version %d", protocol);
+ if (protocol == 10)
+ seq_printf(seq, " (ipfix)");
+ else
+ seq_printf(seq, " (netflow)");
+ if (protocol >= 9)
+ seq_printf(seq, ", refresh-rate %u, timeout-rate %u, (templates %d, active %d)",
+ refresh_rate, timeout_rate, template_ids - FLOWSET_DATA_FIRST, tpl_count);
+
+ seq_printf(seq, ". Timeouts: active %d, inactive %d. Maxflows %u\n",
+ active_timeout,
+ inactive_timeout,
+ maxflows);
+
+#ifdef CONFIG_NF_NAT_NEEDED
+ seq_printf(seq, "Natevents %s, count start %lu, stop %lu.\n", natevents? "enabled" : "disabled",
+ nat_events_start, nat_events_stop);
+#endif
+
+ mutex_lock(&sock_lock);
list_for_each_entry(usock, &usock_list, list) {
- struct sock *sk = usock->sock->sk;
-
- seq_printf(seq, "sock%d: %u.%u.%u.%u:%u, sndbuf %u, filled %u, peak %u; err: sndbuf reached %u, other %u\n",
- snum,
- usock->ipaddr >> 24,
- (usock->ipaddr >> 16) & 255,
- (usock->ipaddr >> 8) & 255,
- usock->ipaddr & 255,
- usock->port,
- sk->sk_sndbuf,
- atomic_read(&sk->sk_wmem_alloc),
- atomic_read(&usock->wmem_peak),
- atomic_read(&usock->err_full),
- atomic_read(&usock->err_other));
+ seq_printf(seq, "sock%d: %u.%u.%u.%u:%u",
+ snum,
+ HIPQUAD(usock->ipaddr),
+ usock->port);
+ if (usock->sock) {
+ struct sock *sk = usock->sock->sk;
+
+ seq_printf(seq, ", sndbuf %u, filled %u, peak %u;"
+ " err: sndbuf reached %u, connect %u, other %u\n",
+ sk->sk_sndbuf,
+ atomic_read(&sk->sk_wmem_alloc),
+ atomic_read(&usock->wmem_peak),
+ atomic_read(&usock->err_full),
+ atomic_read(&usock->err_connect),
+ atomic_read(&usock->err_other));
+ } else
+ seq_printf(seq, " unconnected (%u attempts).\n",
+ atomic_read(&usock->err_connect));
snum++;
}
- read_unlock(&sock_lock);
+ mutex_unlock(&sock_lock);
read_lock_bh(&aggr_lock);
snum = 0;
list_for_each_entry(aggr_n, &aggr_n_list, list) {
- seq_printf(seq, "aggr#%d net: match %u.%u.%u.%u/%d strip %d\n",
- snum,
- HIPQUAD(aggr_n->addr),
- mask2bits(aggr_n->mask),
- mask2bits(aggr_n->aggr_mask));
+ seq_printf(seq, "aggr#%d net: match %u.%u.%u.%u/%d strip %d (usage %u)\n",
+ snum,
+ HIPQUAD(aggr_n->addr),
+ mask2bits(aggr_n->mask),
+ mask2bits(aggr_n->aggr_mask),
+ atomic_read(&aggr_n->usage));
snum++;
}
snum = 0;
list_for_each_entry(aggr_p, &aggr_p_list, list) {
- seq_printf(seq, "aggr#%d port: ports %u-%u replace %u\n",
- snum,
- aggr_p->port1,
- aggr_p->port2,
- aggr_p->aggr_port);
+ seq_printf(seq, "aggr#%d port: ports %u-%u replace %u (usage %u)\n",
+ snum,
+ aggr_p->port1,
+ aggr_p->port2,
+ aggr_p->aggr_port,
+ atomic_read(&aggr_p->usage));
snum++;
}
read_unlock_bh(&aggr_lock);
@@ -367,8 +488,13 @@ static struct file_operations nf_seq_fops = {
#define BEFORE2632(x,y)
#endif
+/* PAX need to know that we are allowed to write */
+#ifndef CONSTIFY_PLUGIN
+#define ctl_table_no_const ctl_table
+#endif
+
/* sysctl /proc/sys/net/netflow */
-static int hsize_procctl(ctl_table *ctl, int write, BEFORE2632(struct file *filp,)
+static int hsize_procctl(ctl_table_no_const *ctl, int write, BEFORE2632(struct file *filp,)
void __user *buffer, size_t *lenp, loff_t *fpos)
{
void *orig = ctl->data;
@@ -386,20 +512,21 @@ static int hsize_procctl(ctl_table *ctl, int write, BEFORE2632(struct file *filp
return ret;
}
-static int sndbuf_procctl(ctl_table *ctl, int write, BEFORE2632(struct file *filp,)
+static int sndbuf_procctl(ctl_table_no_const *ctl, int write, BEFORE2632(struct file *filp,)
void __user *buffer, size_t *lenp, loff_t *fpos)
{
int ret;
struct ipt_netflow_sock *usock;
-
- read_lock(&sock_lock);
+
+ mutex_lock(&sock_lock);
if (list_empty(&usock_list)) {
- read_unlock(&sock_lock);
+ mutex_unlock(&sock_lock);
return -ENOENT;
}
usock = list_first_entry(&usock_list, struct ipt_netflow_sock, list);
- sndbuf = usock->sock->sk->sk_sndbuf;
- read_unlock(&sock_lock);
+ if (usock->sock)
+ sndbuf = usock->sock->sk->sk_sndbuf;
+ mutex_unlock(&sock_lock);
ctl->data = &sndbuf;
ret = proc_dointvec(ctl, write, BEFORE2632(filp,) buffer, lenp, fpos);
@@ -407,13 +534,14 @@ static int sndbuf_procctl(ctl_table *ctl, int write, BEFORE2632(struct file *fil
return ret;
if (sndbuf < SOCK_MIN_SNDBUF)
sndbuf = SOCK_MIN_SNDBUF;
- stop_scan_worker();
- write_lock(&sock_lock);
+ pause_scan_worker();
+ mutex_lock(&sock_lock);
list_for_each_entry(usock, &usock_list, list) {
- usock->sock->sk->sk_sndbuf = sndbuf;
+ if (usock->sock)
+ usock->sock->sk->sk_sndbuf = sndbuf;
}
- write_unlock(&sock_lock);
- start_scan_worker();
+ mutex_unlock(&sock_lock);
+ cont_scan_worker();
return ret;
}
@@ -424,10 +552,10 @@ static int destination_procctl(ctl_table *ctl, int write, BEFORE2632(struct file
ret = proc_dostring(ctl, write, BEFORE2632(filp,) buffer, lenp, fpos);
if (ret >= 0 && write) {
- stop_scan_worker();
+ pause_scan_worker();
destination_removeall();
add_destinations(destination_buf);
- start_scan_worker();
+ cont_scan_worker();
}
return ret;
}
@@ -446,13 +574,12 @@ static int aggregation_procctl(ctl_table *ctl, int write, BEFORE2632(struct file
return ret;
}
-static int flush_procctl(ctl_table *ctl, int write, BEFORE2632(struct file *filp,)
+static int flush_procctl(ctl_table_no_const *ctl, int write, BEFORE2632(struct file *filp,)
void __user *buffer, size_t *lenp, loff_t *fpos)
{
int ret;
- int val;
+ int val = 0;
- val = 0;
ctl->data = &val;
ret = proc_dointvec(ctl, write, BEFORE2632(filp,) buffer, lenp, fpos);
@@ -461,14 +588,67 @@ static int flush_procctl(ctl_table *ctl, int write, BEFORE2632(struct file *filp
if (val > 0) {
printk(KERN_INFO "ipt_NETFLOW: forced flush\n");
- stop_scan_worker();
- netflow_scan_and_export(1);
- start_scan_worker();
+ pause_scan_worker();
+ netflow_scan_and_export(AND_FLUSH);
+ cont_scan_worker();
+ }
+
+ return ret;
+}
+
+static int protocol_procctl(ctl_table *ctl, int write, BEFORE2632(struct file *filp,)
+ void __user *buffer, size_t *lenp, loff_t *fpos)
+{
+ int ret;
+ int ver = protocol;
+
+ ctl->data = &ver;
+ ret = proc_dointvec(ctl, write, BEFORE2632(filp,) buffer, lenp, fpos);
+
+ if (!write)
+ return ret;
+
+ switch (ver) {
+ case 5:
+ case 9:
+ case 10:
+ printk(KERN_INFO "ipt_NETFLOW: forced flush (protocol version change)\n");
+ pause_scan_worker();
+ netflow_scan_and_export(AND_FLUSH);
+ netflow_switch_version(ver);
+ cont_scan_worker();
+ break;
+ default:
+ return -EPERM;
}
return ret;
}
+#ifdef CONFIG_NF_NAT_NEEDED
+static void register_ct_events(void);
+static void unregister_ct_events(void);
+static int natevents_procctl(ctl_table *ctl, int write, BEFORE2632(struct file *filp,)
+ void __user *buffer, size_t *lenp, loff_t *fpos)
+{
+ int ret;
+ int val = natevents;
+
+ ctl->data = &val;
+ ret = proc_dointvec(ctl, write, BEFORE2632(filp,) buffer, lenp, fpos);
+
+ if (!write)
+ return ret;
+
+ if (natevents && !val)
+ unregister_ct_events();
+ else if (!natevents && val)
+ register_ct_events();
+
+ return ret;
+}
+#endif
+
static struct ctl_table_header *netflow_sysctl_header;
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,20)
@@ -547,6 +727,38 @@ static struct ctl_table netflow_sysctl_table[] = {
.maxlen = sizeof(int),
.proc_handler = &flush_procctl,
},
+ {
+ _CTL_NAME(10)
+ .procname = "protocol",
+ .mode = 0644,
+ .maxlen = sizeof(int),
+ .proc_handler = &protocol_procctl,
+ },
+ {
+ _CTL_NAME(11)
+ .procname = "refresh-rate",
+ .mode = 0644,
+ .data = &refresh_rate,
+ .maxlen = sizeof(int),
+ .proc_handler = &proc_dointvec,
+ },
+ {
+ _CTL_NAME(12)
+ .procname = "timeout-rate",
+ .mode = 0644,
+ .data = &timeout_rate,
+ .maxlen = sizeof(int),
+ .proc_handler = &proc_dointvec,
+ },
+#ifdef CONFIG_NF_NAT_NEEDED
+ {
+ _CTL_NAME(13)
+ .procname = "natevents",
+ .mode = 0644,
+ .maxlen = sizeof(int),
+ .proc_handler = &natevents_procctl,
+ },
+#endif
{ }
};
@@ -588,18 +800,69 @@ static struct ctl_path netflow_sysctl_path[] = {
static void sk_error_report(struct sock *sk)
{
/* clear connection refused errors if any */
- write_lock_bh(&sk->sk_callback_lock);
if (debug > 1)
- printk(KERN_INFO "NETFLOW: socket error <%d>\n", sk->sk_err);
+ printk(KERN_INFO "ipt_NETFLOW: socket error <%d>\n", sk->sk_err);
sk->sk_err = 0;
NETFLOW_STAT_INC(sock_errors);
- write_unlock_bh(&sk->sk_callback_lock);
return;
}
+static struct socket *_usock_alloc(const __be32 ipaddr, const unsigned short port)
+{
+ struct sockaddr_in sin;
+ struct socket *sock;
+ int error;
+
+ if ((error = sock_create_kern(PF_INET, SOCK_DGRAM, IPPROTO_UDP, &sock)) < 0) {
+ printk(KERN_ERR "ipt_NETFLOW: sock_create_kern error %d\n", -error);
+ return NULL;
+ }
+ sock->sk->sk_allocation = GFP_ATOMIC;
+ sock->sk->sk_prot->unhash(sock->sk); /* hidden from input */
+ sock->sk->sk_error_report = &sk_error_report; /* clear ECONNREFUSED */
+ if (sndbuf)
+ sock->sk->sk_sndbuf = sndbuf;
+ else
+ sndbuf = sock->sk->sk_sndbuf;
+ memset(&sin, 0, sizeof(sin));
+ sin.sin_family = AF_INET;
+ sin.sin_addr.s_addr = htonl(ipaddr);
+ sin.sin_port = htons(port);
+ if ((error = sock->ops->connect(sock, (struct sockaddr *)&sin,
+ sizeof(sin), 0)) < 0) {
+ printk(KERN_ERR "ipt_NETFLOW: error connecting UDP socket %d,"
+ " don't worry, will try reconnect later.\n", -error);
+ /* ENETUNREACH when no interfaces */
+ sock_release(sock);
+ return NULL;
+ }
+ return sock;
+}
+
+static void usock_connect(struct ipt_netflow_sock *usock, const int sendmsg)
+{
+ usock->sock = _usock_alloc(usock->ipaddr, usock->port);
+ if (usock->sock) {
+ if (sendmsg || debug)
+ printk(KERN_INFO "ipt_NETFLOW: connected %u.%u.%u.%u:%u\n",
+ HIPQUAD(usock->ipaddr),
+ usock->port);
+ } else {
+ atomic_inc(&usock->err_connect);
+ if (debug)
+ printk(KERN_INFO "ipt_NETFLOW: connect to %u.%u.%u.%u:%u failed%s.\n",
+ HIPQUAD(usock->ipaddr),
+ usock->port,
+ (sendmsg)? " (pdu lost)" : "");
+ }
+ atomic_set(&usock->wmem_peak, 0);
+ atomic_set(&usock->err_full, 0);
+ atomic_set(&usock->err_other, 0);
+}
+
// return numbers of sends succeded, 0 if none
/* only called in scan worker path */
-static int netflow_send_pdu(void *buffer, int len)
+static void netflow_sendmsg(void *buffer, const int len)
{
struct msghdr msg = { .msg_flags = MSG_DONTWAIT|MSG_NOSIGNAL };
struct kvec iov = { buffer, len };
@@ -607,9 +870,16 @@ static int netflow_send_pdu(void *buffer, int len)
int snum = 0;
struct ipt_netflow_sock *usock;
+ mutex_lock(&sock_lock);
list_for_each_entry(usock, &usock_list, list) {
+ if (!usock->sock)
+ usock_connect(usock, 1);
+ if (!usock->sock) {
+ NETFLOW_STAT_INC_ATOMIC(send_failed);
+ continue;
+ }
if (debug)
- printk(KERN_INFO "netflow_send_pdu: sendmsg(%d, %d) [%u %u]\n",
+ printk(KERN_INFO "netflow_sendmsg: sendmsg(%d, %d) [%u %u]\n",
snum,
len,
atomic_read(&usock->sock->sk->sk_wmem_alloc),
@@ -624,7 +894,7 @@ static int netflow_send_pdu(void *buffer, int len)
