Contributed by jason on from the don't-forget-to-put-the-seat-down-when-you're-done dept.
Henning Brauer (henning@) has just committed a new pseudo-device to OpenBSD-current. The pflow(4) interface exports IP accounting data over UDP that is compatible with NetFlow version 5. Please continue to read Henning's commit message and a brief introduction to pflow(4) usage.
CVSROOT: /cvs Module name: src Changes by: firstname.lastname@example.org 2008/09/09 07:56:39 Modified files: sbin/ifconfig : ifconfig.c sbin/pfctl : parse.y pf_print_state.c pfctl_parser.c sys/conf : files sys/net : if_types.h pf.c pfvar.h sys/sys : sockio.h Added files: share/man/man4 : pflow.4 sys/net : if_pflow.c if_pflow.h Log message: welcome pflow(4), a netflow v5 compatible flow export interface. flows export data gathered from pf states. initial implementation by Joerg Goltermann
, guidance and many changes by me. 'put it in' theo
In typical OpenBSD style, this new pseudo-device works seamlessly with the rest of the networking subsystem. It behaves similarly to other virtual networking devices in that you manage it with ifconfig(8) and can even use tcpdump(8) on the interface to monitor flow exports. Setting it up is very simple:
$ sudo ifconfig pflow0 create $ sudo ifconfig pflow0 flowsrc 10.0.0.200 flowdst 10.0.0.1:1234 $ ifconfig pflow0 pflow0: flags=41
mtu 1464 pflow: sender: 10.0.0.200 receiver: 10.0.0.1:1234 groups: pflow
Flows are tracked using the state-tracking capabilities in pf(4). States that are marked with the pflow state-opts keyword will be exported by the pflow interface once the state is expired from the session table. Here is a sample pf filter rule that enables flow accounting for outbound ICMP traffic:
pass out inet proto icmp keep state (pflow)
Once the ruleset is loaded, pfctl(8) will report which states are being tracked for pflow exports:
$ sudo pfctl -vss | grep -B2 pflow | head -3 all tcp 10.0.0.200:38336 -> 184.108.40.206:22 ESTABLISHED:ESTABLISHED [3825225521 + 17376] wscale 0 [3569953586 + 16384] wscale 0 age 00:32:58, expires in 23:59:57, 888:894 pkts, 75601:180313 bytes, pflow
This is a very useful feature for IP accounting and can even be handy for network troubleshooting. It effectively replaces the userland pfflowd daemon (net/pfflowd) created by Damien Miller (djm@), although we would still need a collector to receive the exports. Fortunately, Damien also created flowd (net/flowd), a secure NetFlow collector, and the perfect complement to pflow(4).
As a self-described network geek, I'm thrilled by this new addition to OpenBSD. Joerg Goltermann created the initial implementation of this feature, while Henning refined it for the initial import. I expect additional enhancements to pflow(4) as it stabilizes in the tree from testing and daily use. Although this won't be included with OpenBSD 4.4, buying a pre-order would be a great way to show our appreciation for this type of work!
(Comments are closed)