From: "O'Connor, Daniel"
To: Patrick Lamaiziere
Cc: "O'Connor, Daniel", FreeBSD Hackers
Date: Thu, 8 Jan 2015 20:46:23 -0500
Subject: Re: if_pflow from OpenBSD

On 8 Jan 2015, at 19:47, Patrick Lamaiziere wrote:

> On Wed, 7 Jan 2015 07:26:42 -0500,
> "O'Connor, Daniel" wrote:
>
>> Has anyone attempted a port of this?
>> (http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflow.c)
>>
>> I used to use pfflowd but it broke due to pf changes and looks dead
>> upstream - if_pflow(4) seems like the canonical pf way now.
>
> Maybe you can try ng_netflow(4)?

Funny you should mention that :)

I am using mpd for PPPoE which uses netgraph and so enabled that (although had to fix a bug when you have netflow and IPv6) - however I am using pf for my firewall and NAT and I'd rather not change. That means that mpd (and hence ng_netflow) don't see un-NAT'd addresses which makes the flow tracking not particularly useful.

I could run softflowd but that doesn't see traffic generated by the router itself (of which there is quite a bit) so that's out too..

I had a look at if_pflow and it does appear to handle NAT properly and so should do what I want..

> (I have to migrate an OpenBSD firewall to FreeBSD and any
> input on ng_netflow will be welcome.)

I think if you used netgraph for NAT then it would work but I'm reluctant to migrate my setting (just yet anyway..)

Regards,
Daniel O'Connor
Senior Software Engineer
Isilon Platforms Team