suggestion = ": increase sndbuf!";
} else
atomic_inc(&usock->err_other);
- printk(KERN_ERR "netflow_send_pdu[%d]: sendmsg error %d: data loss %llu pkt, %llu bytes%s\n",
+ printk(KERN_ERR "ipt_NETFLOW: sendmsg[%d] error %d: data loss %llu pkt, %llu bytes%s\n",
snum, ret, pdu_packets, pdu_traf, suggestion);
} else {
unsigned int wmem = atomic_read(&usock->sock->sk->sk_wmem_alloc);
@@ -636,98 +906,67 @@ static int netflow_send_pdu(void *buffer, int len)
}
snum++;
}
- return retok;
+ mutex_unlock(&sock_lock);
+ if (retok == 0) {
+ /* not least one send succeded, account stat for dropped packets */
+ NETFLOW_STAT_ADD_ATOMIC(pkt_drop, pdu_packets);
+ NETFLOW_STAT_ADD_ATOMIC(traf_drop, pdu_traf);
+ }
}
-static void usock_free(struct ipt_netflow_sock *usock)
+static void usock_close_free(struct ipt_netflow_sock *usock)
{
- printk(KERN_INFO "netflow: remove destination %u.%u.%u.%u:%u (%p)\n",
+ printk(KERN_INFO "ipt_NETFLOW: removed destination %u.%u.%u.%u:%u\n",
HIPQUAD(usock->ipaddr),
- usock->port,
- usock->sock);
+ usock->port);
if (usock->sock)
sock_release(usock->sock);
usock->sock = NULL;
- vfree(usock);
+ vfree(usock);
}
static void destination_removeall(void)
{
- write_lock(&sock_lock);
+ mutex_lock(&sock_lock);
while (!list_empty(&usock_list)) {
struct ipt_netflow_sock *usock;
usock = list_entry(usock_list.next, struct ipt_netflow_sock, list);
list_del(&usock->list);
- write_unlock(&sock_lock);
- usock_free(usock);
- write_lock(&sock_lock);
+ mutex_unlock(&sock_lock);
+ usock_close_free(usock);
+ mutex_lock(&sock_lock);
}
- write_unlock(&sock_lock);
+ mutex_unlock(&sock_lock);
}
static void add_usock(struct ipt_netflow_sock *usock)
{
struct ipt_netflow_sock *sk;
- /* don't need empty sockets */
- if (!usock->sock) {
- usock_free(usock);
- return;
- }
-
- write_lock(&sock_lock);
+ mutex_lock(&sock_lock);
/* don't need duplicated sockets */
list_for_each_entry(sk, &usock_list, list) {
if (sk->ipaddr == usock->ipaddr &&
sk->port == usock->port) {
- write_unlock(&sock_lock);
- usock_free(usock);
+ mutex_unlock(&sock_lock);
+ usock_close_free(usock);
return;
}
}
list_add_tail(&usock->list, &usock_list);
- printk(KERN_INFO "netflow: added destination %u.%u.%u.%u:%u\n",
+ printk(KERN_INFO "ipt_NETFLOW: added destination %u.%u.%u.%u:%u%s\n",
HIPQUAD(usock->ipaddr),
- usock->port);
- write_unlock(&sock_lock);
-}
-
-static struct socket *usock_alloc(__be32 ipaddr, unsigned short port)
-{
- struct sockaddr_in sin;
- struct socket *sock;
- int error;
-
- if ((error = sock_create_kern(PF_INET, SOCK_DGRAM, IPPROTO_UDP, &sock)) < 0) {
- printk(KERN_ERR "netflow: sock_create_kern error %d\n", error);
- return NULL;
- }
- sock->sk->sk_allocation = GFP_ATOMIC;
- sock->sk->sk_prot->unhash(sock->sk); /* hidden from input */
- sock->sk->sk_error_report = &sk_error_report; /* clear ECONNREFUSED */
- if (sndbuf)
- sock->sk->sk_sndbuf = sndbuf;
- else
- sndbuf = sock->sk->sk_sndbuf;
- memset(&sin, 0, sizeof(sin));
- sin.sin_family = AF_INET;
- sin.sin_addr.s_addr = htonl(ipaddr);
- sin.sin_port = htons(port);
- if ((error = sock->ops->connect(sock, (struct sockaddr *)&sin,
- sizeof(sin), 0)) < 0) {
- printk(KERN_ERR "netflow: error connecting UDP socket %d\n", error);
- sock_release(sock);
- return NULL;
- }
- return sock;
+ usock->port,
+ (!usock->sock)? " (unconnected)" : "");
+ mutex_unlock(&sock_lock);
}
#define SEPARATORS " ,;\t\n"
static int add_destinations(char *ptr)
{
while (ptr) {
- unsigned char ip[4];
+ unsigned char ip[4];
unsigned short port;
ptr += strspn(ptr, SEPARATORS);
@@ -737,17 +976,15 @@ static int add_destinations(char *ptr)
struct ipt_netflow_sock *usock;
if (!(usock = vmalloc(sizeof(*usock)))) {
- printk(KERN_ERR "netflow: can't vmalloc socket\n");
+ printk(KERN_ERR "ipt_NETFLOW: can't vmalloc socket\n");
return -ENOMEM;
}
memset(usock, 0, sizeof(*usock));
+ atomic_set(&usock->err_connect, 0);
usock->ipaddr = ntohl(*(__be32 *)ip);
usock->port = port;
- usock->sock = usock_alloc(usock->ipaddr, port);
- atomic_set(&usock->wmem_peak, 0);
- atomic_set(&usock->err_full, 0);
- atomic_set(&usock->err_other, 0);
+ usock_connect(usock, 0);
add_usock(usock);
} else
break;
@@ -781,7 +1018,7 @@ static int add_aggregation(char *ptr)
LIST_HEAD(old_aggr_list);
while (ptr && *ptr) {
- unsigned char ip[4];
+ unsigned char ip[4];
unsigned int mask;
unsigned int port1, port2;
unsigned int aggr_to;
@@ -792,16 +1029,16 @@ static int add_aggregation(char *ptr)
ip, ip + 1, ip + 2, ip + 3, &mask, &aggr_to) == 6) {
if (!(aggr_n = vmalloc(sizeof(*aggr_n)))) {
- printk(KERN_ERR "netflow: can't vmalloc aggr\n");
+ printk(KERN_ERR "ipt_NETFLOW: can't vmalloc aggr\n");
return -ENOMEM;
}
memset(aggr_n, 0, sizeof(*aggr_n));
- aggr_n->addr = ntohl(*(__be32 *)ip);
aggr_n->mask = bits2mask(mask);
+ aggr_n->addr = ntohl(*(__be32 *)ip) & aggr_n->mask;
aggr_n->aggr_mask = bits2mask(aggr_to);
aggr_n->prefix = mask;
- printk(KERN_INFO "netflow: add aggregation [%u.%u.%u.%u/%u=%u]\n",
+ printk(KERN_INFO "ipt_NETFLOW: add aggregation [%u.%u.%u.%u/%u=%u]\n",
HIPQUAD(aggr_n->addr), mask, aggr_to);
list_add_tail(&aggr_n->list, &new_aggr_n_list);
@@ -809,7 +1046,7 @@ static int add_aggregation(char *ptr)
sscanf(ptr, "%u=%u", &port2, &aggr_to) == 2) {
if (!(aggr_p = vmalloc(sizeof(*aggr_p)))) {
- printk(KERN_ERR "netflow: can't vmalloc aggr\n");
+ printk(KERN_ERR "ipt_NETFLOW: can't vmalloc aggr\n");
return -ENOMEM;
}
memset(aggr_p, 0, sizeof(*aggr_p));
@@ -817,11 +1054,11 @@ static int add_aggregation(char *ptr)
aggr_p->port1 = port1;
aggr_p->port2 = port2;
aggr_p->aggr_port = aggr_to;
- printk(KERN_INFO "netflow: add aggregation [%u-%u=%u]\n",
+ printk(KERN_INFO "ipt_NETFLOW: add aggregation [%u-%u=%u]\n",
port1, port2, aggr_to);
list_add_tail(&aggr_p->list, &new_aggr_p_list);
} else {
- printk(KERN_ERR "netflow: bad aggregation rule: %s (ignoring)\n", ptr);
+ printk(KERN_ERR "ipt_NETFLOW: bad aggregation rule: %s (ignoring)\n", ptr);
break;
}
@@ -846,17 +1083,23 @@ static int add_aggregation(char *ptr)
static inline u_int32_t hash_netflow(const struct ipt_netflow_tuple *tuple)
{
- /* tuple is rounded to u32s */
- return jhash2((u32 *)tuple, NETFLOW_TUPLE_SIZE, ipt_netflow_hash_rnd) % ipt_netflow_hash_size;
+ return murmur3(tuple, sizeof(struct ipt_netflow_tuple), ipt_netflow_hash_rnd) % ipt_netflow_hash_size;
}
static struct ipt_netflow *
-ipt_netflow_find(const struct ipt_netflow_tuple *tuple, unsigned int hash)
+ipt_netflow_find(const struct ipt_netflow_tuple *tuple, const unsigned int hash)
{
struct ipt_netflow *nf;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3,9,0)
+#define compat_hlist_for_each_entry hlist_for_each_entry
+#define compat_hlist_for_each_entry_safe hlist_for_each_entry_safe
struct hlist_node *pos;
+#else /* since 3.9.0 */
+#define compat_hlist_for_each_entry(a,pos,c,d) hlist_for_each_entry(a,c,d)
+#define compat_hlist_for_each_entry_safe(a,pos,c,d,e) hlist_for_each_entry_safe(a,c,d,e)
+#endif
- hlist_for_each_entry(nf, pos, &ipt_netflow_hash[hash], hlist) {
+ compat_hlist_for_each_entry(nf, pos, &ipt_netflow_hash[hash], hlist) {
if (ipt_netflow_tuple_equal(tuple, &nf->tuple) &&
nf->nr_bytes < FLOW_FULL_WATERMARK) {
NETFLOW_STAT_INC(found);
@@ -868,7 +1111,7 @@ ipt_netflow_find(const struct ipt_netflow_tuple *tuple, unsigned int hash)
return NULL;
}
-static struct hlist_head *alloc_hashtable(int size)
+static struct hlist_head *alloc_hashtable(const int size)
{
struct hlist_head *hash;
@@ -879,19 +1122,18 @@ static struct hlist_head *alloc_hashtable(int size)
for (i = 0; i < size; i++)
INIT_HLIST_HEAD(&hash[i]);
} else
- printk(KERN_ERR "netflow: unable to vmalloc hash table.\n");
+ printk(KERN_ERR "ipt_NETFLOW: unable to vmalloc hash table.\n");
return hash;
}
-static int set_hashsize(int new_size)
+static int set_hashsize(const int new_size)
{
struct hlist_head *new_hash, *old_hash;
- unsigned int hash;
struct ipt_netflow *nf;
int rnd;
- printk(KERN_INFO "netflow: allocating new hash table %u -> %u buckets\n",
+ printk(KERN_INFO "ipt_NETFLOW: allocating new hash table %u -> %u buckets\n",
ipt_netflow_hash_size, new_size);
new_hash = alloc_hashtable(new_size);
if (!new_hash)
@@ -900,19 +1142,24 @@ static int set_hashsize(int new_size)
get_random_bytes(&rnd, 4);
/* rehash */
- spin_lock_bh(&ipt_netflow_lock);
+ write_lock_bh(&htable_rwlock);
old_hash = ipt_netflow_hash;
ipt_netflow_hash = new_hash;
ipt_netflow_hash_size = new_size;
ipt_netflow_hash_rnd = rnd;
/* hash_netflow() is dependent on ipt_netflow_hash_* values */
+ spin_lock(&hlist_lock);
list_for_each_entry(nf, &ipt_netflow_list, list) {
+ unsigned int hash;
+
hash = hash_netflow(&nf->tuple);
/* hlist_add_head overwrites hlist pointers for this node
* so it's good */
hlist_add_head(&nf->hlist, &new_hash[hash]);
+ nf->lock = &htable_locks[hash & LOCK_COUNT_MASK];
}
- spin_unlock_bh(&ipt_netflow_lock);
+ spin_unlock(&hlist_lock);
+ write_unlock_bh(&htable_rwlock);
vfree(old_hash);
@@ -920,14 +1167,14 @@ static int set_hashsize(int new_size)
}
static struct ipt_netflow *
-ipt_netflow_alloc(struct ipt_netflow_tuple *tuple)
+ipt_netflow_alloc(const struct ipt_netflow_tuple *tuple)
{
struct ipt_netflow *nf;
long count;
nf = kmem_cache_alloc(ipt_netflow_cachep, GFP_ATOMIC);
if (!nf) {
- printk(KERN_ERR "Can't allocate netflow.\n");
+ printk(KERN_ERR "ipt_NETFLOW: Can't allocate flow.\n");
return NULL;
}
@@ -945,13 +1192,15 @@ ipt_netflow_alloc(struct ipt_netflow_tuple *tuple)
static void ipt_netflow_free(struct ipt_netflow *nf)
{
+ if (IS_DUMMY_FLOW(nf))
+ return;
atomic_dec(&ipt_netflow_count);
kmem_cache_free(ipt_netflow_cachep, nf);
}
static struct ipt_netflow *
-init_netflow(struct ipt_netflow_tuple *tuple,
- struct sk_buff *skb, unsigned int hash)
+init_netflow(const struct ipt_netflow_tuple *tuple,
+ const struct sk_buff *skb, const unsigned int hash)
{
struct ipt_netflow *nf;
@@ -959,93 +1208,774 @@ init_netflow(struct ipt_netflow_tuple *tuple,
if (!nf)
return NULL;
+ nf->lock = &htable_locks[hash & LOCK_COUNT_MASK];
hlist_add_head(&nf->hlist, &ipt_netflow_hash[hash]);
+ spin_lock(&hlist_lock);
list_add(&nf->list, &ipt_netflow_list);
+ spin_unlock(&hlist_lock);
return nf;
}
/* cook pdu, send, and clean */
/* only called in scan worker path */
-static void netflow_export_pdu(void)
+static void netflow_export_pdu_v5(void)
{
struct timeval tv;
int pdusize;
- if (!pdu.nr_records)
+ if (!pdu_data_records)
return;
if (debug > 1)
- printk(KERN_INFO "netflow_export_pdu with %d records\n", pdu.nr_records);
- do_gettimeofday(&tv);
-
- pdu.version = htons(5);
- pdu.ts_uptime = htonl(jiffies_to_msecs(jiffies));
- pdu.ts_usecs = htonl(tv.tv_sec);
