Date:      Fri, 2 Mar 2018 15:17:43 +0000 (UTC)
From:      Emmanuel Vadot <manu@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r330280 - in stable/11: etc/defaults etc/rc.d share/man/man5
Message-ID:  <201803021517.w22FHhSH046413@repo.freebsd.org>

Author: manu
Date: Fri Mar  2 15:17:42 2018
New Revision: 330280
URL: https://svnweb.freebsd.org/changeset/base/330280

Log:
  MFC r320943-r320944, r321008, r321072, r321128
  
  r320943:
  Add ipfw_status command to etc/rc.d/ipfw
  
  This is helpful when using service/conf management tools.
  
  Sonsored-By:	Gandi.net
  
  r320944:
  Add an rc.d script to setup a netflow export via ng_netflow
  The default is to export netflow data on localhost on the netflow port.
  ngtee is used to have the lowest overhead possible.
  The ipfw ng hook is the netflow port (it can only be numeric)
  Default is netflow version 5.
  
  Sponsored-By:   Gandi.net
  Reviewed by:	bapt (earlier version), olivier (earlier version)
  
  r321008:
  etc/rc.d: Only install ipfw_netflow if MK_IPFW and MK_NETGRAPH are defined
  
  While here only install ipfw rc script if MK_IPFW is defined.
  
  Reported by:	ngie
  
  r321072:
  ipfw_netflow: add +ipfw_netflow_enable="NO" to defaults/rc.conf and document
  usage in rc.conf(5)
  
  Reported by:	markj
  Sponsored by:	Gandi.net
  
  r321128:
  ipfw_netflow: Add support for FIB
  
  If ipfw_netflow_fib, the ipfw rule will only match packets in that FIB.
  
  While here correct some value in rc.conf(5) to be int and not str.
  
  Sponsored by:	Gandi.net

Added:
  stable/11/etc/rc.d/ipfw_netflow
     - copied, changed from r320944, head/etc/rc.d/ipfw_netflow
Modified:
  stable/11/etc/defaults/rc.conf
  stable/11/etc/rc.d/Makefile
  stable/11/etc/rc.d/ipfw
  stable/11/share/man/man5/rc.conf.5
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/etc/defaults/rc.conf
==============================================================================
--- stable/11/etc/defaults/rc.conf	Fri Mar  2 15:12:18 2018	(r330279)
+++ stable/11/etc/defaults/rc.conf	Fri Mar  2 15:17:42 2018	(r330280)
@@ -167,6 +167,7 @@ firewall_nat_enable="NO"	# Enable kernel NAT (if firew
 firewall_nat_interface=""	# Public interface or IPaddress to use
 firewall_nat_flags=""		# Additional configuration parameters
 dummynet_enable="NO"		# Load the dummynet(4) module
+ipfw_netflow_enable="NO"	# Enable netflow logging via ng_netflow
 ip_portrange_first="NO"		# Set first dynamically allocated port
 ip_portrange_last="NO"		# Set last dynamically allocated port
 ike_enable="NO"			# Enable IKE daemon (usually racoon or isakmpd)

Modified: stable/11/etc/rc.d/Makefile
==============================================================================
--- stable/11/etc/rc.d/Makefile	Fri Mar  2 15:12:18 2018	(r330279)
+++ stable/11/etc/rc.d/Makefile	Fri Mar  2 15:17:42 2018	(r330280)
@@ -47,7 +47,6 @@ FILES=	DAEMON \
 	ip6addrctl \
 	ipfilter \
 	ipfs \
-	ipfw \
 	ipmon \
 	ipnat \
 	ipsec \
@@ -212,6 +211,13 @@ HASTPACKAGE=	hast
 
 .if ${MK_INETD} != "no"
 FILES+=		inetd
+.endif
+
+.if ${MK_IPFW} != "no"
+FILES+=		ipfw
+.if ${MK_NETGRAPH} != "no"
+FILES+=		ipfw_netflow
+.endif
 .endif
 
 .if ${MK_ISCSI} != "no"

Modified: stable/11/etc/rc.d/ipfw
==============================================================================
--- stable/11/etc/rc.d/ipfw	Fri Mar  2 15:12:18 2018	(r330279)
+++ stable/11/etc/rc.d/ipfw	Fri Mar  2 15:17:42 2018	(r330280)
@@ -17,7 +17,9 @@ start_cmd="ipfw_start"
 start_precmd="ipfw_prestart"
 start_postcmd="ipfw_poststart"
 stop_cmd="ipfw_stop"
+status_cmd="ipfw_status"
 required_modules="ipfw"
+extra_commands="status"
 
 set_rcvar_obsolete ipv6_firewall_enable
 
@@ -107,6 +109,18 @@ ipfw_stop()
 			${_coscript} quietstop
 		fi
 	done
+}
+
+ipfw_status()
+{
+    status=$(sysctl -n net.inet.ip.fw.enable)
+    if [ ${status} -eq 0 ]; then
+	echo "ipfw is not enabled"
+	exit 1
+    else
+	echo "ipfw is enabled"
+	exit 0
+    fi
 }
 
 load_rc_config $name
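Review bot: ipfw_status() reports the firewall as enabled when the sysctl cannot be read: if net.inet.ip.fw.enable is absent (ipfw module not loaded — as far as I can tell required_modules is only honoured for `start`, not `status`), `status` is empty, `[ ${status} -eq 0 ]` fails with a test error rather than being false, and the else branch prints "ipfw is enabled" and exits 0. Quoting the expansion and defaulting it fixes this: `status=$(sysctl -n net.inet.ip.fw.enable 2>/dev/null)` and `if [ "${status:-0}" -eq 0 ]; then`, so a missing module is reported as not enabled. Two minor style points on the same function: it mixes four-space and tab indentation while the surrounding file uses tabs, and calling `exit` inside a *_cmd function bypasses the rest of run_rc_command where `return 1` / `return 0` would give the same exit status. The body of ipfw_stop() begins before this hunk.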

Copied and modified: stable/11/etc/rc.d/ipfw_netflow (from r320944, head/etc/rc.d/ipfw_netflow)
==============================================================================
--- head/etc/rc.d/ipfw_netflow	Thu Jul 13 13:40:18 2017	(r320944, copy source)
+++ stable/11/etc/rc.d/ipfw_netflow	Fri Mar  2 15:17:42 2018	(r330280)
@@ -54,7 +54,7 @@ ipfw_netflow_status()
 ipfw_netflow_start()
 {
 	ipfw_netflow_is_running && err 1 "ipfw_netflow is already active"
-	ipfw add ${ipfw_netflow_rule} ngtee ${ipfw_netflow_hook} ip from any to any
+	ipfw add ${ipfw_netflow_rule} ngtee ${ipfw_netflow_hook} ip from any to any ${ipfw_netflow_fib:+fib ${ipfw_netflow_fib}}
 	ngctl -f - <<-EOF
 	mkpeer ipfw: netflow ${ipfw_netflow_hook} iface0
 	name ipfw:${ipfw_netflow_hook} netflow
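Review bot: The new `${ipfw_netflow_fib:+fib ${ipfw_netflow_fib}}` fragment passes an rc.conf value straight into the ipfw rule without checking that it is a FIB number, and the exit status of `ipfw add` is not examined before the ngctl heredoc runs, so a rejected rule still leaves the ng_netflow nodes created with no traffic being teed to them. A one-line guard before the add, `case "${ipfw_netflow_fib}" in *[!0-9]*) err 1 "ipfw_netflow_fib must be a FIB number";; esac`, keeps the empty/unset case working while refusing anything non-numeric, and appending `|| err 1 "failed to add ipfw_netflow rule"` to the `ipfw add` line stops the script on failure. The same lack of validation applies to ipfw_netflow_rule and ipfw_netflow_hook on that line, though those are not introduced by this change. ipfw_netflow_start() continues past the end of the hunk.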

Modified: stable/11/share/man/man5/rc.conf.5
==============================================================================
--- stable/11/share/man/man5/rc.conf.5	Fri Mar  2 15:12:18 2018	(r330279)
+++ stable/11/share/man/man5/rc.conf.5	Fri Mar  2 15:17:42 2018	(r330280)
@@ -594,6 +594,44 @@ module if
 is also set to
 .Dq Li YES .
 .\" -------------------------------------------------------------------
+.It Va ipfw_netflow_enable
+.Pq Vt bool
+Setting this to
+.Dq Li YES
+will enable netflow logging via
+.Xr ng_netflow 4
+.Pp
+By default a ipfw rule is inserted and all packets are duplicated with
+the ngtee command and netflow packets are sent to 127.0.0.1 on the netflow
+port using protocol version 5.
+.It Va ipfw_netflow_hook
+.Pq Vt int
+netflow hook name, must be numerical
+(default
+.Pa 9995 ) .
+.It Va ipfw_netflow_rule
+.Pq Vt int
+ipfw rule number
+(default
+.Pa 1000 ) .
+.It Va ipfw_netflow_ip
+.Pq Vt str
+Destination server ip for receiving netflow data
+(default
+.Pa 127.0.0.1 ) .
+.It Va ipfw_netflow_port
+.Pq Vt int
+Destination server port for receiving netflow data
+(default
+.Pa 9995 ) .
+.It Va ipfw_netflow_version
+.Pq Vt int
+Do not set for using version 5 of the netflow protocol, set it to 9 for using version 9.
+.It Va ipfw_netflow_fib
+.Pq Vt int
+Only match packet in FIB
+.Pa ipfw_netflow_fib
+(default is undefined meaning all FIBs).
 .It Va natd_program
 .Pq Vt str
 Path to


