
add export netflow nel format
Open, Low | Public | FEATURE REQUEST

Description

Allow VyOS to export flows in nsel* format, used to record NAT translations.
NEL is a format supported by pmacct since version 1.5.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible

Event Timeline

elbuit created this task. Nov 29 2019, 6:44 PM
elbuit renamed this task from add export netflof nsel format to add export netflow nel format. Nov 29 2019, 11:26 PM
elbuit updated the task description.
c-po triaged this task as Low priority. Nov 30 2019, 9:24 AM
c-po edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
c-po added a subscriber: c-po.

This should be done when rewriting the whole flow-accounting portion.

pasik added a subscriber: pasik. Nov 30 2019, 10:25 AM
elbuit claimed this task. Edited Nov 30 2019, 12:55 PM

Yes, I know that the best way to do it is a Python rewrite from Perl. I love Perl :-(

I'll take a look.

PS: I'm struggling to create an XML from the node.def skeleton.

Found:
templates/system/flow-accounting/sflow/server/node.tag/
doesn't have node.def and importer script needs that.

zsdc added a subscriber: zsdc. Dec 17 2019, 6:24 PM

Hello, @elbuit!
We are almost ready to release the rewritten flow-accounting, and maybe we will be able to include your request in it. Can you describe in more detail exactly which records you want to have? It would be good to see an example pmacct configuration for your case.

elbuit added a comment. Edited Dec 17 2019, 7:46 PM

Hello @zsdc
I was also porting the old-style Vyatta to a new one.
I've ported the interface XML definition and almost finished the conf Python script.

You can find them here:
https://github.com/elbuit/vyos-ports

You can find an example of what the NEL format looks like in https://github.com/pmacct/pmacct/blob/master/QUICKSTART chapter XXI:

traffic:
aggregate[traffic]: src_host, dst_host, peer_src_ip, peer_dst_ip, in_iface, out_iface, timestamp_start, timestamp_end, src_port, dst_port, proto, tos, src_mask, dst_mask, src_as, dst_as, tcpflags
nat:
aggregate[nat]: src_host, post_nat_src_host, src_port, post_nat_src_port, proto, nat_event, timestamp_start

Basically it adds post_nat_src_host and post_nat_src_port to the standard flow export.
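An added example, not part of the original comment and not VyOS or pmacct code: how records carrying the aggregate[nat] fields above let an investigator map a public address and port seen at a given time back to the internal source, including the case where a translated port is reused. The record layout (dicts keyed by the primitive names), the timestamp format and the sample values are constructed assumptions; the nat_event codes follow the IANA IPFIX natEvent registry (1 = create, 2 = delete).

```python
from datetime import datetime

CREATE, DELETE = 1, 2  # IANA IPFIX natEvent: translation create / translation delete

# Constructed sample records (not real pmacct output); keys are the aggregate[nat] primitives.
NAT_RECORDS = [
    {"src_host": "10.0.0.5", "post_nat_src_host": "203.0.113.1", "src_port": 51000,
     "post_nat_src_port": 40001, "proto": "tcp", "nat_event": CREATE,
     "timestamp_start": "2019-12-17 10:00:00"},
    {"src_host": "10.0.0.5", "post_nat_src_host": "203.0.113.1", "src_port": 51000,
     "post_nat_src_port": 40001, "proto": "tcp", "nat_event": DELETE,
     "timestamp_start": "2019-12-17 10:05:00"},
    # The same public port is handed to a different internal host one minute later.
    {"src_host": "10.0.0.9", "post_nat_src_host": "203.0.113.1", "src_port": 52000,
     "post_nat_src_port": 40001, "proto": "tcp", "nat_event": CREATE,
     "timestamp_start": "2019-12-17 10:06:00"},
]


def parse_ts(text):
    """Parse the constructed 'YYYY-MM-DD HH:MM:SS' timestamp format."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def internal_source(records, public_ip, public_port, proto, when):
    """Return (src_host, src_port) that owned public_ip:public_port at `when`, else None."""
    at = parse_ts(when)
    owner = None
    # Replay events in time order so a later reuse of the port overrides an earlier owner.
    for rec in sorted(records, key=lambda r: parse_ts(r["timestamp_start"])):
        if parse_ts(rec["timestamp_start"]) > at:
            break
        key = (rec["post_nat_src_host"], rec["post_nat_src_port"], rec["proto"])
        if key != (public_ip, public_port, proto):
            continue
        if rec["nat_event"] == CREATE:
            owner = (rec["src_host"], rec["src_port"])
        elif rec["nat_event"] == DELETE:
            owner = None  # translation torn down: nobody owns the port until the next create
    return owner


if __name__ == "__main__":
    for t in ("2019-12-17 10:03:00", "2019-12-17 10:05:30", "2019-12-17 10:07:00"):
        print(t, internal_source(NAT_RECORDS, "203.0.113.1", 40001, "tcp", t))
```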

zsdc added a comment. Dec 18 2019, 4:58 PM

Hello, @elbuit!
As far as I can see, NAT events can be recorded only by nfacctd, and therefore this is not possible with the current way of capturing traffic (by NFLOG + uacctd). Correct me if I have missed something, please.

Hello @zsdc
I haven't tested it.

I didn't find anywhere that it doesn't work with NFLOG+uacctd,
but I'll create a lab with GNS3 to test if it doesn't work.
Perhaps it depends on the "hook" in iptables/nftables chain.
Give me some days to test it ;-)