- pdu.ts_unsecs = htonl(tv.tv_usec);
- //pdu.eng_type = 0;
- //pdu.eng_id = 0;
- //pdu.padding = 0;
+ printk(KERN_INFO "netflow_export_pdu_v5 with %d records\n", pdu_data_records);
- pdusize = NETFLOW5_HEADER_SIZE + sizeof(struct netflow5_record) * pdu.nr_records;
-
- /* especially fix nr_records before export */
- pdu.nr_records = htons(pdu.nr_records);
+ pdu.v5.version = htons(5);
+ pdu.v5.nr_records = htons(pdu_data_records);
+ pdu.v5.ts_uptime = htonl(jiffies_to_msecs(jiffies));
+ do_gettimeofday(&tv);
+ pdu.v5.ts_usecs = htonl(tv.tv_sec);
+ pdu.v5.ts_unsecs = htonl(tv.tv_usec);
+ pdu.v5.seq = htonl(pdu_seq);
+ //pdu.v5.eng_type = 0;
+ pdu.v5.eng_id = engine_id;
+ //pdu.v5.padding = 0;
- if (netflow_send_pdu(&pdu, pdusize) == 0) {
- /* not least one send succeded, account stat for dropped packets */
- NETFLOW_STAT_ADD_ATOMIC(pkt_drop, pdu_packets);
- NETFLOW_STAT_ADD_ATOMIC(traf_drop, pdu_traf);
- }
+ pdusize = NETFLOW5_HEADER_SIZE + sizeof(struct netflow5_record) * pdu_data_records;
- pdu.seq = htonl(ntohl(pdu.seq) + ntohs(pdu.nr_records));
+ netflow_sendmsg(&pdu.v5, pdusize);
- pdu.nr_records = 0;
pdu_packets = 0;
- pdu_traf = 0;
+ pdu_traf = 0;
+
+ pdu_seq += pdu_data_records;
+ pdu_count++;
+ pdu_data_records = 0;
}
/* only called in scan worker path */
-static void netflow_export_flow(struct ipt_netflow *nf)
+static void netflow_export_flow_v5(struct ipt_netflow *nf)
{
struct netflow5_record *rec;
- if (debug > 2)
- printk(KERN_INFO "adding flow to export (%d)\n", pdu.nr_records);
+ if (unlikely(debug > 2))
+ printk(KERN_INFO "adding flow to export (%d)\n", pdu_data_records);
pdu_packets += nf->nr_packets;
pdu_traf += nf->nr_bytes;
pdu_ts_mod = jiffies;
- rec = &pdu.flow[pdu.nr_records++];
+ rec = &pdu.v5.flow[pdu_data_records++];
/* make V5 flow record */
- rec->s_addr = nf->tuple.s_addr;
- rec->d_addr = nf->tuple.d_addr;
- //rec->nexthop = 0;
+ rec->s_addr = nf->tuple.src.ip;
+ rec->d_addr = nf->tuple.dst.ip;
+ rec->nexthop = nf->nh.ip;
rec->i_ifc = htons(nf->tuple.i_ifc);
rec->o_ifc = htons(nf->o_ifc);
rec->nr_packets = htonl(nf->nr_packets);
rec->nr_octets = htonl(nf->nr_bytes);
- rec->ts_first = htonl(jiffies_to_msecs(nf->ts_first));
- rec->ts_last = htonl(jiffies_to_msecs(nf->ts_last));
+ rec->first_ms = htonl(jiffies_to_msecs(nf->ts_first));
+ rec->last_ms = htonl(jiffies_to_msecs(nf->ts_last));
rec->s_port = nf->tuple.s_port;
rec->d_port = nf->tuple.d_port;
- //rec->reserved = 0;
+ //rec->reserved = 0; /* pdu is always zeroized for v5 in netflow_switch_version */
rec->tcp_flags = nf->tcp_flags;
rec->protocol = nf->tuple.protocol;
rec->tos = nf->tuple.tos;
- //rec->s_as = 0;
- //rec->d_as = 0;
+#ifdef CONFIG_NF_NAT_NEEDED
+ rec->s_as = nf->s_as;
+ rec->d_as = nf->d_as;
+#endif
rec->s_mask = nf->s_mask;
rec->d_mask = nf->d_mask;
//rec->padding = 0;
ipt_netflow_free(nf);
- if (pdu.nr_records == NETFLOW5_RECORDS_MAX)
+ if (pdu_data_records == NETFLOW5_RECORDS_MAX)
+ netflow_export_pdu_v5();
+}
+
+/* pdu is initially blank, export current pdu, and prepare next for filling. */
+static void netflow_export_pdu_v9(void)
+{
+ struct timeval tv;
+ int pdusize;
+
+ if (pdu_data_used <= pdu.v9.data)
+ return;
+
+ if (debug > 1)
+ printk(KERN_INFO "netflow_export_pdu_v9 with %d records\n",
+ pdu_data_records + pdu_tpl_records);
+
+ pdu.v9.version = htons(9);
+ pdu.v9.nr_records = htons(pdu_data_records + pdu_tpl_records);
+ pdu.v9.sys_uptime_ms = htonl(jiffies_to_msecs(jiffies));
+ do_gettimeofday(&tv);
+ pdu.v9.export_time_s = htonl(tv.tv_sec);
+ pdu.v9.seq = htonl(pdu_seq);
+ pdu.v9.source_id = engine_id;
+
+ pdusize = pdu_data_used - (unsigned char *)&pdu.v9;
+
+ netflow_sendmsg(&pdu.v9, pdusize);
+
+ pdu_packets = 0;
+ pdu_traf = 0;
+
+ pdu_seq++;
+ pdu_count++;
+ pdu_data_records = pdu_tpl_records = 0;
+ pdu_data_used = pdu.v9.data;
+ pdu_flowset = NULL;
+}
+
+static void netflow_export_pdu_ipfix(void)
+{
+ struct timeval tv;
+ int pdusize;
+
+ if (pdu_data_used <= pdu.ipfix.data)
+ return;
+
+ if (debug > 1)
+ printk(KERN_INFO "netflow_export_pduX with %d records\n",
+ pdu_data_records);
+
+ pdu.ipfix.version = htons(10);
+ do_gettimeofday(&tv);
+ pdu.ipfix.export_time_s = htonl(tv.tv_sec);
+ pdu.ipfix.seq = htonl(pdu_seq);
+ pdu.ipfix.odomain_id = engine_id;
+ pdusize = pdu_data_used - (unsigned char *)&pdu;
+ pdu.ipfix.length = htons(pdusize);
+
+ netflow_sendmsg(&pdu.ipfix, pdusize);
+
+ pdu_packets = 0;
+ pdu_traf = 0;
+
+ pdu_seq += pdu_data_records;
+ pdu_count++;
+ pdu_data_records = pdu_tpl_records = 0;
+ pdu_data_used = pdu.ipfix.data;
+ pdu_flowset = NULL;
+}
+
+static inline int pdu_have_space(const size_t size)
+{
+ return ((pdu_data_used + size) <= pdu_high_wm);
+}
+
+static inline unsigned char *pdu_grab_space(const size_t size)
+{
+ unsigned char *ptr = pdu_data_used;
+ pdu_data_used += size;
+ return ptr;
+}
+
+// allocate data space in pdu, or fail if pdu is reallocated.
+static inline unsigned char *pdu_alloc_fail(const size_t size)
+{
+ if (!pdu_have_space(size)) {
netflow_export_pdu();
+ return NULL;
+ }
+ return pdu_grab_space(size);
+}
+
+/* doesn't fail, but can provide empty pdu. */
+static unsigned char *pdu_alloc(const size_t size)
+{
+ return pdu_alloc_fail(size) ?: pdu_grab_space(size);
+}
+
+/* global table of sizes of template field types */
+static u_int8_t tpl_element_sizes[] = {
+ [IN_BYTES] = 4,
+ [IN_PKTS] = 4,
+ [PROTOCOL] = 1,
+ [TOS] = 1,
+ [TCP_FLAGS] = 1,
+ [L4_SRC_PORT] = 2,
+ [IPV4_SRC_ADDR] = 4,
+ [SRC_MASK] = 1,
+ [INPUT_SNMP] = 2,
+ [L4_DST_PORT] = 2,
+ [IPV4_DST_ADDR] = 4,
+ [DST_MASK] = 1,
+ [OUTPUT_SNMP] = 2,
+ [IPV4_NEXT_HOP] = 4,
+ //[SRC_AS] = 2,
+ //[DST_AS] = 2,
+ //[BGP_IPV4_NEXT_HOP] = 4,
+ //[MUL_DST_PKTS] = 4,
+ //[MUL_DST_BYTES] = 4,
+ [LAST_SWITCHED] = 4,
+ [FIRST_SWITCHED]= 4,
+ [IPV6_SRC_ADDR] = 16,
+ [IPV6_DST_ADDR] = 16,
+ [IPV6_FLOW_LABEL] = 3,
+ [ICMP_TYPE] = 2,
+ [MUL_IGMP_TYPE] = 1,
+ //[TOTAL_BYTES_EXP] = 4,
+ //[TOTAL_PKTS_EXP] = 4,
+ //[TOTAL_FLOWS_EXP] = 4,
+ [IPV6_NEXT_HOP] = 16,
+ [IPV6_OPTION_HEADERS] = 2,
+ [commonPropertiesId] = 4,
+ [ipv4Options] = 4,
+ [tcpOptions] = 4,
+ [postNATSourceIPv4Address] = 4,
+ [postNATDestinationIPv4Address] = 4,
+ [postNAPTSourceTransportPort] = 2,
+ [postNAPTDestinationTransportPort] = 2,
+ [natEvent] = 1,
+ [postNATSourceIPv6Address] = 16,
+ [postNATDestinationIPv6Address] = 16,
+ [IPSecSPI] = 4,
+ [observationTimeMilliseconds] = 8,
+ [observationTimeMicroseconds] = 8,
+ [observationTimeNanoseconds] = 8,
+};
+
+#define TEMPLATES_HASH_BSIZE 8
+#define TEMPLATES_HASH_SIZE (1<<TEMPLATES_HASH_BSIZE)
+static struct hlist_head templates_hash[TEMPLATES_HASH_SIZE];
+
+struct base_template {
+ int length; /* number of elements in template */
+ u_int16_t types[]; /* {type, size} pairs */
+};
+
+/* base templates */
+#define BTPL_BASE 0x00000001 /* base stat */
+#define BTPL_IP4 0x00000002 /* IPv4 */
+#define BTPL_MASK4 0x00000004 /* Aggregated */
+#define BTPL_PORTS 0x00000008 /* UDP&TCP */
+#define BTPL_IP6 0x00000010 /* IPv6 */
+#define BTPL_ICMP 0x00000020 /* ICMP */
+#define BTPL_IGMP 0x00000040 /* IGMP */
+#define BTPL_IPSEC 0x00000080 /* AH&ESP */
+#define BTPL_NAT4 0x00000100 /* NAT IPv4 */
+#define BTPL_MARK 0x00000400 /* connmark */
+#define BTPL_LABEL6 0x00000800 /* IPv6 flow label */
+#define BTPL_OPTIONS4 0x00001000 /* IPv4 Options */
+#define BTPL_OPTIONS6 0x00002000 /* IPv6 Options */
+#define BTPL_TCPOPTIONS 0x00004000 /* TCP Options */
+#define BTPL_MAX 32
+
+static struct base_template template_base = {
+ .types = {
+ INPUT_SNMP,
+ OUTPUT_SNMP,
+ IN_PKTS,
+ IN_BYTES,
+ FIRST_SWITCHED,
+ LAST_SWITCHED,
+ PROTOCOL,
+ TOS,
+ 0
+ }
+};
+static struct base_template template_ipv4 = {
+ .types = {
+ IPV4_SRC_ADDR,
+ IPV4_DST_ADDR,
+ IPV4_NEXT_HOP,
+ 0
+ }
+};
+static struct base_template template_options4 = {
+ .types = { ipv4Options, 0 }
+};
+static struct base_template template_tcpoptions = {
+ .types = { tcpOptions, 0 }
+};
+static struct base_template template_ipv6 = {
+ .types = {
+ IPV6_SRC_ADDR,
+ IPV6_DST_ADDR,
+ IPV6_NEXT_HOP,
+ 0
+ }
+};
+static struct base_template template_options6 = {
+ .types = { IPV6_OPTION_HEADERS, 0 }
+};
+static struct base_template template_label6 = {
+ .types = { IPV6_FLOW_LABEL, 0 }
+};
+static struct base_template template_ipv4_mask = {
+ .types = {
+ SRC_MASK,
+ DST_MASK,
+ 0
+ }
+};
+static struct base_template template_ports = {
+ .types = {
+ L4_SRC_PORT,
+ L4_DST_PORT,
+ TCP_FLAGS,
+ 0
+ }
+};
+static struct base_template template_icmp = {
+ .types = { ICMP_TYPE, 0 }
+};
+static struct base_template template_igmp = {
+ .types = { MUL_IGMP_TYPE, 0 }
+};
+static struct base_template template_ipsec = {
+ .types = { IPSecSPI, 0 }
+};
+static struct base_template template_nat4 = {
+ .types = {
+ observationTimeMilliseconds,
+ IPV4_SRC_ADDR,
+ IPV4_DST_ADDR,
+ postNATSourceIPv4Address,
+ postNATDestinationIPv4Address,
+ L4_SRC_PORT,
+ L4_DST_PORT,
+ postNAPTSourceTransportPort,
+ postNAPTDestinationTransportPort,
+ PROTOCOL,
+ natEvent,
+ 0
+ }
+};
+static struct base_template template_mark = {
+ .types = { commonPropertiesId, 0 }
+};
+
+struct data_template {
+ struct hlist_node hlist;
+ int tpl_mask;
+
+ int length; /* number of elements in template */
+ int tpl_size; /* summary size of template with flowset header */
+ int rec_size; /* summary size of all recods of template (w/o flowset header) */
+ int template_id_n; /* assigned from template_ids, network order. */
+ int exported_cnt;
+ unsigned long exported_ts; /* jiffies */
+ u_int16_t fields[]; /* {type, size} pairs */
+} __attribute__ ((packed));
+
+#define TPL_FIELD_NSIZE 4 /* one complete template field's network size */
+
+static void free_templates(void)
+{
+ int i;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3,9,0)
+ struct hlist_node *pos;
+#endif
+ struct hlist_node *tmp;
+
+ for (i = 0; i < TEMPLATES_HASH_SIZE; i++) {
+ struct hlist_head *thead = &templates_hash[i];
+ struct data_template *tpl;
+
+ compat_hlist_for_each_entry_safe(tpl, pos, tmp, thead, hlist)
+ kfree(tpl);
+ INIT_HLIST_HEAD(thead);
+ }
+ tpl_count = 0;
+}
+
+/* create combined template from mask */
+static struct data_template *get_template(const int tmask)
+{
+ struct base_template *tlist[BTPL_MAX];
+ struct data_template *tpl;
+ int tnum;
+ int length;
+ int i, j, k;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3,9,0)
+ struct hlist_node *pos;
+#endif
+ int hash = hash_long(tmask, TEMPLATES_HASH_BSIZE);
+
+ compat_hlist_for_each_entry(tpl, pos, &templates_hash[hash], hlist)
+ if (tpl->tpl_mask == tmask)
+ return tpl;
+
+ tnum = 0;
+ if (tmask & BTPL_IP4) {
+ tlist[tnum++] = &template_ipv4;
+ if (tmask & BTPL_OPTIONS4)
