From owner-freebsd-net@FreeBSD.ORG Wed Oct 30 14:14:36 2013
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 4F6B9DC0 for ; Wed, 30 Oct 2013 14:14:36 +0000 (UTC) (envelope-from julian@freebsd.org)
Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 08B5D24CD for ; Wed, 30 Oct 2013 14:14:35 +0000 (UTC)
Received: from jre-mbp.elischer.org (ppp121-45-246-96.lns20.per2.internode.on.net [121.45.246.96]) (authenticated bits=0) by vps1.elischer.org (8.14.7/8.14.7) with ESMTP id r9UEEUkS023605 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Wed, 30 Oct 2013 07:14:33 -0700 (PDT) (envelope-from julian@freebsd.org)
Message-ID: <52711440.5060405@freebsd.org>
Date: Wed, 30 Oct 2013 22:14:24 +0800
From: Julian Elischer
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.1.0
MIME-Version: 1.0
To: Dennis Yusupoff , freebsd-net@freebsd.org
Subject: Re: [Feature Request] (ng_)netflow additional
References: <5270E22C.1060408@smartspb.net>
In-Reply-To: <5270E22C.1060408@smartspb.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Wed, 30 Oct 2013 14:14:36 -0000

On 10/30/13, 6:40 PM, Dennis Yusupoff wrote:
> Good day everyone.
>
> To be brief:
>
> 1. It would be really useful for CGNAT providers to have the ability to
> record customers' IPs in traffic before and after NAT, as has already
> been done in ipt_NETFLOW under Linux or in the Cisco ASA series.
>
> === begin of cut https://github.com/aabc/ipt-netflow/blob/master/README ===
> natevents=1
>   - Collect and send NAT translation events as NetFlow Event Logging (NEL)
>     for NetFlow v9/IPFIX, or as dummy flows compatible with NetFlow v5.
>     Default is 0 (don't send).
>
>   For NetFlow v5 protocol meaning of fields in dummy flows is such:
>     Src IP, Src Port is Pre-nat source address.
>     Dst IP, Dst Port is Post-nat destination address.
>       - These two fields made equal to data flows caught in FORWARD chain.
>     Nexthop, Src AS is Post-nat source address for SNAT. Or,
>     Nexthop, Dst AS is Pre-nat destination address for DNAT.
>     TCP Flags is SYN+ACK for start event, RST+FIN for stop event.
>     Pkt/Traffic size is 0 (zero), so it won't interfere with accounting.

I think this would be very hard because the netflow module looks at the
packets at one place. Either it is before or after NAT but not during..
so the information is not available.. we would have to add a netflow
source into the NAT code to do this (and then the other netflow code
would need to be turned off if NAT was on.. but since netgraph is like
lego, and no part of it knows about any other part of it, it would be
quite a challenge as to how this could be done.)

> === end of cut ===
>
> 2. Is it possible for the user to specify some field in Netflow v9, for
> example /IF_DESC/ or /APPLICATION DESCRIPTION/, according to
> http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9_ps6601_Products_White_Paper.html?
> If not, it would be really nice to see. Usage example: customers
> requested another IP on an interface where we collect netflow traffic, so
> when we have to give a traffic report we don't have any *unique*
> identifier in the netflow flows which could be helpful. It's a real pity.

I leave this to the people who know more about netflow...

> Thank you for your consideration!
>
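The NetFlow v5 "dummy flow" encoding that the quoted ipt-netflow README describes, carried through end to end as an added example in Python. This is not code from ipt-netflow, ng_netflow or FreeBSD: it packs SNAT and DNAT translation events into standard v5 records with the field placement the README gives (pre-NAT source in src, post-NAT destination in dst, nexthop plus an AS field carrying the translated or original address, SYN+ACK / RST+FIN flags, zero counters), and a collector-side decoder separates those records from ordinary accounting flows and maps a public (ip, port) from an abuse report back to the pre-NAT customer. The v5 header and record layouts are the standard ones; the rule used to tell an SNAT event from a DNAT event (which AS field carries a port), and every address and port in the sample export, are this example's own assumptions and constructed data.

```python
"""NetFlow v5 NAT-event dummy flows: encoder and collector-side decoder.

Added example, not ipt-netflow, ng_netflow or FreeBSD code. Field placement
follows the ipt-netflow README quoted in the thread; the SNAT/DNAT
discrimination rule (which AS field is non-zero) is this example's assumption.
"""
import socket
import struct
import time

V5_HEADER = struct.Struct("!HHIIIIBBH")             # 24 bytes
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48 bytes

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10
NAT_START = TCP_SYN | TCP_ACK   # README: "SYN+ACK for start event"
NAT_STOP = TCP_RST | TCP_FIN    # README: "RST+FIN for stop event"


def _ip(s):
    return struct.unpack("!I", socket.inet_aton(s))[0]


def _ip_str(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def nat_event_record(kind, pre_src, post_src, pre_dst, post_dst, proto=6, start=True):
    """Encode one translation as a v5 dummy flow. Addresses are (ip, port)."""
    if kind == "snat":      # nexthop + src_as = post-NAT source
        nexthop, src_as, dst_as = _ip(post_src[0]), post_src[1], 0
    elif kind == "dnat":    # nexthop + dst_as = pre-NAT destination
        nexthop, src_as, dst_as = _ip(pre_dst[0]), 0, pre_dst[1]
    else:
        raise ValueError("kind must be 'snat' or 'dnat'")
    flags = NAT_START if start else NAT_STOP
    return V5_RECORD.pack(
        _ip(pre_src[0]), _ip(post_dst[0]), nexthop,
        0, 0,                   # input / output ifindex
        0, 0,                   # dPkts / dOctets: zero, so accounting is untouched
        0, 0,                   # first / last sysuptime
        pre_src[1], post_dst[1],
        0, flags, proto, 0,     # pad, tcp_flags, proto, tos
        src_as, dst_as,
        0, 0, 0)                # src_mask, dst_mask, pad


def build_export(records, sequence=0):
    """Wrap records in a v5 export header (engine/sampling fields left zero)."""
    hdr = V5_HEADER.pack(5, len(records), 0, int(time.time()), 0, sequence, 0, 0, 0)
    return hdr + b"".join(records)


def decode_export(packet):
    """Return a list of ('flow', dict) / ('nat', dict) items from one v5 packet."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("short packet")
    version, count, *_ = V5_HEADER.unpack_from(packet)
    if version != 5:
        raise ValueError("not NetFlow v5")
    if len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count exceeds packet length")
    items = []
    for i in range(count):
        (src, dst, nexthop, _in, _out, pkts, octets, _first, _last, sport, dport,
         _pad, flags, proto, _tos, src_as, dst_as, *_rest) = \
            V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        # NAT events carry no traffic and only ever use the two marker flag sets.
        if pkts == 0 and octets == 0 and flags in (NAT_START, NAT_STOP):
            ev = {"event": "start" if flags == NAT_START else "stop", "proto": proto,
                  "pre_src": (_ip_str(src), sport), "post_dst": (_ip_str(dst), dport)}
            if src_as:   # assumption: only SNAT events put a port in src_as
                ev["kind"], ev["post_src"] = "snat", (_ip_str(nexthop), src_as)
            else:
                ev["kind"], ev["pre_dst"] = "dnat", (_ip_str(nexthop), dst_as)
            items.append(("nat", ev))
        else:
            items.append(("flow", {"src": (_ip_str(src), sport), "dst": (_ip_str(dst), dport),
                                   "proto": proto, "pkts": pkts, "octets": octets}))
    return items


def subscriber_for(items, public_ip, public_port):
    """Map a public (ip, port) from an abuse report back to pre-NAT customer addresses."""
    return [ev["pre_src"] for tag, ev in items
            if tag == "nat" and ev["kind"] == "snat" and ev["event"] == "start"
            and ev["post_src"] == (public_ip, public_port)]


def demo_export():
    """Constructed sample export: one accounting flow, an SNAT start/stop pair, a DNAT start."""
    data_flow = V5_RECORD.pack(_ip("100.64.1.10"), _ip("93.184.216.34"), 0, 1, 2, 12, 1480,
                               1000, 2000, 51234, 443, 0, TCP_ACK, 6, 0, 0, 0, 32, 24, 0)
    snat = (("100.64.1.10", 51234), ("203.0.113.7", 40001),
            ("93.184.216.34", 443), ("93.184.216.34", 443))
    dnat = (("198.51.100.5", 33000), ("198.51.100.5", 33000),
            ("203.0.113.8", 8080), ("100.64.2.20", 80))
    return build_export([data_flow,
                         nat_event_record("snat", *snat, start=True),
                         nat_event_record("snat", *snat, start=False),
                         nat_event_record("dnat", *dnat, start=True)], sequence=1)


def decode_demo():
    return decode_export(demo_export())


if __name__ == "__main__":
    items = decode_demo()
    for tag, rec in items:
        print(tag, rec)
    print("203.0.113.7:40001 ->", subscriber_for(items, "203.0.113.7", 40001))
```

The decoder's split on "zero counters plus marker flags" is what lets a collector keep these records out of billing while still indexing them for lookups; a real deployment would key the SNAT start/stop pairs by time so that a port reused later by another subscriber is not misattributed.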