svn commit: r320944 - head/etc/rc.d

[Emmanuel Vadot]

Author: manu
Date: Thu Jul 13 13:40:18 2017
New Revision: 320944
URL: https://svnweb.freebsd.org/changeset/base/320944

Log:
  Add an rc.d script to setup a netflow export via ng_netflow
  The default is to export netflow data on localhost on the netflow port.
  ngtee is used to have the lowest overhead possible.
  The ipfw ng hook is the netflow port (it can only be numeric)
  Default is netflow version 5.
  
  Sponsored-By:   Gandi.net
  Reviewed by:  bapt (earlier version), olivier (earlier version)

Added:
  head/etc/rc.d/ipfw_netflow   (contents, props changed)

Added: head/etc/rc.d/ipfw_netflow
==============================================================================
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/etc/rc.d/ipfw_netflow  Thu Jul 13 13:40:18 2017        (r320944)
@@ -0,0 +1,77 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: ipfw_netflow
+# REQUIRE: ipfw
+# KEYWORD: nojailvnet
+
+. /etc/rc.subr
+. /etc/network.subr
+
+name="ipfw_netflow"
+desc="firewall, ipfw, netflow"
+rcvar="${name}_enable"
+start_cmd="${name}_start"
+stop_cmd="${name}_stop"
+start_precmd="${name}_test"
+status_cmd="${name}_status"
+required_modules="ipfw ng_netflow ng_ipfw"
+extra_commands="status"
+
+: ${ipfw_netflow_hook:=9995}
+: ${ipfw_netflow_rule:=01000}
+: ${ipfw_netflow_ip:=127.0.0.1}
+: ${ipfw_netflow_port:=9995}
+: ${ipfw_netflow_version:=}
+
+ipfw_netflow_test()
+{
+    if [ "${ipfw_netflow_version}" != "" ] && [ "${ipfw_netflow_version}" != 9 
]; then
+       err 1 "Unknown netflow version \'${ipfw_netflow_version}\'"
+    fi
+    case "${ipfw_netflow_hook}" in
+       [!0-9]*)
+           err 1 "Bad value \"${ipfw_netflow_hook}\": Hook must be numerical"
+    esac
+    case "${ipfw_netflow_rule}" in
+       [!0-9]*)
+           err 1 "Bad value \"${ipfw_netflow_rule}\": Rule number must be 
numerical"
+    esac
+}
+
+ipfw_netflow_is_running()
+{
+       ngctl show netflow: > /dev/null 2>&1 && return 0 || return 1
+}
+
+ipfw_netflow_status()
+{
+       ipfw_netflow_is_running && echo "ipfw_netflow is active" || echo 
"ipfw_netflow is not active"
+}
+
+ipfw_netflow_start()
+{
+       ipfw_netflow_is_running && err 1 "ipfw_netflow is already active"
+       ipfw add ${ipfw_netflow_rule} ngtee ${ipfw_netflow_hook} ip from any to 
any
+       ngctl -f - <<-EOF
+       mkpeer ipfw: netflow ${ipfw_netflow_hook} iface0
+       name ipfw:${ipfw_netflow_hook} netflow
+       mkpeer netflow: ksocket export${ipfw_netflow_version} inet/dgram/udp
+       msg netflow: setdlt {iface=0 dlt=12}
+       name netflow:export${ipfw_netflow_version} netflow_export
+       msg netflow:export${ipfw_netflow_version} connect 
inet/${ipfw_netflow_ip}:${ipfw_netflow_port}
+EOF
+}
+
+ipfw_netflow_stop()
+{
+    ipfw_netflow_is_running || err 1 "ipfw_netflow is not active"
+    ngctl shutdown netflow:
+    ipfw delete ${ipfw_netflow_rule}
+}
+
+load_rc_config $name
+
+run_rc_command $*
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"