+ tlist[tnum++] = &template_options4;
+ if (tmask & BTPL_MASK4)
+ tlist[tnum++] = &template_ipv4_mask;
+ } else if (tmask & BTPL_IP6) {
+ tlist[tnum++] = &template_ipv6;
+ if (tmask & BTPL_LABEL6)
+ tlist[tnum++] = &template_label6;
+ if (tmask & BTPL_OPTIONS6)
+ tlist[tnum++] = &template_options6;
+ } else if (tmask & BTPL_NAT4)
+ tlist[tnum++] = &template_nat4;
+ if (tmask & BTPL_PORTS)
+ tlist[tnum++] = &template_ports;
+ if (tmask & BTPL_BASE)
+ tlist[tnum++] = &template_base;
+ if (tmask & BTPL_TCPOPTIONS)
+ tlist[tnum++] = &template_tcpoptions;
+ if (tmask & BTPL_ICMP)
+ tlist[tnum++] = &template_icmp;
+ if (tmask & BTPL_IGMP)
+ tlist[tnum++] = &template_igmp;
+ if (tmask & BTPL_IPSEC)
+ tlist[tnum++] = &template_ipsec;
+ if (tmask & BTPL_MARK)
+ tlist[tnum++] = &template_mark;
+
+ /* calc memory size */
+ length = 0;
+ for (i = 0; i < tnum; i++) {
+ if (!tlist[i]->length) {
+ for (k = 0; tlist[i]->types[k]; k++);
+ tlist[i]->length = k;
+ }
+ length += tlist[i]->length;
+ }
+ /* elements are pairs + one termiantor */
+ tpl = kmalloc(sizeof(struct data_template) + (length * 2 + 1) * sizeof(u_int16_t), GFP_KERNEL);
+ if (!tpl) {
+ printk(KERN_ERR "ipt_NETFLOW: unable to kmalloc template.\n");
+ return NULL;
+ }
+ tpl->tpl_mask = tmask;
+ tpl->length = length;
+ tpl->tpl_size = sizeof(struct flowset_template);
+ tpl->rec_size = 0;
+ tpl->template_id_n = htons(template_ids++);
+ tpl->exported_cnt = 0;
+ tpl->exported_ts = 0;
+
+ j = 0;
+ for (i = 0; i < tnum; i++) {
+ struct base_template *btpl = tlist[i];
+
+ for (k = 0; k < btpl->length; k++) {
+ int size;
+ int type = btpl->types[k];
+
+ tpl->fields[j++] = type;
+ size = tpl_element_sizes[type];
+ tpl->fields[j++] = size;
+ tpl->rec_size += size;
+ }
+ tpl->tpl_size += btpl->length * TPL_FIELD_NSIZE;
+ }
+ tpl->fields[j++] = 0;
+
+ hlist_add_head(&tpl->hlist, &templates_hash[hash]);
+ tpl_count++;
+
+ return tpl;
+}
+
+static void pdu_add_template(struct data_template *tpl)
+{
+ int i;
+ unsigned char *ptr;
+ struct flowset_template *ntpl;
+ __be16 *sptr;
+
+ ptr = pdu_alloc(tpl->tpl_size);
+ ntpl = (struct flowset_template *)ptr;
+ ntpl->flowset_id = protocol == 9? htons(FLOWSET_TEMPLATE) : htons(IPFIX_TEMPLATE);
+ ntpl->length = htons(tpl->tpl_size);
+ ntpl->template_id = tpl->template_id_n;
+ ntpl->field_count = htons(tpl->length);
+ ptr += sizeof(struct flowset_template);
+ sptr = (__be16 *)ptr;
+ for (i = 0; ; ) {
+ int type = tpl->fields[i++];
+ if (!type)
+ break;
+ *sptr++ = htons(type);
+ *sptr++ = htons(tpl->fields[i++]);
+ }
+
+ tpl->exported_cnt = pdu_count;
+ tpl->exported_ts = jiffies;
+
+ pdu_flowset = NULL;
+ pdu_tpl_records++;
+}
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
+static inline s64 portable_ktime_to_ms(const ktime_t kt)
+{
+ struct timeval tv = ktime_to_timeval(kt);
+ return (s64) tv.tv_sec * MSEC_PER_SEC + tv.tv_usec / USEC_PER_MSEC;
+}
+#define ktime_to_ms portable_ktime_to_ms
+#endif
+
+/* encode one field */
+typedef struct in6_addr in6_t;
+static inline void add_ipv4_field(__u8 *ptr, const int type, const struct ipt_netflow *nf)
+{
+ switch (type) {
+ case IN_BYTES: *(__be32 *)ptr = htonl(nf->nr_bytes); break;
+ case IN_PKTS: *(__be32 *)ptr = htonl(nf->nr_packets); break;
+ case FIRST_SWITCHED: *(__be32 *)ptr = htonl(jiffies_to_msecs(nf->ts_first)); break;
+ case LAST_SWITCHED: *(__be32 *)ptr = htonl(jiffies_to_msecs(nf->ts_last)); break;
+ case IPV4_SRC_ADDR: *(__be32 *)ptr = nf->tuple.src.ip; break;
+ case IPV4_DST_ADDR: *(__be32 *)ptr = nf->tuple.dst.ip; break;
+ case IPV4_NEXT_HOP: *(__be32 *)ptr = nf->nh.ip; break;
+ case L4_SRC_PORT: *(__be16 *)ptr = nf->tuple.s_port; break;
+ case L4_DST_PORT: *(__be16 *)ptr = nf->tuple.d_port; break;
+ case INPUT_SNMP: *(__be16 *)ptr = htons(nf->tuple.i_ifc); break;
+ case OUTPUT_SNMP: *(__be16 *)ptr = htons(nf->o_ifc); break;
+ case PROTOCOL: *ptr = nf->tuple.protocol; break;
+ case TCP_FLAGS: *ptr = nf->tcp_flags; break;
+ case TOS: *ptr = nf->tuple.tos; break;
+ case IPV6_SRC_ADDR: *(in6_t *)ptr = nf->tuple.src.in6; break;
+ case IPV6_DST_ADDR: *(in6_t *)ptr = nf->tuple.dst.in6; break;
+ case IPV6_NEXT_HOP: *(in6_t *)ptr = nf->nh.in6; break;
+ case IPV6_FLOW_LABEL: *ptr++ = nf->flow_label >> 16;
+ *(__be16 *)ptr = nf->flow_label;
+ break;
+ case tcpOptions: *(__be32 *)ptr = htonl(nf->tcpoptions); break;
+ case ipv4Options: *(__be32 *)ptr = htonl(nf->options); break;
+ case IPV6_OPTION_HEADERS: *(__be16 *)ptr = htons(nf->options); break;
+#ifdef CONFIG_NF_CONNTRACK_MARK
+ case commonPropertiesId:
+ *(__be32 *)ptr = htonl(nf->mark); break;
+#endif
+ case SRC_MASK: *ptr = nf->s_mask; break;
+ case DST_MASK: *ptr = nf->d_mask; break;
+ case ICMP_TYPE: *(__be16 *)ptr = nf->tuple.d_port; break;
+ case MUL_IGMP_TYPE: *ptr = nf->tuple.d_port; break;
+#ifdef CONFIG_NF_NAT_NEEDED
+ case postNATSourceIPv4Address: *(__be32 *)ptr = nf->nat->post.s_addr; break;
+ case postNATDestinationIPv4Address: *(__be32 *)ptr = nf->nat->post.d_addr; break;
+ case postNAPTSourceTransportPort: *(__be16 *)ptr = nf->nat->post.s_port; break;
+ case postNAPTDestinationTransportPort: *(__be16 *)ptr = nf->nat->post.d_port; break;
+ case natEvent: *ptr = nf->nat->nat_event; break;
+#endif
+ case IPSecSPI: *(__u32 *)ptr = (nf->tuple.s_port << 16) | nf->tuple.d_port; break;
+ case observationTimeMilliseconds:
+ *(__be64 *)ptr = cpu_to_be64(ktime_to_ms(nf->ts_obs)); break;
+ case observationTimeMicroseconds:
+ *(__be64 *)ptr = cpu_to_be64(ktime_to_us(nf->ts_obs)); break;
+ case observationTimeNanoseconds:
+ *(__be64 *)ptr = cpu_to_be64(ktime_to_ns(nf->ts_obs)); break;
+ default:
+ memset(ptr, 0, tpl_element_sizes[type]);
+ }
+}
+
+#define PAD_SIZE 4 /* rfc prescribes flowsets to be padded */
+
+/* cache timeout_rate in jiffies */
+static inline unsigned long timeout_rate_j(void)
+{
+ static unsigned int t_rate = 0;
+ static unsigned long t_rate_j = 0;
+
+ if (unlikely(timeout_rate != t_rate)) {
+ struct timeval tv = { .tv_sec = timeout_rate * 60, .tv_usec = 0 };
+
+ t_rate = timeout_rate;
+ t_rate_j = timeval_to_jiffies(&tv);
+ }
+ return t_rate_j;
+}
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,20)
+#define IPPROTO_UDPLITE 136
+#endif
+
+#ifndef time_is_before_jiffies
+#define time_is_before_jiffies(a) time_after(jiffies, a)
+#endif
+
+static void netflow_export_flow_tpl(struct ipt_netflow *nf)
+{
+ unsigned char *ptr;
+ int i;
+ struct data_template *tpl;
+ int tpl_mask = BTPL_BASE;
+
+ if (unlikely(debug > 2))
+ printk(KERN_INFO "adding flow to export (%d)\n",
+ pdu_data_records + pdu_tpl_records);
+
+ if (likely(nf->tuple.l3proto == AF_INET)) {
+ tpl_mask |= BTPL_IP4;
+ if (unlikely(nf->options))
+ tpl_mask |= BTPL_OPTIONS4;
+ } else {
+ tpl_mask |= BTPL_IP6;
+ if (unlikely(nf->options))
+ tpl_mask |= BTPL_OPTIONS6;
+ if (unlikely(nf->flow_label))
+ tpl_mask |= BTPL_LABEL6;
+ }
+ if (unlikely(nf->tcpoptions))
+ tpl_mask |= BTPL_TCPOPTIONS;
+ if (unlikely(nf->s_mask || nf->d_mask))
+ tpl_mask |= BTPL_MASK4;
+ if (likely(nf->tuple.protocol == IPPROTO_TCP ||
+ nf->tuple.protocol == IPPROTO_UDP ||
+ nf->tuple.protocol == IPPROTO_SCTP ||
+ nf->tuple.protocol == IPPROTO_UDPLITE))
+ tpl_mask |= BTPL_PORTS;
+ else if (nf->tuple.protocol == IPPROTO_ICMP)
+ tpl_mask |= BTPL_ICMP;
+ else if (nf->tuple.protocol == IPPROTO_IGMP)
+ tpl_mask |= BTPL_IGMP;
+#ifdef CONFIG_NF_CONNTRACK_MARK
+ if (nf->mark)
+ tpl_mask |= BTPL_MARK;
+#endif
+#ifdef CONFIG_NF_NAT_NEEDED
+ if (nf->nat)
+ tpl_mask = BTPL_NAT4;
+#endif
+
+ tpl = get_template(tpl_mask);
+ if (unlikely(!tpl)) {
+ printk(KERN_INFO "ipt_NETFLOW: template allocation failed.\n");
+ NETFLOW_STAT_INC(alloc_err);
+ NETFLOW_STAT_ADD_ATOMIC(pkt_drop, nf->nr_packets);
+ NETFLOW_STAT_ADD_ATOMIC(traf_drop, nf->nr_bytes);
+ ipt_netflow_free(nf);
+ return;
+ }
+
+ if (unlikely(!pdu_flowset ||
+ pdu_flowset->flowset_id != tpl->template_id_n ||
+ !(ptr = pdu_alloc_fail(tpl->rec_size)))) {
+
+ /* if there was previous data template we should pad it to 4 bytes */
+ if (pdu_flowset) {
+ int padding = (PAD_SIZE - ntohs(pdu_flowset->length) % PAD_SIZE) % PAD_SIZE;
+ if (padding && (ptr = pdu_alloc_fail(padding))) {
+ pdu_flowset->length = htons(ntohs(pdu_flowset->length) + padding);
+ for (; padding; padding--)
+ *ptr++ = 0;
+ }
+ }
+
+ if (!tpl->exported_ts ||
+ pdu_count > (tpl->exported_cnt + refresh_rate) ||
+ time_is_before_jiffies(tpl->exported_ts + timeout_rate_j())) {
+ pdu_add_template(tpl);
+ }
+
+ ptr = pdu_alloc(sizeof(struct flowset_data) + tpl->rec_size);
+ pdu_flowset = (struct flowset_data *)ptr;
+ pdu_flowset->flowset_id = tpl->template_id_n;
+ pdu_flowset->length = htons(sizeof(struct flowset_data));
+ ptr += sizeof(struct flowset_data);
+ }
+
+ /* encode all fields */
+ for (i = 0; ; ) {
+ int type = tpl->fields[i++];
+
+ if (!type)
+ break;
+ add_ipv4_field(ptr, type, nf);
+ ptr += tpl->fields[i++];
+ }
+
+ pdu_data_records++;
+ pdu_flowset->length = htons(ntohs(pdu_flowset->length) + tpl->rec_size);
+
+ pdu_packets += nf->nr_packets;
+ pdu_traf += nf->nr_bytes;
+
+ ipt_netflow_free(nf);
+ pdu_ts_mod = jiffies;
+}
+
+static void netflow_switch_version(const int ver)
+{
+ protocol = ver;
+ if (protocol == 5) {
+ memset(&pdu, 0, sizeof(pdu));
+ netflow_export_flow = &netflow_export_flow_v5;
+ netflow_export_pdu = &netflow_export_pdu_v5;
+ } else if (protocol == 9) {
+ pdu_data_used = pdu.v9.data;
+ pdu_max_size = sizeof(pdu.v9);
+ pdu_high_wm = (unsigned char *)&pdu + pdu_max_size;
+ netflow_export_flow = &netflow_export_flow_tpl;
+ netflow_export_pdu = &netflow_export_pdu_v9;
+ } else { /* IPFIX */
+ pdu_data_used = pdu.ipfix.data;
+ pdu_max_size = sizeof(pdu.ipfix);
+ pdu_high_wm = (unsigned char *)&pdu + pdu_max_size;
+ netflow_export_flow = &netflow_export_flow_tpl;
+ netflow_export_pdu = &netflow_export_pdu_ipfix;
+ }
+ if (protocol != 5)
+ free_templates();
+ pdu_data_records = pdu_tpl_records = 0;
+ pdu_flowset = NULL;
+ printk(KERN_INFO "ipt_NETFLOW protocol version %d (%s) enabled.\n",
+ protocol, protocol == 10? "IPFIX" : "NetFlow");
+}
+
+#ifdef CONFIG_NF_NAT_NEEDED
+static void export_nat_event(struct nat_event *nel)
+{
+ static struct ipt_netflow nf = { { NULL } };
+
+ nf.tuple.l3proto = AF_INET;
+ nf.tuple.protocol = nel->protocol;
+ nf.nat = nel; /* this is also flag of dummy flow */
+ nf.tcp_flags = (nel->nat_event == NAT_DESTROY)? TCP_FIN_RST : TCP_SYN_ACK;
+ if (protocol >= 9) {
+ nf.ts_obs = nel->ts_ktime;
+ nf.tuple.src.ip = nel->pre.s_addr;
+ nf.tuple.dst.ip = nel->pre.d_addr;
+ nf.tuple.s_port = nel->pre.s_port;
+ nf.tuple.d_port = nel->pre.d_port;
+ netflow_export_flow(&nf);
+ } else { /* v5 */
+ /* The weird v5 packet(s).
