From eef695dd0c16ec018e725a801099a907ade0cd68 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Fri, 15 Apr 2016 14:39:47 +0200
Subject: [PATCH] (netflow) add egress_only option to ui and netflow setup script.

for most downstream interfaces it's a good idea to inspect both traffic going to the firewall (proxy usage for example) as going through it, for wan type interfaces however you don't want to count the traffic going to local for nat processing (no ingress).
---
src/etc/rc.d/netflow | 14 ++++++++++++--
.../OPNsense/Diagnostics/forms/netflow_capture.xml | 8 ++++++++
.../app/models/OPNsense/Diagnostics/Netflow.xml | 8 ++++++++
.../templates/OPNsense/Netflow/netflow.conf | 5 +++++
4 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/src/etc/rc.d/netflow b/src/etc/rc.d/netflow
index bfddedd2e..7eb466788 100755
--- a/src/etc/rc.d/netflow
+++ b/src/etc/rc.d/netflow
@@ -40,6 +40,7 @@ status_cmd="${name}_status"
 extra_commands="status"
 
 [ -z "$netflow_enable" ] && netflow_enable="NO"
+[ -z "$netflow_egress_only" ] && netflow_egress_only=""
 
 # setup_interface (interface)
 # - use netgraph + ng_netflow in combination with samplicate to record netflow data and send it to multiple locations
@@ -58,7 +59,16 @@ setup_interface()
 echo "error : interface $interface not found"
 return
 fi
- echo "setup $interface"
+ # disable ingress (traffic to this host) for selected interfaces
+ # avoids counting traffic going through this firewall double when using nat
+ if [ ! -z "`echo " $netflow_egress_only " | grep " $interface "`" ]; then
+ conf="10"
+ echo "setup $interface [egress only]"
+ else
+ conf="11"
+ echo "setup $interface"
+ fi;
+ # make sure netgraph is attached
 /usr/local/sbin/ngattach $interface
 # remove earlier setup (if any)
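Review bot: The membership test added in setup_interface, `if [ ! -z "`echo " $netflow_egress_only " | grep " $interface "`" ]; then`, forks echo and grep for every interface and hands `$interface` to grep as a regular expression rather than a literal name; a parameter expansion does the same space-delimited lookup in the shell itself, `padded=" $netflow_egress_only "` followed by `if [ "${padded#* $interface }" != "$padded" ]; then`. The two `conf=` assignments are bare ng_netflow setconfig bitmask values, so a comment above the `if` would save the next reader a trip to the man page: `# ng_netflow(4) setconfig conf bits: 1=ingress, 2=egress, 8=this-once; 11 = both directions, 10 = egress only`. The trailing `;` on `fi;` is harmless but unusual in this file and can be dropped. setup_interface begins before this hunk and continues after it, including the ngctl block that consumes `$conf`.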
@@ -69,7 +79,7 @@ setup_interface()
 name $interface:lower netflow_$interface
 connect $interface: netflow_$interface: upper out$ifIndex
 mkpeer netflow_$interface: ksocket export$nfversion inet/dgram/udp
- msg netflow_$interface: setconfig {iface=$ifIndex conf=11}
+ msg netflow_$interface: setconfig {iface=$ifIndex conf=$conf}
 msg netflow_$interface:export$nfversion connect inet/$netflow_int_destination
 SEQ
 }
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Diagnostics/forms/netflow_capture.xml b/src/opnsense/mvc/app/controllers/OPNsense/Diagnostics/forms/netflow_capture.xml
index 9bd210491..c52fc5421 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Diagnostics/forms/netflow_capture.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Diagnostics/forms/netflow_capture.xml
@@ -7,6 +7,14 @@ Type or select interface. + + netflow.capture.egress_only + + select_multiple + + + Type or select interface. + netflow.collect.enable
diff --git a/src/opnsense/mvc/app/models/OPNsense/Diagnostics/Netflow.xml b/src/opnsense/mvc/app/models/OPNsense/Diagnostics/Netflow.xml
index d32454ae7..886f97c2a 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Diagnostics/Netflow.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Diagnostics/Netflow.xml
@@ -13,6 +13,14 @@ /^(?!0).*$/ + + N + wan + Y + + /^(?!0).*$/ + + Y v9
diff --git a/src/opnsense/service/templates/OPNsense/Netflow/netflow.conf b/src/opnsense/service/templates/OPNsense/Netflow/netflow.conf
index f6c36a40a..f9d70b315 100644
--- a/src/opnsense/service/templates/OPNsense/Netflow/netflow.conf
+++ b/src/opnsense/service/templates/OPNsense/Netflow/netflow.conf
@@ -11,6 +11,11 @@ OPNsense.Netflow.capture.targets.strip()
 %}
 netflow_interfaces="{% for interface in OPNsense.Netflow.capture.interfaces.split(',')
+%}{{
+ physical_interface(interface)
+}} {%
+ endfor%}"
+netflow_egress_only="{% for interface in OPNsense.Netflow.capture.egress_only.split(',')
 %}{{
 physical_interface(interface)
 }} {%
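Review bot: The help text added for the new `netflow.capture.egress_only` field, `Type or select interface.`, is copied from the interfaces field directly above it and does not tell the operator what selecting an interface here changes; the commit message explains the intent far better than the form does. A help string along the lines of `Interfaces on which only outgoing (egress) traffic is recorded; select WAN type interfaces here so traffic that is also seen on the inside interface is not counted twice.` would carry that into the UI. The XML element names were lost in this rendering, so which element holds the help text is inferred from the matching text on the previous field.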
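Review bot: The new `netflow_egress_only` loop iterates `OPNsense.Netflow.capture.egress_only.split(',')`, and when that setting is left empty `split` yields a single empty string, so `physical_interface('')` is evaluated and whatever it returns lands in the sourced rc variable; the existing `netflow_interfaces` loop has the same shape but that field looks to be mandatory, while the rendered model hunk suggests egress_only may not be (the tags were stripped, so this is inferred). Filtering empty entries in the loop header avoids the question: `netflow_egress_only="{% for interface in OPNsense.Netflow.capture.egress_only.split(',') if interface`. The closing `endfor%}"` of this loop is the last line of the file section and sits outside the hunk.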