From owner-freebsd-net@FreeBSD.ORG Sat Sep 29 09:30:14 2007
From: wel@skm.net.ua
To: freebsd-net@freebsd.org
Date: Sat, 29 Sep 2007 12:27:45 +0300
Subject: Re: ng_nat+ng_netflow+mpd4 - ?
Message-Id: <1191058065.10918.16.camel@localhost>
In-Reply-To: <20070928120019.3F59616A4C8@hub.freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

On Fri, 28/09/2007 at 08:12 +0300, Alexander Motin wrote:
> wel@skm.net.ua wrote:
> > I want to count ALL traffic passing through my gateway, but tools such as
> > softflowd I don't want to use because there is already ng_netflow and I
> > want to use nat from netgraph, may I :)?
>
> > options NETGRAPH
> ...
> > options NETGRAPH_TCPMSS
>
> You do not need to build it statically. All of them can be loaded as
> modules.

ok

> > flow-capture + ng_netflow + this script is working fine
> > #ngctl -f /ng_netflow
> > #cat /ng_netflow
> > mkpeer rl1: tee lower left
> > name rl1:lower tee0
> > connect rl1: rl1:lower upper right
> > mkpeer tee0: one2many left2right many0
> > name tee0:left2right one2many0
> > connect tee0: one2many0: right2left many1
> > mkpeer one2many0: netflow one iface0
> > name one2many0:one netflow
> > mkpeer netflow: ksocket export inet/dgram/udp
> > msg netflow: setifindex { iface=0 index=2 }
> > msg netflow:export connect inet/127.0.0.1:2222
>
> It looks overcomplicated to me. There is no need to use tee and one2many
> there as ng_netflow supports passing traffic via it and supports
> multiple interfaces. It can be connected just to the interface
> upper/lower hooks. If you REALLY wish to count both directions on ALL
> interfaces (and have double traffic accounting) you could connect
> netflow node twice in different directions.

I used the example. Can you help me build a script to run ng_nat+ng_netflow?

> > /sbin/ipfw add 110 ngtee 30 ip from any to any out via ng*
> > /sbin/ipfw add 111 ngtee 30 ip from any to any in via ng*
>
> If you are using mpd4 to operate ng interfaces then you can just use
> its internal ng_netflow support.
>
> > /sbin/ipfw add 200 netgraph 71 all from not $LOCAL_NET to
> > $EXT_IP out via rl1
> > /sbin/ipfw add 201 netgraph 70 all from $LOCAL_NET to not
> > $LOCAL_NET in via rl1
>
> Recheck twice IP in those rules. What you mean by them?

When I read man ng_nat there is an example; I used it to build the script.
Here is my network:

ISP network (192.168.128.0) <<- gateway to the Internet (192.168.100.1) --- 192.168.100.99 | FreeBSD 6.2 | 10.11.2.1 ->> local network 10.11.2.0/24

I used it to build ng_nat only:

# cat /usr/local/etc/rc.d/ng_nat.sh
#!/bin/sh
ngctl="/usr/sbin/ngctl "
ipfw="/sbin/ipfw "
ifconfig="/sbin/ifconfig "
tcpdump="/usr/sbin/tcpdump"
nat_ip="192.168.100.99"
$ngctl mkpeer ipfw: nat 60 out
$ngctl name ipfw:60 nat
$ngctl connect ipfw: nat: 61 in
$ngctl msg nat: setaliasaddr $nat_ip
$ipfw add 10 skipto 65400 ip from 192.168.100.1 to me
$ipfw add 300 netgraph 61 all from any to me in via rl1
$ipfw add 400 netgraph 60 all from 10.11.2.0/24 to not me out via rl1
$ipfw add 500 fwd 192.168.100.1 all from me to any
$ipfw delete 10
sleep 60
$ngctl list > /ng_nat/ngctllist
$ipfw show > /ng_nat/ipfwshow
$ifconfig > /ng_nat/ifconfig
$ipfw -f flush

# pfctl -d
pfctl: pf not enabled

# cat /ng_nat/ngctllist   (output of "ngctl list")
There are 5 total nodes:
  Name: ngctl1095       Type: socket          ID: 00000009   Num hooks: 0
  Name: nat             Type: nat             ID: 00000005   Num hooks: 2
  Name: ipfw            Type: ipfw            ID: 00000003   Num hooks: 2
  Name: rl1             Type: ether           ID: 00000002   Num hooks: 0
  Name: rl0             Type: ether           ID: 00000001   Num hooks: 0

# cat /ng_nat/ipfwshow   (output of "ipfw show")
00300   202   12523 netgraph 61 ip from any to me in via rl1
00400   161    8057 netgraph 60 ip from 10.11.2.0/24 to not me out via rl1
00500   174    8963 fwd 192.168.100.1 ip from me to any
65400   504   26548 allow ip from any to any
65535     2      56 allow ip from any to any

# cat /ng_nat/ifconfig   (output of "ifconfig")
rl0: flags=8843 mtu 1500
        options=8
        inet 10.11.2.1 netmask 0xffffff00 broadcast 10.11.2.255
        ether 00:a1:b0:01:05:71
        media: Ethernet autoselect (100baseTX)
        status: active
rl1: flags=8843 mtu 1500
        options=8
        inet 192.168.100.99 netmask 0xffffff00 broadcast 192.168.100.255
        ether 00:01:29:76:0f:cd
        media: Ethernet autoselect (100baseTX)
        status: active
plip0: flags=108810 mtu 1500
pfsync0: flags=0<> mtu 2020
        syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=0<> mtu 33208
lo0: flags=8049 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000

I ran tcpdump on 192.168.100.1 (the gateway to the Internet and the other network) while the script was running:

# tcpdump -i eth1 -f
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
22:30:22.430329 arp who-has 192.168.100.1 tell 192.168.100.99
22:30:22.438397 arp reply 192.168.100.1 is-at 00:30:4f:25:7a:b1 (oui Unknown)
22:30:22.430367 IP 10.11.2.3 > 192.168.100.1: ICMP echo request, id 512, seq 44033, length 40
22:30:22.931140 IP 10.11.2.3 > 192.168.128.2: ICMP echo request, id 512, seq 44289, length 40
22:30:23.381425 IP 192.168.100.99.59543 > 10.11.25.1.domain: 54371 notify [b2&3=0x2400] [1a] SOA? 25.11.10.in-addr.arpa. (95)
22:30:23.438366 IP 10.11.25.1.domain > 192.168.100.99.59543: 54371 notify* 0/0/0 (39)
22:30:23.881984 IP 192.168.100.99.59543 > 10.11.25.1.domain: 38578 notify [b2&3=0x2400] [1a] SOA? skyhome. (74)
22:30:24.181110 IP 10.11.25.1.domain > 192.168.100.99.59543: 38578 notify* 0/0/0 (25)
22:30:27.930042 IP 192.168.100.99 > 192.168.100.1: ICMP echo request, id 512, seq 45825, length 40
22:30:27.930128 IP 192.168.100.1 > 192.168.100.99: ICMP echo reply, id 512, seq 45825, length 40
22:30:28.430049 IP 10.11.2.1 > 10.11.2.3: ICMP echo reply, id 512, seq 46337, length 40
22:30:28.430123 IP 192.168.100.99 > 192.168.128.2: ICMP echo request, id 512, seq 46081, length 40
22:30:28.430921 IP 192.168.128.2 > 192.168.100.99: ICMP echo reply, id 512, seq 46081, length 40
22:30:28.436810 arp who-has 192.168.100.99 tell 192.168.100.1
22:30:28.436913 arp reply 192.168.100.99 is-at 00:01:29:76:0f:cd (oui Unknown)
22:30:33.429858 IP 192.168.100.99 > 192.168.100.1: ICMP echo request, id 512, seq 46593, length 40
22:30:33.429945 IP 192.168.100.1 > 192.168.100.99: ICMP echo reply, id 512, seq 46593, length 40
22:30:33.929773 IP 10.11.2.1 > 10.11.2.3: ICMP echo reply, id 512, seq 46849, length 40
22:30:33.929850 IP 192.168.100.99 > 192.168.128.2: ICMP echo request, id 512, seq 47105, length 40
22:30:33.930216 IP 192.168.128.2 > 192.168.100.99: ICMP echo reply, id 512, seq 47105, length 40
22:30:38.929631 IP 192.168.100.99 > 192.168.100.1: ICMP echo request, id 512, seq 47361, length 40
22:30:38.929698 IP 192.168.100.1 > 192.168.100.99: ICMP echo reply, id 512, seq 47361, length 40
22:30:39.429559 IP 10.11.2.1 > 10.11.2.3: ICMP echo reply, id 512, seq 47617, length 40
22:30:39.429672 IP 192.168.100.99 > 192.168.128.2: ICMP echo request, id 512, seq 47873, length 40
22:30:44.429404 IP 192.168.100.99 > 192.168.100.1: ICMP echo request, id 512, seq 48129, length 40
22:30:44.429475 IP 192.168.100.1 > 192.168.100.99: ICMP echo reply, id 512, seq 48129, length 40
22:30:44.929344 IP 10.11.2.1 > 10.11.2.3: ICMP echo reply, id 512, seq 48385, length 40
22:30:44.929468 IP 192.168.100.99 > 192.168.128.2: ICMP echo request, id 512, seq 48641, length 40
22:30:44.929880 IP 192.168.128.2 > 192.168.100.99: ICMP echo reply, id 512, seq 48641, length 40
22:30:49.929176 IP 192.168.100.99 > 192.168.100.1: ICMP echo request, id 512, seq 48897, length 40
22:30:49.929246 IP 192.168.100.1 > 192.168.100.99: ICMP echo reply, id 512, seq 48897, length 40
22:30:50.429144 IP 10.11.2.1 > 10.11.2.3: ICMP echo reply, id 512, seq 49153, length 40
22:30:50.429266 IP 192.168.100.99 > 192.168.128.2: ICMP echo request, id 512, seq 49409, length 40
22:30:50.494074 IP 192.168.128.2 > 192.168.100.99: ICMP echo reply, id 512, seq 49409, length 40
22:30:55.428970 IP 192.168.100.99 > 192.168.100.1: ICMP echo request, id 512, seq 49665, length 40
22:30:55.429060 IP 192.168.100.1 > 192.168.100.99: ICMP echo reply, id 512, seq 49665, length 40
22:30:55.928922 IP 10.11.2.1 > 10.11.2.3: ICMP echo reply, id 512, seq 49921, length 40
22:30:55.928996 IP 192.168.100.99 > 192.168.128.2: ICMP echo request, id 512, seq 50177, length 40
22:30:55.929427 IP 192.168.128.2 > 192.168.100.99: ICMP echo reply, id 512, seq 50177, length 40
22:31:00.427013 arp who-has 192.168.100.99 tell 192.168.100.1
22:31:00.427151 arp reply 192.168.100.99 is-at 00:01:29:76:0f:cd (oui Unknown)
22:31:00.928744 IP 192.168.100.99 > 192.168.100.1: ICMP echo request, id 512, seq 50433, length 40
22:31:00.928814 IP 192.168.100.1 > 192.168.100.99: ICMP echo reply, id 512, seq 50433, length 40
22:31:01.428737 IP 10.11.2.1 > 10.11.2.3: ICMP echo reply, id 512, seq 50689, length 40
22:31:01.428853 IP 192.168.100.99 > 192.168.128.2: ICMP echo request, id 512, seq 50945, length 40
22:31:01.429186 IP 192.168.128.2 > 192.168.100.99: ICMP echo reply, id 512, seq 50945, length 40
22:31:04.731353 IP 192.168.100.99.1036 > 192.168.100.1.domain: 64927+ A? login.icq.com. (31)
22:31:04.731427 IP 192.168.100.1 > 192.168.100.99: ICMP 192.168.100.1 udp port domain unreachable, length 67
22:31:05.731305 IP 192.168.100.99.1036 > 192.168.128.2.domain: 64927+ A? login.icq.com. (31)
22:31:05.732547 IP 192.168.128.2.domain > 192.168.100.99.1036: 64927 2/4/0 CNAME[|domain]
22:31:06.428548 IP 192.168.100.99 > 192.168.100.1: ICMP echo request, id 512, seq 51201, length 40
22:31:06.428621 IP 192.168.100.1 > 192.168.100.99: ICMP echo reply, id 512, seq 51201, length 40
22:31:06.731233 IP 192.168.100.99.1036 > 192.168.100.1.domain: 64927+ A? login.icq.com. (31)
22:31:06.731316 IP 192.168.100.1 > 192.168.100.99: ICMP 192.168.100.1 udp port domain unreachable, length 67
22:31:06.928525 IP 10.11.2.1 > 10.11.2.3: ICMP echo reply, id 512, seq 51457, length 40
22:31:06.928640 IP 192.168.100.99 > 192.168.128.2: ICMP echo request, id 512, seq 51713, length 40
22:31:06.929187 IP 192.168.128.2 > 192.168.100.99: ICMP echo reply, id 512, seq 51713, length 40
22:31:08.731195 IP 192.168.100.99.1036 > 192.168.100.1.domain: 64927+ A? login.icq.com. (31)
22:31:08.731259 IP 192.168.100.1 > 192.168.100.99: ICMP 192.168.100.1 udp port domain unreachable, length 67
22:31:08.731276 IP 192.168.100.99.1036 > 192.168.128.2.domain: 64927+ A? login.icq.com. (31)
22:31:08.732343 IP 192.168.128.2.domain > 192.168.100.99.1036: 64927 2/4/0 CNAME[|domain]
22:31:11.928333 IP 192.168.100.99 > 192.168.100.1: ICMP echo request, id 512, seq 51969, length 40
22:31:11.928420 IP 192.168.100.1 > 192.168.100.99: ICMP echo reply, id 512, seq 51969, length 40
22:31:12.428298 IP 10.11.2.1 > 10.11.2.3: ICMP echo reply, id 512, seq 52225, length 40
22:31:12.428371 IP 192.168.100.99 > 192.168.128.2: ICMP echo request, id 512, seq 52481, length 40
22:31:12.428696 IP 192.168.128.2 > 192.168.100.99: ICMP echo reply, id 512, seq 52481, length 40
22:31:12.731006 IP 192.168.100.99.1036 > 192.168.100.1.domain: 64927+ A? login.icq.com. (31)
22:31:12.731068 IP 192.168.100.1 > 192.168.100.99: ICMP 192.168.100.1 udp port domain unreachable, length 67
22:31:12.731086 IP 192.168.100.99.1036 > 192.168.128.2.domain: 64927+ A? login.icq.com. (31)
22:31:12.731903 IP 192.168.128.2.domain > 192.168.100.99.1036: 64927 2/4/0 CNAME[|domain]
22:31:17.428112 IP 192.168.100.99 > 192.168.100.1: ICMP echo request, id 512, seq 52737, length 40
22:31:17.428182 IP 192.168.100.1 > 192.168.100.99: ICMP echo reply, id 512, seq 52737, length 40
22:31:17.928064 IP 10.11.2.1 > 10.11.2.3: ICMP echo reply, id 512, seq 52993, length 40
22:31:17.928203 IP 192.168.100.99 > 192.168.128.2: ICMP echo request, id 512, seq 53249, length 40
22:31:17.928804 IP 192.168.128.2 > 192.168.100.99: ICMP echo reply, id 512, seq 53249, length 40
22:31:22.927909 IP 192.168.100.99 > 192.168.100.1: ICMP echo request, id 512, seq 53505, length 40
22:31:22.927980 IP 192.168.100.1 > 192.168.100.99: ICMP echo reply, id 512, seq 53505, length 40
22:31:23.427881 IP 10.11.2.1 > 10.11.2.3: ICMP echo reply, id 512, seq 53761, length 40
22:31:23.428004 IP 192.168.100.99 > 192.168.128.2: ICMP echo request, id 512, seq 54017, length 40
22:31:23.428295 IP 192.168.128.2 > 192.168.100.99: ICMP echo reply, id 512, seq 54017, length 40
22:31:28.427666 IP 10.11.2.3 > 192.168.100.1: ICMP echo request, id 512, seq 54273, length 40
22:31:28.927667 IP 10.11.2.3 > 192.168.128.2: ICMP echo request, id 512, seq 54785, length 40
82 packets captured
82 packets received by filter
0 packets dropped by kernel

# sysctl -a | grep one_pass
net.inet.ip.fw.one_pass: 0

# ps awx | grep natd
1172 p0 R+ 0:00.00 grep natd
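One way to put ng_nat and ng_netflow together behind ipfw, written as an added example for this thread and not a script from the original post or from FreeBSD: ng_nat stays on ipfw hooks 60/61 exactly as in the post's script, and ng_netflow hangs off a third ipfw hook (30, the cookie the earlier ngtee rules used) that receives only ngtee copies, so no traffic has to pass through the netflow node. A packet returned from netgraph continues at the rule after the one that diverted it as long as net.inet.ip.fw.one_pass is 0 (the post's sysctl output shows it is), so the ngtee copy of incoming traffic is placed after the de-NAT rule and the copy of outgoing traffic before the NAT rule; every flow record then carries the private LAN address, in both directions, and nothing is counted twice. The fwd rule is narrowed to "to not $LAN_NET": written as in the post ("from me to any") it also matches the gateway's own replies to LAN hosts, which is consistent with the "10.11.2.1 > 10.11.2.3" echo replies showing up in the capture taken on 192.168.100.1. Assumptions not taken from the post: the "setdlt { iface=0 dlt=12 }" message (DLT_RAW, since ng_ipfw hands over bare IP packets with no Ethernet header) is from ng_netflow(4); the module loading, "ngctl -f -" and "ipfw delete" with several numbers are from kldstat(8)/kldload(8), ngctl(8) and ipfw(8); the hook and rule numbers are arbitrary; the collector 127.0.0.1:2222 and ifindex 2 are the post's. Without an argument the script only prints the commands it would run; "apply" executes them and "teardown" removes them.

```shell
#!/bin/sh
# ng_nat + ng_netflow behind ipfw(4) via ng_ipfw(4).
# Added example for this thread; not a script from the original post.
# Graph it builds (hook names on ipfw: are the cookies used in the rules):
#   ipfw:60 <-> nat:out          outgoing, masqueraded to NAT_IP
#   ipfw:61 <-> nat:in           incoming, de-masqueraded
#   ipfw:30 <-> netflow:iface0   gets ngtee copies only; out0 is left
#                                unconnected, so a copy is freed once counted
#   netflow:export <-> ksocket -> COLLECTOR (UDP)

EXT_IF=${EXT_IF:-rl1}                   # interface towards 192.168.100.0/24
NAT_IP=${NAT_IP:-192.168.100.99}        # alias address (rl1's address in the post)
LAN_NET=${LAN_NET:-10.11.2.0/24}
UPSTREAM=${UPSTREAM:-192.168.100.1}     # next hop used by the post's fwd rule
COLLECTOR=${COLLECTOR:-127.0.0.1:2222}  # flow-capture listener from the post
EXT_IFINDEX=${EXT_IFINDEX:-2}           # ifindex written into flows (index=2 in the post)

# ngctl(8) commands, one per line, in the order they must run.
# dlt=12 is DLT_RAW (assumed from ng_netflow(4)): ng_ipfw delivers IP, not Ethernet.
ng_graph() {
    cat <<EOF
mkpeer ipfw: nat 60 out
name ipfw:60 nat
connect ipfw: nat: 61 in
msg nat: setaliasaddr $NAT_IP
mkpeer ipfw: netflow 30 iface0
name ipfw:30 netflow
msg netflow: setdlt { iface=0 dlt=12 }
msg netflow: setifindex { iface=0 index=$EXT_IFINDEX }
mkpeer netflow: ksocket export inet/dgram/udp
msg netflow:export connect inet/$COLLECTOR
EOF
}

# ipfw(8) rule bodies.  A packet coming back from netgraph resumes at the
# rule after the one that diverted it (needs net.inet.ip.fw.one_pass=0), so:
# incoming traffic is de-NATed at 300 and the copy taken at 310 already has
# the private destination; outgoing traffic is copied at 400 before NAT
# rewrites the source at 410.  Rule 500 sends only non-LAN traffic upstream;
# "from me to any" would also catch the gateway's replies to LAN hosts.
ipfw_rules() {
    cat <<EOF
add 300 netgraph 61 ip from any to $NAT_IP in via $EXT_IF
add 310 ngtee 30 ip from any to $LAN_NET in via $EXT_IF
add 400 ngtee 30 ip from $LAN_NET to not me out via $EXT_IF
add 410 netgraph 60 ip from $LAN_NET to not me out via $EXT_IF
add 500 fwd $UPSTREAM ip from me to not $LAN_NET
EOF
}

apply() {
    sysctl net.inet.ip.fw.one_pass=0 >/dev/null   # packets must re-enter ipfw after NAT
    for m in ng_ipfw ng_nat ng_netflow ng_ksocket; do
        kldstat -n "$m.ko" >/dev/null 2>&1 || kldload "$m"
    done
    ng_graph | ngctl -f -                          # "-" reads the command list from stdin
    ipfw_rules | while read -r rule; do ipfw -q $rule; done
}

teardown() {
    ipfw -q delete 300 310 400 410 500
    ngctl shutdown netflow:
    ngctl shutdown nat:
}

case "${1:-show}" in
    show)     ng_graph; ipfw_rules ;;
    apply)    apply ;;
    teardown) teardown ;;
    *)        echo "usage: $0 [show|apply|teardown]" >&2; exit 64 ;;
esac
```

The only ordering that matters is the relative position of the four traffic rules: if 310 were placed before 300, the incoming copy would still carry the alias address, and if 400 came after 410 the outgoing copy would already be masqueraded, so accounting would no longer identify the LAN host.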