+ * src and dst will be same as in data flow from the FORWARD chain
+ * where src is pre-nat src ip and dst is post-nat dst ip.
+ * What we lacking here is external src ip for SNAT, or
+ * pre-nat dst ip for DNAT. We will put this into Nexthop field
+ * with port into src/dst AS field. tcp_flags will distinguish it's
+ * start or stop event. Two flows in case of full nat. */
+ nf.tuple.src.ip = nel->pre.s_addr;
+ nf.tuple.s_port = nel->pre.s_port;
+ nf.tuple.dst.ip = nel->post.d_addr;
+ nf.tuple.d_port = nel->post.d_port;
+
+ nf.ts_first = nel->ts_jiffies;
+ nf.ts_last = nel->ts_jiffies;
+ if (nel->pre.s_addr != nel->post.s_addr ||
+ nel->pre.s_port != nel->post.s_port) {
+ nf.nh.ip = nel->post.s_addr;
+ nf.s_as = nel->post.s_port;
+ nf.d_as = 0;
+ netflow_export_flow(&nf);
+ }
+ if (nel->pre.d_addr != nel->post.d_addr ||
+ nel->pre.d_port != nel->post.d_port) {
+ nf.nh.ip = nel->pre.d_addr;
+ nf.s_as = 0;
+ nf.d_as = nel->pre.d_port;
+ netflow_export_flow(&nf);
+ }
+ }
+ kfree(nel);
}
+#endif /* CONFIG_NF_NAT_NEEDED */
-static inline int active_needs_export(struct ipt_netflow *nf, long a_timeout)
+static inline int active_needs_export(const struct ipt_netflow *nf, const long a_timeout)
{
/* active too long, finishing, or having too much bytes */
return ((jiffies - nf->ts_first) > a_timeout) ||
@@ -1057,42 +1987,77 @@ static inline int active_needs_export(struct ipt_netflow *nf, long a_timeout)
/* could be called with zero to flush cache and pdu */
/* this function is guaranteed to be called non-concurrently */
-static void netflow_scan_and_export(int flush)
+/* return -1 is trylockfailed, 0 if nothin gexported, >=1 if exported something */
+static int netflow_scan_and_export(const int flush)
{
long i_timeout = inactive_timeout * HZ;
long a_timeout = active_timeout * HZ;
+ int trylock_failed = 0;
+ int pdu_c = pdu_count;
if (flush)
i_timeout = 0;
- spin_lock_bh(&ipt_netflow_lock);
- while (!list_empty(&ipt_netflow_list)) {
+ local_bh_disable();
+ spin_lock(&hlist_lock);
+ /* This is different order of locking than elsewhere,
+ * so we trylock&break to avoid deadlock. */
+
+ while (likely(!list_empty(&ipt_netflow_list))) {
struct ipt_netflow *nf;
-
+
+ /* Last entry, which is usually oldest. */
nf = list_entry(ipt_netflow_list.prev, struct ipt_netflow, list);
+ if (!spin_trylock(nf->lock)) {
+ trylock_failed = 1;
+ break;
+ }
/* Note: i_timeout checked with >= to allow specifying zero timeout
* to purge all flows on module unload */
if (((jiffies - nf->ts_last) >= i_timeout) ||
active_needs_export(nf, a_timeout)) {
hlist_del(&nf->hlist);
+ spin_unlock(nf->lock);
+
list_del(&nf->list);
+ spin_unlock(&hlist_lock);
+ local_bh_enable();
+
NETFLOW_STAT_ADD(pkt_out, nf->nr_packets);
NETFLOW_STAT_ADD(traf_out, nf->nr_bytes);
- spin_unlock_bh(&ipt_netflow_lock);
netflow_export_flow(nf);
- spin_lock_bh(&ipt_netflow_lock);
+
+ local_bh_disable();
+ spin_lock(&hlist_lock);
} else {
+ spin_unlock(nf->lock);
/* all flows which need to be exported is always at the tail
* so if no more exportable flows we can break */
break;
}
}
- spin_unlock_bh(&ipt_netflow_lock);
-
+ spin_unlock(&hlist_lock);
+ local_bh_enable();
+
+#ifdef CONFIG_NF_NAT_NEEDED
+ spin_lock_bh(&nat_lock);
+ while (!list_empty(&nat_list)) {
+ struct nat_event *nel;
+
+ nel = list_entry(nat_list.next, struct nat_event, list);
+ list_del(&nel->list);
+ spin_unlock_bh(&nat_lock);
+ export_nat_event(nel);
+ spin_lock_bh(&nat_lock);
+ }
+ spin_unlock_bh(&nat_lock);
+#endif
/* flush flows stored in pdu if there no new flows for too long */
/* Note: using >= to allow flow purge on zero timeout */
if ((jiffies - pdu_ts_mod) >= i_timeout)
netflow_export_pdu();
+
+ return trylock_failed? -1 : pdu_count - pdu_c;
}
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,20)
@@ -1101,8 +2066,10 @@ static void netflow_work_fn(void *dummy)
static void netflow_work_fn(struct work_struct *dummy)
#endif
{
- netflow_scan_and_export(0);
- __start_scan_worker();
+ int status;
+
+ status = netflow_scan_and_export(DONT_FLUSH);
+ _schedule_scan_worker(status);
}
#define RATESHIFT 2
@@ -1154,7 +2121,7 @@ static void rate_timer_calc(unsigned long dummy)
old_found = found;
old_notfound = notfound;
/* if there is no access to hash keep rate steady */
- metric = (dfnd + dnfnd)? 10 * (dsrch + dfnd + dnfnd) / (dfnd + dnfnd) : metric;
+ metric = (dfnd + dnfnd)? 100 * (dsrch + dfnd + dnfnd) / (dfnd + dnfnd) : metric;
CALC_RATE(min15_metric, (unsigned long long)metric, 15);
CALC_RATE(min5_metric, (unsigned long long)metric, 5);
CALC_RATE(min_metric, (unsigned long long)metric, 1);
@@ -1162,6 +2129,262 @@ static void rate_timer_calc(unsigned long dummy)
mod_timer(&rate_timer, jiffies + (HZ * SAMPLERATE));
}
+#ifdef CONFIG_NF_NAT_NEEDED
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31)
+static struct nf_ct_event_notifier *saved_event_cb __read_mostly = NULL;
+static int netflow_conntrack_event(const unsigned int events, struct nf_ct_event *item)
+#else
+static int netflow_conntrack_event(struct notifier_block *this, unsigned long events, void *ptr)
+#endif
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31)
+ struct nf_conn *ct = item->ct;
+#else
+ struct nf_conn *ct = (struct nf_conn *)ptr;
+#endif
+ struct nat_event *nel;
+ const struct nf_conntrack_tuple *t;
+ int ret = NOTIFY_DONE;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31)
+ struct nf_ct_event_notifier *notifier;
+
+ /* Call netlink first. */
+ notifier = rcu_dereference(saved_event_cb);
+ if (likely(notifier))
+ ret = notifier->fcn(events, item);
+#endif
+ if (unlikely(!natevents))
+ return ret;
+
+ if (!(events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED) | (1 << IPCT_DESTROY))))
+ return ret;
+
+ if (!(ct->status & IPS_NAT_MASK))
+ return ret;
+
+ if (unlikely(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num != AF_INET ||
+ ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.l3num != AF_INET)) {
+ /* Well, there is no linux NAT for IPv6 anyway. */
+ return ret;
+ }
+
+ if (!(nel = kmalloc(sizeof(struct nat_event), GFP_ATOMIC))) {
+ printk(KERN_ERR "ipt_NETFLOW: can't kmalloc nat event\n");
+ return ret;
+ }
+ memset(nel, 0, sizeof(struct nat_event));
+ nel->ts_ktime = ktime_get_real();
+ nel->ts_jiffies = jiffies;
+ t = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
+ nel->protocol = t->dst.protonum;
+ nel->pre.s_addr = t->src.u3.ip;
+ nel->pre.d_addr = t->dst.u3.ip;
+ nel->pre.s_port = t->src.u.all;
+ nel->pre.d_port = t->dst.u.all;
+ t = &ct->tuplehash[IP_CT_DIR_REPLY].tuple;
+ /* reply is reversed */
+ nel->post.s_addr = t->dst.u3.ip;
+ nel->post.d_addr = t->src.u3.ip;
+ nel->post.s_port = t->dst.u.all;
+ nel->post.d_port = t->src.u.all;
+ if (events & (1 << IPCT_DESTROY)) {
+ nel->nat_event = NAT_DESTROY;
+ nat_events_stop++;
+ } else {
+ nel->nat_event = NAT_CREATE;
+ nat_events_start++;
+ }
+
+ spin_lock_bh(&nat_lock);
+ list_add_tail(&nel->list, &nat_list);
+ spin_unlock_bh(&nat_lock);
+
+ return ret;
+}
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,31)
+static struct notifier_block ctnl_notifier = {
+ .notifier_call = netflow_conntrack_event
+};
+#else
+static struct nf_ct_event_notifier ctnl_notifier = {
+ .fcn = netflow_conntrack_event
+};
+#endif /* since 2.6.31 */
+#endif /* CONFIG_NF_NAT_NEEDED */
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23) && \
+ LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
+static bool
+#else
+static int
+#endif
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
+netflow_target_check(const char *tablename, const void *entry, const struct xt_target *target,
+ void *targinfo,
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,18)
+ unsigned int targinfosize,
+#endif
+ unsigned int hook_mask)
+{
+#else
+netflow_target_check(const struct xt_tgchk_param *par)
+{
+ const char *tablename = par->table;
+ const struct xt_target *target = par->target;
+#endif
+ if (strcmp("nat", tablename) == 0) {
+ /* In the nat table we only see single packet per flow, which is useless. */
+ printk(KERN_ERR "%s target: is not valid in %s table\n", target->name, tablename);
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
+#define CHECK_FAIL 0
+#define CHECK_OK 1
+#else
+#define CHECK_FAIL -EINVAL
+#define CHECK_OK 0
+#endif
+ return CHECK_FAIL;
+ }
+ if (target->family == AF_INET6 && protocol == 5) {
+ printk(KERN_ERR "ip6tables NETFLOW target is meaningful for protocol 9 or 10 only.\n");
+ return CHECK_FAIL;
+ }
+ return CHECK_OK;
+}
+
+#define SetXBit(x) (0x8000 >> (x)) /* Proper bit for htons later. */
+#ifndef IPPROTO_MH
+#define IPPROTO_MH 135
+#endif
+static inline __u16 observed_hdrs(const __u8 currenthdr)
+{
+ switch (currenthdr) {
+ case IPPROTO_TCP:
+ case IPPROTO_UDP:
+ /* For speed, in case switch is not optimized. */
+ return 0;
+ case IPPROTO_DSTOPTS: return SetXBit(0);
+ case IPPROTO_HOPOPTS: return SetXBit(1);
+ case IPPROTO_ROUTING: return SetXBit(5);
+ case IPPROTO_MH: return SetXBit(12);
+ case IPPROTO_ESP: return SetXBit(13);
+ case IPPROTO_AH: return SetXBit(14);
+ case IPPROTO_COMP: return SetXBit(15);
+ case IPPROTO_FRAGMENT: /* Handled elsewhere. */
+ /* Next is known headers. */
+ case IPPROTO_ICMPV6:
+ case IPPROTO_UDPLITE:
+ case IPPROTO_IPIP:
+ case IPPROTO_PIM:
+ case IPPROTO_GRE:
+ case IPPROTO_SCTP:
+#ifdef IPPROTO_L2TP
+ case IPPROTO_L2TP:
+#endif
+ case IPPROTO_DCCP:
+ return 0;
+ }
+ return SetXBit(3); /* Unknown header. */
+}
+
+/* http://www.iana.org/assignments/ip-parameters/ip-parameters.xhtml */
+static const __u8 ip4_opt_table[] = {
+ [7] = 0, /* RR */ /* parsed manually becasue of 0 */
+ [134] = 1, /* CIPSO */
+ [133] = 2, /* E-SEC */
+ [68] = 3, /* TS */
+ [131] = 4, /* LSR */
+ [130] = 5, /* SEC */
+ [1] = 6, /* NOP */
+ [0] = 7, /* EOOL */
+ [15] = 8, /* ENCODE */
+ [142] = 9, /* VISA */
+ [205] = 10, /* FINN */
+ [12] = 11, /* MTUR */
+ [11] = 12, /* MTUP */
+ [10] = 13, /* ZSU */
+ [137] = 14, /* SSR */
+ [136] = 15, /* SID */
+ [151] = 16, /* DPS */
+ [150] = 17, /* NSAPA */
+ [149] = 18, /* SDB */
+ [147] = 19, /* ADDEXT */
+ [148] = 20, /* RTRALT */
+ [82] = 21, /* TR */
+ [145] = 22, /* EIP */
+ [144] = 23, /* IMITD */
+ [30] = 25, /* EXP */
+ [94] = 25, /* EXP */
+ [158] = 25, /* EXP */
+ [222] = 25, /* EXP */
+ [25] = 30, /* QS */
+ [152] = 31, /* UMP */
+};
+/* Parse IPv4 Options array int ipv4Options IPFIX value. */
+static inline __u32 ip4_options(const u_int8_t *p, const unsigned int optsize)
+{
+ __u32 ret = 0;
+ unsigned int i;
+
+ for (i = 0; likely(i < optsize); ) {
+ u_int8_t op = p[i++];
+
+ if (op == 7) /* RR: bit 0 */
+ ret |= 1;
+ else if (likely(op < ARRAY_SIZE(ip4_opt_table))) {
+ /* Btw, IANA doc is messed up in a crazy way:
+ * http://www.ietf.org/mail-archive/web/ipfix/current/msg06008.html (2011)
+ * I decided to follow IANA _text_ description from
+ * http://www.iana.org/assignments/ipfix/ipfix.xhtml (2013-09-18)
+ *
+ * Set proper bit for htonl later. */
+ if (ip4_opt_table[op])
+ ret |= 1 << (32 - ip4_opt_table[op]);
+ }
+ if (likely(i >= optsize || op == 0))
+ break;
+ else if (unlikely(op == 1))
+ continue;
+ else if (unlikely(p[i] < 2))
+ break;
+ else
+ i += p[i] - 1;
+ }
+ return ret;
+}
+
+#define TCPHDR_MAXSIZE (4 * 15)
+/* List of options: http://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml */
+static inline __u32 tcp_options(const struct sk_buff *skb, const unsigned int ptr, const struct tcphdr *th)
+{
+ const unsigned int optsize = th->doff * 4 - sizeof(struct tcphdr);
+ __u8 _opt[TCPHDR_MAXSIZE];
+ const u_int8_t *p;
+ __u32 ret;
+ unsigned int i;
+
+ p = skb_header_pointer(skb, ptr + sizeof(struct tcphdr), optsize, _opt);
+ if (unlikely(!p))
+ return 0;
+ ret = 0;
+ for (i = 0; likely(i < optsize); ) {
+ u_int8_t opt = p[i++];
+
+ if (likely(opt < 32)) {
+ /* IANA doc is messed up, see above. */
+ ret |= 1 << (32 - opt);
+ }
+ if (likely(i >= optsize || opt == 0))
+ break;
+ else if (unlikely(opt == 1))
+ continue;
+ else if (unlikely(p[i] < 2)) /* "silly options" */
+ break;
+ else
+ i += p[i] - 1;
+ }
+ return ret;
+}
/* packet receiver */
static unsigned int netflow_target(
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24)
@@ -1192,27 +2415,38 @@ static unsigned int netflow_target(
)
{
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24)
- struct sk_buff *skb = *pskb;
+ const struct sk_buff *skb = *pskb;
+#endif
+ union {
+ struct iphdr ip;
+ struct ipv6hdr ip6;
+ } _iph, *iph;
+ unsigned int hash;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
+ const int family = target->family;
+#else
+ const int family = par->family;
#endif
- struct iphdr _iph, *iph;
struct ipt_netflow_tuple tuple;
struct ipt_netflow *nf;
__u8 tcp_flags;
struct netflow_aggr_n *aggr_n;
struct netflow_aggr_p *aggr_p;
__u8 s_mask, d_mask;
- unsigned int hash;
-
- iph = skb_header_pointer(skb, 0, sizeof(_iph), &_iph); //iph = ip_hdr(skb);
-
- if (iph == NULL) {
+ unsigned int ptr;
+ int fragment;
+ size_t pkt_len;
+ int options = 0;
+ int tcpoptions = 0;
+
+ iph = skb_header_pointer(skb, 0, (likely(family == AF_INET))? sizeof(_iph.ip) : sizeof(_iph.ip6), &iph);
+ if (unlikely(iph == NULL)) {
NETFLOW_STAT_INC(truncated);
NETFLOW_STAT_INC(pkt_drop);
return IPT_CONTINUE;
}
- tuple.s_addr = iph->saddr;
- tuple.d_addr = iph->daddr;
+ tuple.l3proto = family;
tuple.s_port = 0;
tuple.d_port = 0;
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
@@ -1220,30 +2454,118 @@ static unsigned int netflow_target(
#else
tuple.i_ifc = par->in? par->in->ifindex : -1;
#endif
- tuple.protocol = iph->protocol;
- tuple.tos = iph->tos;
tcp_flags = 0; /* Cisco sometimes have TCP ACK for non TCP packets, don't get it */
s_mask = 0;
d_mask = 0;
- if (iph->frag_off & htons(IP_OFFSET))
+ if (likely(family == AF_INET)) {
+ tuple.src = (union nf_inet_addr){ .ip = iph->ip.saddr };
+ tuple.dst = (union nf_inet_addr){ .ip = iph->ip.daddr };
+ tuple.tos = iph->ip.tos;
+ tuple.protocol = iph->ip.protocol;
+ fragment = unlikely(iph->ip.frag_off & htons(IP_OFFSET));
+ ptr = iph->ip.ihl * 4;
+ pkt_len = ntohs(iph->ip.tot_len);
+
+#define IPHDR_MAXSIZE (4 * 15)
+ if (unlikely(iph->ip.ihl * 4 > sizeof(struct iphdr))) {
+ u_int8_t _opt[IPHDR_MAXSIZE - sizeof(struct iphdr)];
+ const u_int8_t *op;
+ unsigned int optsize = iph->ip.ihl * 4 - sizeof(struct iphdr);
+
+ op = skb_header_pointer(skb, sizeof(struct iphdr), optsize, _opt);
+ if (likely(op))
+ options = ip4_options(op, optsize);
+ }
+ } else {
+ __u8 currenthdr;
+
+ tuple.src.in6 = iph->ip6.saddr;
+ tuple.dst.in6 = iph->ip6.daddr;
+ tuple.tos = iph->ip6.priority;
+ fragment = 0;
+ ptr = sizeof(struct ipv6hdr);
+ pkt_len = ntohs(iph->ip6.payload_len) + sizeof(struct ipv6hdr);
+
+ currenthdr = iph->ip6.nexthdr;
+ while (currenthdr != NEXTHDR_NONE && ipv6_ext_hdr(currenthdr)) {
+ struct ipv6_opt_hdr _hdr;
+ const struct ipv6_opt_hdr *hp;
+ unsigned int hdrlen = 0;
+
+ options |= observed_hdrs(currenthdr);
+ hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr);
+ if (hp == NULL) {
+ /* We have src/dst, so must account something. */
+ tuple.protocol = currenthdr;
+ fragment = 3;
+ goto do_protocols;
+ }
+
+ switch (currenthdr) {
+ case IPPROTO_FRAGMENT: {
+ struct frag_hdr _fhdr;
+ const struct frag_hdr *fh;
+
+ fh = skb_header_pointer(skb, ptr, sizeof(_fhdr),
+ &_fhdr);
+ if (fh == NULL) {
+ tuple.protocol = currenthdr;
+ fragment = 2;
+ goto do_protocols;
+ }
+ fragment = 1;
+#define FRA0 SetXBit(4) /* Fragment header - first fragment */
+#define FRA1 SetXBit(6) /* Fragmentation header - not first fragment */
+ options |= (ntohs(fh->frag_off) & 0xFFF8)? FRA1 : FRA0;
+ hdrlen = 8;
+ break;
+ }
+ case IPPROTO_AH: {
+ struct ip_auth_hdr _hdr, *hp;
+
+ if (likely(hp = skb_header_pointer(skb, ptr, 8, &_hdr))) {
+ tuple.s_port = hp->spi >> 16;
+ tuple.d_port = hp->spi;
+ }
+ hdrlen = (hp->hdrlen + 2) << 2;
+ break;
+ }
+ default:
+ hdrlen = ipv6_optlen(hp);
+ }
+ currenthdr = hp->nexthdr;
+ ptr += hdrlen;
+ }
+ tuple.protocol = currenthdr;
+ options |= observed_hdrs(currenthdr);
+ }
+
+do_protocols:
+ if (fragment) {
+ /* if conntrack is enabled it should defrag on pre-routing and local-out */
NETFLOW_STAT_INC(frags);
- else {
+ } else {
switch (tuple.protocol) {
case IPPROTO_TCP: {
struct tcphdr _hdr, *hp;
- if ((hp = skb_header_pointer(skb, iph->ihl * 4, 14, &_hdr))) {
+ if (likely(hp = skb_header_pointer(skb, ptr, 14, &_hdr))) {
tuple.s_port = hp->source;
tuple.d_port = hp->dest;
tcp_flags = (u_int8_t)(ntohl(tcp_flag_word(hp)) >> 16);
+
+ if (unlikely(hp->doff * 4 > sizeof(struct tcphdr)))
+ tcpoptions = tcp_options(skb, ptr, hp);
}
break;
}
- case IPPROTO_UDP: {
+ case IPPROTO_UDP:
+ case IPPROTO_UDPLITE:
+ case IPPROTO_SCTP: {
struct udphdr _hdr, *hp;
- if ((hp = skb_header_pointer(skb, iph->ihl * 4, 4, &_hdr))) {
+ if (likely(hp = skb_header_pointer(skb, ptr, 4, &_hdr))) {
tuple.s_port = hp->source;
tuple.d_port = hp->dest;
}
@@ -1252,72 +2574,111 @@ static unsigned int netflow_target(
case IPPROTO_ICMP: {
struct icmphdr _hdr, *hp;
- if ((hp = skb_header_pointer(skb, iph->ihl * 4, 2, &_hdr)))
- tuple.d_port = (hp->type << 8) | hp->code;
+ if (likely(family == AF_INET &&
+ (hp = skb_header_pointer(skb, ptr, 2, &_hdr))))
+ tuple.d_port = htons((hp->type << 8) | hp->code);
break;
}
+ case IPPROTO_ICMPV6: {
+ struct icmp6hdr _icmp6h, *ic;
+
+ if (likely(family == AF_INET6 &&
+ (ic = skb_header_pointer(skb, ptr, 2, &_icmp6h))))
+ tuple.d_port = htons((ic->icmp6_type << 8) | ic->icmp6_code);
+ break;
+ }
case IPPROTO_IGMP: {
- struct igmphdr *_hdr, *hp;
+ struct igmphdr _hdr, *hp;
- if ((hp = skb_header_pointer(skb, iph->ihl * 4, 1, &_hdr)))
+ if (likely(hp = skb_header_pointer(skb, ptr, 1, &_hdr)))
tuple.d_port = hp->type;
}
break;
+ case IPPROTO_AH: { /* IPSEC */
+ struct ip_auth_hdr _hdr, *hp;
+
+ if (likely(family == AF_INET && /* For IPv6 it's parsed above. */
+ (hp = skb_header_pointer(skb, ptr, 8, &_hdr)))) {
+ tuple.s_port = hp->spi >> 16;
+ tuple.d_port = hp->spi;
+ }
+ break;
+ }
+ case IPPROTO_ESP: {
+ struct ip_esp_hdr _hdr, *hp;
+
+ if (likely(hp = skb_header_pointer(skb, ptr, 4, &_hdr)))
+ tuple.s_port = hp->spi >> 16;
+ tuple.d_port = hp->spi;
+ }
+ break;
}
} /* not fragmented */
/* aggregate networks */
read_lock_bh(&aggr_lock);
- list_for_each_entry(aggr_n, &aggr_n_list, list)
- if ((ntohl(tuple.s_addr) & aggr_n->mask) == aggr_n->addr) {
- tuple.s_addr &= htonl(aggr_n->aggr_mask);
- s_mask = aggr_n->prefix;
- break;
- }
- list_for_each_entry(aggr_n, &aggr_n_list, list)
- if ((ntohl(tuple.d_addr) & aggr_n->mask) == aggr_n->addr) {
- tuple.d_addr &= htonl(aggr_n->aggr_mask);
- d_mask = aggr_n->prefix;
- break;
- }
+ if (family == AF_INET) {
+ list_for_each_entry(aggr_n, &aggr_n_list, list)
+ if (unlikely((ntohl(tuple.src.ip) & aggr_n->mask) == aggr_n->addr)) {
+ tuple.src.ip &= htonl(aggr_n->aggr_mask);
+ s_mask = aggr_n->prefix;
+ atomic_inc(&aggr_n->usage);
+ break;
+ }
+ list_for_each_entry(aggr_n, &aggr_n_list, list)
+ if (unlikely((ntohl(tuple.dst.ip) & aggr_n->mask) == aggr_n->addr)) {
+ tuple.dst.ip &= htonl(aggr_n->aggr_mask);
+ d_mask = aggr_n->prefix;
+ atomic_inc(&aggr_n->usage);
+ break;
+ }
+ }
- /* aggregate ports */
- list_for_each_entry(aggr_p, &aggr_p_list, list)
- if (ntohs(tuple.s_port) >= aggr_p->port1 &&
- ntohs(tuple.s_port) <= aggr_p->port2) {
- tuple.s_port = htons(aggr_p->aggr_port);
- break;
- }
+ if (tuple.protocol == IPPROTO_TCP ||
+ tuple.protocol == IPPROTO_UDP ||
+ tuple.protocol == IPPROTO_SCTP ||
+ tuple.protocol == IPPROTO_UDPLITE) {
+ /* aggregate ports */
+ list_for_each_entry(aggr_p, &aggr_p_list, list)
+ if (unlikely(ntohs(tuple.s_port) >= aggr_p->port1 &&
+ ntohs(tuple.s_port) <= aggr_p->port2)) {
+ tuple.s_port = htons(aggr_p->aggr_port);
+ atomic_inc(&aggr_p->usage);
+ break;
+ }
- list_for_each_entry(aggr_p, &aggr_p_list, list)
- if (ntohs(tuple.d_port) >= aggr_p->port1 &&
- ntohs(tuple.d_port) <= aggr_p->port2) {
- tuple.d_port = htons(aggr_p->aggr_port);
- break;
- }
+ list_for_each_entry(aggr_p, &aggr_p_list, list)
+ if (unlikely(ntohs(tuple.d_port) >= aggr_p->port1 &&
+ ntohs(tuple.d_port) <= aggr_p->port2)) {
+ tuple.d_port = htons(aggr_p->aggr_port);
+ atomic_inc(&aggr_p->usage);
+ break;
+ }
+ }
read_unlock_bh(&aggr_lock);
hash = hash_netflow(&tuple);
- spin_lock_bh(&ipt_netflow_lock);
+ read_lock_bh(&htable_rwlock);
+ spin_lock(&htable_locks[hash & LOCK_COUNT_MASK]);
/* record */
nf = ipt_netflow_find(&tuple, hash);
- if (!nf) {
- if (maxflows > 0 && atomic_read(&ipt_netflow_count) >= maxflows) {
+ if (unlikely(!nf)) {
+ struct rtable *rt;
+
+ if (unlikely(maxflows > 0 && atomic_read(&ipt_netflow_count) >= maxflows)) {
/* This is DOS attack prevention */
NETFLOW_STAT_INC(maxflows_err);
NETFLOW_STAT_INC(pkt_drop);
- NETFLOW_STAT_ADD(traf_drop, ntohs(iph->tot_len));
- spin_unlock_bh(&ipt_netflow_lock);
- return IPT_CONTINUE;
+ NETFLOW_STAT_ADD(traf_drop, pkt_len);
+ goto unlock_return;
}
nf = init_netflow(&tuple, skb, hash);
- if (!nf || IS_ERR(nf)) {
+ if (unlikely(!nf || IS_ERR(nf))) {
NETFLOW_STAT_INC(alloc_err);
NETFLOW_STAT_INC(pkt_drop);
- NETFLOW_STAT_ADD(traf_drop, ntohs(iph->tot_len));
- spin_unlock_bh(&ipt_netflow_lock);
- return IPT_CONTINUE;
+ NETFLOW_STAT_ADD(traf_drop, pkt_len);
+ goto unlock_return;
}
nf->ts_first = jiffies;
@@ -1330,31 +2691,68 @@ static unsigned int netflow_target(
nf->s_mask = s_mask;
nf->d_mask = d_mask;
- if (debug > 2)
- printk(KERN_INFO "ipt_netflow: new (%u) %hd:%hd SRC=%u.%u.%u.%u:%u DST=%u.%u.%u.%u:%u\n",
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,26)
+ rt = (struct rtable *)skb->dst;
+#else /* since 2.6.26 */
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,31)
+ rt = skb->rtable;
+#else /* since 2.6.31 */
+ rt = skb_rtable(skb);
+#endif
+#endif
+ if (likely(family == AF_INET)) {
+ if (rt)
+ nf->nh.ip = rt->rt_gateway;
+ } else {
+ if (rt)
+ nf->nh.in6 = ((struct rt6_info *)rt)->rt6i_gateway;
+ nf->flow_label = (iph->ip6.flow_lbl[0] << 16) |
+ (iph->ip6.flow_lbl[1] << 8) | (iph->ip6.flow_lbl[2]);
+ }
+#if 0
+ if (unlikely(debug > 2))
+ printk(KERN_INFO "ipt_NETFLOW: new (%u) %hd:%hd SRC=%u.%u.%u.%u:%u DST=%u.%u.%u.%u:%u\n",
atomic_read(&ipt_netflow_count),
tuple.i_ifc, nf->o_ifc,
NIPQUAD(tuple.s_addr), ntohs(tuple.s_port),
NIPQUAD(tuple.d_addr), ntohs(tuple.d_port));
+#endif
} else {
/* ipt_netflow_list is sorted by access time:
* most recently accessed flows are at head, old flows remain at tail
* this function bubble up flow to the head */
+ spin_lock(&hlist_lock);
list_move(&nf->list, &ipt_netflow_list);
+ spin_unlock(&hlist_lock);
}
+#ifdef CONFIG_NF_CONNTRACK_MARK
+ {
+ struct nf_conn *ct;
+ enum ip_conntrack_info ctinfo;
+ ct = nf_ct_get(skb, &ctinfo);
+ if (ct)
+ nf->mark = ct->mark;
+ }
+#endif
+
nf->nr_packets++;
- nf->nr_bytes += ntohs(iph->tot_len);
+ nf->nr_bytes += pkt_len;
nf->ts_last = jiffies;
nf->tcp_flags |= tcp_flags;
+ nf->options |= options;
+ if (tuple.protocol == IPPROTO_TCP)
+ nf->tcpoptions |= tcpoptions;
NETFLOW_STAT_INC(pkt_total);
- NETFLOW_STAT_ADD(traf_total, ntohs(iph->tot_len));
+ NETFLOW_STAT_ADD(traf_total, pkt_len);
- if (active_needs_export(nf, active_timeout * HZ)) {
+ if (likely(active_needs_export(nf, active_timeout * HZ))) {
/* ok, if this active flow to be exported
* bubble it to the tail */
+ spin_lock(&hlist_lock);
list_move_tail(&nf->list, &ipt_netflow_list);
+ spin_unlock(&hlist_lock);
/* Blog: I thought about forcing timer to wake up sooner if we have
* enough exportable flows, but in fact this doesn't have much sense,
@@ -1363,35 +2761,194 @@ static unsigned int netflow_target(
* limited size). But yes, this is disputable. */
}
- spin_unlock_bh(&ipt_netflow_lock);
+unlock_return:
+ spin_unlock(&htable_locks[hash & LOCK_COUNT_MASK]);
+ read_unlock_bh(&htable_rwlock);
return IPT_CONTINUE;
}
-static struct ipt_target ipt_netflow_reg = {
- .name = "NETFLOW",
- .target = netflow_target,
- .family = AF_INET,
-#ifndef RAW_PROMISC_HACK
- .table = "filter",
-#ifndef NF_IP_LOCAL_IN /* 2.6.25 */
- .hooks = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD) |
- (1 << NF_INET_LOCAL_OUT),
-#else
- .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
- (1 << NF_IP_LOCAL_OUT),
-#endif /* NF_IP_LOCAL_IN */
+#ifdef CONFIG_NF_NAT_NEEDED
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31)
+ /* Below 2.6.31 we don't need to handle callback chain manually. */
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,2,0)
+#define NET_STRUCT struct net *net
+#define NET_ARG net,
+#define nf_conntrack_event_cb net->ct.nf_conntrack_event_cb
#else
- .table = "raw",
-#ifndef NF_IP_LOCAL_IN
- .hooks = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD) |
- (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_PRE_ROUTING),
+#define NET_STRUCT void
+#define NET_ARG
+#endif
+static int set_notifier_cb(NET_STRUCT)
+{
+ struct nf_ct_event_notifier *notifier;
+
+ notifier = rcu_dereference(nf_conntrack_event_cb);
+ if (notifier == NULL) {
+ /* Polite mode. */
+ nf_conntrack_register_notifier(NET_ARG &ctnl_notifier);
+ } else if (notifier != &ctnl_notifier) {
+ if (!saved_event_cb)
+ saved_event_cb = notifier;
+ else if (saved_event_cb != notifier)
+ printk(KERN_ERR "natevents_net_init: %p != %p (report error.)\n",
+ saved_event_cb, notifier);
+ rcu_assign_pointer(nf_conntrack_event_cb, &ctnl_notifier);
+ } else
+ printk(KERN_ERR "ipt_NETFLOW: natevents already enabled.\n");
+ return 0;
+}
+static void unset_notifier_cb(NET_STRUCT)
+{
+ struct nf_ct_event_notifier *notifier;
+
+ notifier = rcu_dereference(nf_conntrack_event_cb);
+ if (notifier == &ctnl_notifier) {
+ if (saved_event_cb == NULL)
+ nf_conntrack_unregister_notifier(NET_ARG &ctnl_notifier);
+ else
+ rcu_assign_pointer(nf_conntrack_event_cb, saved_event_cb);
+ } else
+ printk(KERN_ERR "ipt_NETFLOW: natevents already disabled.\n");
+}
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,2,0)
+#undef nf_conntrack_event_cb
+static struct pernet_operations natevents_net_ops = {
+ .init = set_notifier_cb,
+ .exit = unset_notifier_cb
+};
+#endif
+#endif /* since 2.6.31 */
+
+static DEFINE_MUTEX(events_lock);
+/* Both functions may be called multiple times. */
+static void register_ct_events(void)
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31)
+#define NETLINK_M "nf_conntrack_netlink"
+ struct module *netlink_m;
+ static int referenced = 0;
+#endif
+
+ printk(KERN_INFO "ipt_NETFLOW: enable natevents.\n");
+ mutex_lock(&events_lock);
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31)
+ /* Pre-load netlink module who will be first notifier
+ * user, and then hijack nf_conntrack_event_cb from it. */
+ if (
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3,2,0)
+ !rcu_dereference(nf_conntrack_event_cb) ||
+#endif
+ !(netlink_m = find_module(NETLINK_M))) {
+ printk("Loading " NETLINK_M "\n");
+ request_module(NETLINK_M);
+ }
+ /* Reference netlink module to prevent it's unsafe unload before us. */
+ if (!referenced && (netlink_m = find_module(NETLINK_M))) {
+ referenced++;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35)
+#define use_module ref_module
+#endif
+ use_module(THIS_MODULE, netlink_m);
+ }
+
+ /* Register ct events callback. */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,2,0)
+ register_pernet_subsys(&natevents_net_ops);
#else
- .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
- (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_PRE_ROUTING),
-#endif /* NF_IP_LOCAL_IN */
-#endif /* !RAW_PROMISC_HACK */
- .me = THIS_MODULE
+ set_notifier_cb();
+#endif
+#else /* below v2.6.31 */
+ if (!natevents && nf_conntrack_register_notifier(&ctnl_notifier) < 0)
+ printk(KERN_ERR "Can't register conntrack notifier, natevents disabled.\n");
+ else
+#endif
+ natevents = 1;
+ mutex_unlock(&events_lock);
+}
+
+static void unregister_ct_events(void)
+{
+ printk(KERN_INFO "ipt_NETFLOW: disable natevents.\n");
+ mutex_lock(&events_lock);
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,2,0)
+ unregister_pernet_subsys(&natevents_net_ops);
+#else /* < v3.2 */
+ unset_notifier_cb();
+#endif /* v3.2 */
+ rcu_assign_pointer(saved_event_cb, NULL);
+#else /* < v2.6.31 */
+ nf_conntrack_unregister_notifier(&ctnl_notifier);
+#endif
+ natevents = 0;
+ mutex_unlock(&events_lock);
+}
+#endif /* CONFIG_NF_NAT_NEEDED */
+
+#ifndef NF_IP_LOCAL_IN /* 2.6.25 */
+#define NF_IP_PRE_ROUTING NF_INET_PRE_ROUTING
+#define NF_IP_LOCAL_IN NF_INET_LOCAL_IN
+#define NF_IP_FORWARD NF_INET_FORWARD
+#define NF_IP_LOCAL_OUT NF_INET_LOCAL_OUT
+#define NF_IP_POST_ROUTING NF_INET_POST_ROUTING
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
+/* net/netfilter/x_tables.c */
+static void xt_unregister_targets(struct xt_target *target, unsigned int n)
+{
+ unsigned int i;
+
+ for (i = 0; i < n; i++)
+ xt_unregister_target(&target[i]);
+}
+static int xt_register_targets(struct xt_target *target, unsigned int n)
+{
+ unsigned int i;
+
+ int err = 0;
+ for (i = 0; i < n; i++)
+ if ((err = xt_register_target(&target[i])))
+ goto err;
+ return err;
+err:
+ if (i > 0)
+ xt_unregister_targets(target, i);
+ return err;
+}
+#endif
+
+static struct ipt_target ipt_netflow_reg[] __read_mostly = {
+ {
+ .name = "NETFLOW",
+ .target = netflow_target,
+ .checkentry = netflow_target_check,
+ .family = AF_INET,
+ .hooks =
+ (1 << NF_IP_PRE_ROUTING) |
+ (1 << NF_IP_LOCAL_IN) |
+ (1 << NF_IP_FORWARD) |
+ (1 << NF_IP_LOCAL_OUT) |
+ (1 << NF_IP_POST_ROUTING),
+ .me = THIS_MODULE
+ },
+ {
+ .name = "NETFLOW",
+ .target = netflow_target,
+ .checkentry = netflow_target_check,
+ .family = AF_INET6,
+ .hooks =
+ (1 << NF_IP_PRE_ROUTING) |
+ (1 << NF_IP_LOCAL_IN) |
+ (1 << NF_IP_FORWARD) |
+ (1 << NF_IP_LOCAL_OUT) |
+ (1 << NF_IP_POST_ROUTING),
+ .me = THIS_MODULE
+ },
};
static int __init ipt_netflow_init(void)
@@ -1399,11 +2956,16 @@ static int __init ipt_netflow_init(void)
#ifdef CONFIG_PROC_FS
struct proc_dir_entry *proc_stat;
#endif
+ printk(KERN_INFO "ipt_NETFLOW version %s, srcversion %s\n",
+ IPT_NETFLOW_VERSION, THIS_MODULE->srcversion);
get_random_bytes(&ipt_netflow_hash_rnd, 4);
/* determine hash size (idea from nf_conntrack_core.c) */
if (!hashsize) {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,11,0)
+#define num_physpages totalram_pages
+#endif
hashsize = (((num_physpages << PAGE_SHIFT) / 16384)
/ sizeof(struct hlist_head));
if (num_physpages > (1024 * 1024 * 1024 / PAGE_SIZE))
@@ -1411,8 +2973,7 @@ static int __init ipt_netflow_init(void)
}
if (hashsize < 16)
hashsize = 16;
- printk(KERN_INFO "ipt_netflow version %s (%u buckets)\n",
- IPT_NETFLOW_VERSION, hashsize);
+ printk(KERN_INFO "ipt_NETFLOW: hashsize %u\n", hashsize);
ipt_netflow_hash_size = hashsize;
ipt_netflow_hash = alloc_hashtable(ipt_netflow_hash_size);
@@ -1434,12 +2995,18 @@ static int __init ipt_netflow_init(void)
}
#ifdef CONFIG_PROC_FS
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3,10,0)
proc_stat = create_proc_entry("ipt_netflow", S_IRUGO, INIT_NET(proc_net_stat));
+#else
+ proc_stat = proc_create("ipt_netflow", S_IRUGO, INIT_NET(proc_net_stat), &nf_seq_fops);
+#endif
if (!proc_stat) {
printk(KERN_ERR "Unable to create /proc/net/stat/ipt_netflow entry\n");
goto err_free_netflow_slab;
}
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3,10,0)
proc_stat->proc_fops = &nf_seq_fops;
+#endif
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,30)
proc_stat->owner = THIS_MODULE;
#endif
@@ -1480,21 +3047,28 @@ static int __init ipt_netflow_init(void)
}
add_aggregation(aggregation);
- __start_scan_worker();
+ netflow_switch_version(protocol);
+ _schedule_scan_worker(0);
setup_timer(&rate_timer, rate_timer_calc, 0);
mod_timer(&rate_timer, jiffies + (HZ * SAMPLERATE));
- if (xt_register_target(&ipt_netflow_reg))
+ peakflows_at = jiffies;
+ if (xt_register_targets(ipt_netflow_reg, ARRAY_SIZE(ipt_netflow_reg)))
goto err_stop_timer;
- peakflows_at = jiffies;
+#ifdef CONFIG_NF_NAT_NEEDED
+ if (natevents)
+ register_ct_events();
+#endif
- printk(KERN_INFO "ipt_netflow loaded.\n");
+ printk(KERN_INFO "ipt_NETFLOW is loaded.\n");
return 0;
err_stop_timer:
- __stop_scan_worker();
+ _unschedule_scan_worker();
+ netflow_scan_and_export(AND_FLUSH);
del_timer_sync(&rate_timer);
+ free_templates();
destination_removeall();
aggregation_remove(&aggr_n_list);
aggregation_remove(&aggr_p_list);
@@ -1506,17 +3080,18 @@ err_free_proc_stat:
#ifdef CONFIG_PROC_FS
remove_proc_entry("ipt_netflow", INIT_NET(proc_net_stat));
err_free_netflow_slab:
-#endif
+#endif
kmem_cache_destroy(ipt_netflow_cachep);
err_free_hash:
vfree(ipt_netflow_hash);
err:
+ printk(KERN_INFO "ipt_NETFLOW is not loaded.\n");
return -ENOMEM;
}
static void __exit ipt_netflow_fini(void)
{
- printk(KERN_INFO "ipt_netflow unloading..\n");
+ printk(KERN_INFO "ipt_NETFLOW unloading..\n");
#ifdef CONFIG_SYSCTL
unregister_sysctl_table(netflow_sysctl_header);
@@ -1524,14 +3099,18 @@ static void __exit ipt_netflow_fini(void)
#ifdef CONFIG_PROC_FS
remove_proc_entry("ipt_netflow", INIT_NET(proc_net_stat));
#endif
-
- xt_unregister_target(&ipt_netflow_reg);
- __stop_scan_worker();
- netflow_scan_and_export(1);
+ xt_unregister_targets(ipt_netflow_reg, ARRAY_SIZE(ipt_netflow_reg));
+#ifdef CONFIG_NF_NAT_NEEDED
+ if (natevents)
+ unregister_ct_events();
+#endif
+ _unschedule_scan_worker();
+ netflow_scan_and_export(AND_FLUSH);
del_timer_sync(&rate_timer);
synchronize_sched();
+ free_templates();
destination_removeall();
aggregation_remove(&aggr_n_list);
aggregation_remove(&aggr_p_list);
@@ -1539,7 +3118,7 @@ static void __exit ipt_netflow_fini(void)
kmem_cache_destroy(ipt_netflow_cachep);
vfree(ipt_netflow_hash);
- printk(KERN_INFO "ipt_netflow unloaded.\n");
+ printk(KERN_INFO "ipt_NETFLOW unloaded.\n");
}
module_init(ipt_netflow_init);
diff --git a/ipt_NETFLOW.h b/ipt_NETFLOW.h
index 4a7b645..749f985 100644
--- a/ipt_NETFLOW.h
+++ b/ipt_NETFLOW.h
@@ -35,8 +35,8 @@ struct netflow5_record {
__be16 o_ifc;
__be32 nr_packets;
__be32 nr_octets;
- __be32 ts_first;
- __be32 ts_last;
+ __be32 first_ms;
+ __be32 last_ms;
__be16 s_port;
__be16 d_port;
__u8 reserved;
@@ -54,9 +54,9 @@ struct netflow5_record {
struct netflow5_pdu {
__be16 version;
__be16 nr_records;
- __be32 ts_uptime;
- __be32 ts_usecs;
- __be32 ts_unsecs;
+ __be32 ts_uptime; /* ms */
+ __be32 ts_usecs; /* s */
+ __be32 ts_unsecs; /* ns */
__be32 seq;
__u8 eng_type;
__u8 eng_id;
@@ -65,42 +65,185 @@ struct netflow5_pdu {
} __attribute__ ((packed));
#define NETFLOW5_HEADER_SIZE (sizeof(struct netflow5_pdu) - NETFLOW5_RECORDS_MAX * sizeof(struct netflow5_record))
+/* NetFlow v9 RFC http://www.ietf.org/rfc/rfc3954.txt */
+enum {
+ IN_BYTES = 1,
+ IN_PKTS = 2,
+ PROTOCOL = 4,
+ TOS = 5,
+ TCP_FLAGS = 6,
+ L4_SRC_PORT = 7,
+ IPV4_SRC_ADDR = 8,
+ SRC_MASK = 9,
+ INPUT_SNMP = 10,
+ L4_DST_PORT = 11,
+ IPV4_DST_ADDR = 12,
+ DST_MASK = 13,
+ OUTPUT_SNMP = 14,
+ IPV4_NEXT_HOP = 15,
+ //SRC_AS = 16,
+ //DST_AS = 17,
+ //BGP_IPV4_NEXT_HOP = 18,
+ //MUL_DST_PKTS = 19,
+ //MUL_DST_BYTES = 20,
+ LAST_SWITCHED = 21,
+ FIRST_SWITCHED = 22,
+ IPV6_SRC_ADDR = 27,
+ IPV6_DST_ADDR = 28,
+ IPV6_FLOW_LABEL = 31,
+ ICMP_TYPE = 32,
+ MUL_IGMP_TYPE = 33,
+ //TOTAL_BYTES_EXP = 40,
+ //TOTAL_PKTS_EXP = 41,
+ //TOTAL_FLOWS_EXP = 42,
+ IPV6_NEXT_HOP = 62,
+ IPV6_OPTION_HEADERS = 64,
+ commonPropertiesId = 137, /* for MARK */
+ ipv4Options = 208,
+ tcpOptions = 209,
+ postNATSourceIPv4Address = 225,
+ postNATDestinationIPv4Address = 226,
+ postNAPTSourceTransportPort = 227,
+ postNAPTDestinationTransportPort = 228,
+ natEvent = 230,
+ postNATSourceIPv6Address = 281,
+ postNATDestinationIPv6Address = 282,
+ IPSecSPI = 295,
+ observationTimeMilliseconds = 323,
+ observationTimeMicroseconds = 324,
+ observationTimeNanoseconds = 325,
+};
+
+enum {
+ FLOWSET_TEMPLATE = 0,
+ FLOWSET_OPTIONS = 1,
+ IPFIX_TEMPLATE = 2,
+ IPFIX_OPTIONS = 3,
+ FLOWSET_DATA_FIRST = 256,
+};
+
+struct flowset_template {
+ __be16 flowset_id;
+ __be16 length;
+ __be16 template_id;
+ __be16 field_count;
+} __attribute__ ((packed));
+
+struct flowset_data {
+ __be16 flowset_id;
+ __be16 length;
+} __attribute__ ((packed));
+
+/* NetFlow v9 packet. */
+struct netflow9_pdu {
+ __be16 version;
+ __be16 nr_records;
+ __be32 sys_uptime_ms;
+ __be32 export_time_s;
+ __be32 seq;
+ __be32 source_id; /* Exporter Observation Domain */
+ __u8 data[1400];
+} __attribute__ ((packed));
+
+/* IPFIX packet. */
+struct ipfix_pdu {
+ __be16 version;
+ __be16 length;
+ __be32 export_time_s;
+ __be32 seq;
+ __be32 odomain_id; /* Observation Domain ID */
+ __u8 data[1400];
+} __attribute__ ((packed));
+
+/* Maximum bytes flow can have, after it's reached flow will become
+ * not searchable and will be exported soon. */
+#define FLOW_FULL_WATERMARK 0xffefffff
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,25)
+union nf_inet_addr {
+ __be32 ip;
+ __be32 ip6[4];
+ struct in_addr in;
+ struct in6_addr in6;
+};
+#endif
+
/* hashed data which identify unique flow */
+/* 16+16 + 2+2 + 2+1+1+1 = 41 */
struct ipt_netflow_tuple {
- __be32 s_addr; // Network byte order
- __be32 d_addr; // -"-
- __be16 s_port; // -"-
+ union nf_inet_addr src;
+ union nf_inet_addr dst;
+ __be16 s_port; // Network byte order
__be16 d_port; // -"-
- __be16 i_ifc; // Local byte order
+ __u16 i_ifc; // Host byte order
__u8 protocol;
__u8 tos;
+ __u8 l3proto;
};
-/* tuple size is rounded to u32s */
-#define NETFLOW_TUPLE_SIZE (sizeof(struct ipt_netflow_tuple) / 4)
-
-/* maximum bytes flow can have, after it reached flow become not searchable and will be exported soon */
-#define FLOW_FULL_WATERMARK 0xffefffff
-/* flow entry */
+/* hlist[2] + tuple[]: 8+8 + 41 = 57 (less than usual cache line, 64) */
struct ipt_netflow {
struct hlist_node hlist; // hashtable search chain
- struct list_head list; // all flows chain
/* unique per flow data (hashed, NETFLOW_TUPLE_SIZE) */
struct ipt_netflow_tuple tuple;
/* volatile data */
- __be16 o_ifc;
+ union nf_inet_addr nh;
+ __u16 o_ifc;
__u8 s_mask;
__u8 d_mask;
+ __u8 tcp_flags; /* `OR' of all tcp flags */
/* flow statistics */
u_int32_t nr_packets;
u_int32_t nr_bytes;
- unsigned long ts_first;
- unsigned long ts_last;
- __u8 tcp_flags; /* `OR' of all tcp flags */
+ union {
+ struct {
+ unsigned long first;
+ unsigned long last;
+ } ts;
+ ktime_t ts_obs;
+ } _ts_un;
+#define ts_first _ts_un.ts.first
+#define ts_last _ts_un.ts.last
+#define ts_obs _ts_un.ts_obs
+ u_int32_t flow_label; /* IPv6 */
+ u_int32_t options; /* IPv4(16) & IPv6(32) Options */
+ u_int32_t tcpoptions;
+#ifdef CONFIG_NF_CONNTRACK_MARK
+ u_int32_t mark; /* Exported as commonPropertiesId */
+#endif
+#ifdef CONFIG_NF_NAT_NEEDED
+ __be32 s_as;
+ __be32 d_as;
+ struct nat_event *nat;
+#endif
+ struct list_head list; // all flows chain
+ spinlock_t *lock;
+};
+
+#ifdef CONFIG_NF_NAT_NEEDED
+enum {
+ NAT_CREATE, NAT_DESTROY, NAT_POOLEXHAUSTED
};
+struct nat_event {
+ struct list_head list;
+ struct {
+ __be32 s_addr;
+ __be32 d_addr;
+ __be16 s_port;
+ __be16 d_port;
+ } pre, post;
+ ktime_t ts_ktime;
+ unsigned long ts_jiffies;
+ __u8 protocol;
+ __u8 nat_event;
+};
+#define IS_DUMMY_FLOW(nf) (nf->nat)
+#else
+#define IS_DUMMY_FLOW(nf) 0
+#endif
static inline int ipt_netflow_tuple_equal(const struct ipt_netflow_tuple *t1,
const struct ipt_netflow_tuple *t2)
@@ -115,11 +258,13 @@ struct ipt_netflow_sock {
unsigned short port;
atomic_t wmem_peak; // sk_wmem_alloc peak value
atomic_t err_full; // socket filled error
+ atomic_t err_connect; // connect errors
atomic_t err_other; // other socket errors
};
struct netflow_aggr_n {
struct list_head list;
+ atomic_t usage;
__u32 mask;
__u32 addr;
__u32 aggr_mask;
@@ -128,6 +273,7 @@ struct netflow_aggr_n {
struct netflow_aggr_p {
struct list_head list;
+ atomic_t usage;
__u16 port1;
__u16 port2;
__u16 aggr_port;
diff --git a/libipt_NETFLOW.c b/libipt_NETFLOW.c
index d85b6d9..a0f9e5d 100644
--- a/libipt_NETFLOW.c
+++ b/libipt_NETFLOW.c
@@ -58,24 +58,24 @@
#define _IPT_IP struct ipt_ip
#endif
+#ifndef IPTABLES_VERSION
+#define IPTABLES_VERSION XTABLES_VERSION
+#endif
+
static struct option opts[] = {
- {0}
+ { 0 }
};
static void help(void)
{
- printf( "NETFLOW target\n");
+ printf("NETFLOW target\n");
}
-//static int parse(int c, char **argv, int invert, unsigned int *flags,
-// const _IPT_ENTRY *entry,
-// struct ipt_entry_target **target)
static int parse(int c, char **argv, int invert, unsigned int *flags,
const _IPT_ENTRY *entry,
struct ipt_entry_target **targetinfo)
{
-
return 1;
}
@@ -95,16 +95,9 @@ static void print(const _IPT_IP *ip,
}
static struct iptables_target netflow = {
-#ifdef MOD140
- .family = AF_INET,
-#endif
.next = NULL,
.name = "NETFLOW",
-#ifdef XTABLES_VERSION
- .version = XTABLES_VERSION,
-#else
.version = IPTABLES_VERSION,
-#endif
.size = IPT_ALIGN(0),
.userspacesize = IPT_ALIGN(0),
.help = &help,
diff --git a/murmur3.h b/murmur3.h
new file mode 100644
index 0000000..57a6006
--- /dev/null
+++ b/murmur3.h
@@ -0,0 +1,42 @@
+/* MurmurHash3, based on https://code.google.com/p/smhasher of Austin Appleby. */
+
+static __always_inline uint32_t rotl32(const uint32_t x, const int8_t r)
+{
+ return (x << r) | (x >> (32 - r));
+}
+
+static __always_inline uint32_t fmix32(register uint32_t h)
+{
+ h ^= h >> 16;
+ h *= 0x85ebca6b;
+ h ^= h >> 13;
+ h *= 0xc2b2ae35;
+ h ^= h >> 16;
+ return h;
+}
+
+static inline uint32_t murmur3(const void *key, const uint32_t len, const uint32_t seed)
+{
+ const uint32_t c1 = 0xcc9e2d51;
+ const uint32_t c2 = 0x1b873593;
+ const uint32_t *blocks;
+ const uint8_t *tail;
+ register uint32_t h1 = seed;
+ uint32_t k1 = 0;
+ uint32_t i;
+
+ blocks = (const uint32_t *)key;
+ for (i = len / 4; i; --i) {
+ h1 ^= rotl32(*blocks++ * c1, 15) * c2;
+ h1 = rotl32(h1, 13) * 5 + 0xe6546b64;
+ }
+ tail = (const uint8_t*)blocks;
+ switch (len & 3) {
+ case 3: k1 ^= tail[2] << 16;
+ case 2: k1 ^= tail[1] << 8;
+ case 1: k1 ^= tail[0];
+ h1 ^= rotl32(k1 * c1, 15) * c2;
+ }
+ return fmix32(h1^ len);
+}
+
diff --git a/raw_promisc_debian_squeeze6.patch b/raw_promisc_debian_squeeze6.patch
new file mode 100644
index 0000000..69d0d35
--- /dev/null
+++ b/raw_promisc_debian_squeeze6.patch
@@ -0,0 +1,37 @@
+
+ Short manual and patch for Debian Squeeze
+ suggested by Pavel Odintsov:
+
+On Thu, Dec 27, 2012 at 07:46:30PM +0400, Pavel Odintsov wrote:
+>
+> ������� ������ ��� �������� Debian Squeeze ���� ������ promisc.
+>
+> cd /usr/src
+> apt-get install -y dpkg-dev
+> apt-get build-dep linux-image-2.6.32-5-amd64
+> cd linux-2.6-2.6.32/
+> apt-get source linux-image-2.6.32-5-amd64
+>
+> wget .... /root/raw_promisc_debian_squeeze6.patch
+> patch -p1 < raw_promisc_debian_squeeze6.patch
+> ����������� ����� �������:
+> debian/rules source
+>
+> ��������� ������:
+> debian/rules binary
+>
+
+diff -rupN linux-2.6-2.6.32/net/ipv4/ip_input.c linux-2.6-2.6.32_promisc_raw//net/ipv4/ip_input.c
+--- linux-2.6-2.6.32/net/ipv4/ip_input.c 2009-12-03 04:51:21.000000000 +0100
++++ linux-2.6-2.6.32_promisc_raw//net/ipv4/ip_input.c 2012-06-25 19:13:49.000000000 +0200
+@@ -383,8 +383,8 @@ int ip_rcv(struct sk_buff *skb, struct n
+ /* When the interface is in promisc. mode, drop all the crap
+ * that it receives, do not try to analyse it.
+ */
+- if (skb->pkt_type == PACKET_OTHERHOST)
+- goto drop;
++ //if (skb->pkt_type == PACKET_OTHERHOST)
++ // goto drop;
+
+
+ IP_UPD_PO_STATS_BH(dev_net(dev), IPSTATS_MIB_IN, skb->len);