From owner-svn-src-head@freebsd.org  Thu Jul 13 13:40:19 2017
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id C7247DA3106;
 Thu, 13 Jul 2017 13:40:19 +0000 (UTC)
 (envelope-from manu@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id A101578393;
 Thu, 13 Jul 2017 13:40:19 +0000 (UTC)
 (envelope-from manu@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v6DDeIdQ086140;
 Thu, 13 Jul 2017 13:40:18 GMT (envelope-from manu@FreeBSD.org)
Received: (from manu@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id v6DDeIE9086139;
 Thu, 13 Jul 2017 13:40:18 GMT (envelope-from manu@FreeBSD.org)
Message-Id: <201707131340.v6DDeIE9086139@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: manu set sender to
 manu@FreeBSD.org using -f
From: Emmanuel Vadot <manu@FreeBSD.org>
Date: Thu, 13 Jul 2017 13:40:18 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r320944 - head/etc/rc.d
X-SVN-Group: head
X-SVN-Commit-Author: manu
X-SVN-Commit-Paths: head/etc/rc.d
X-SVN-Commit-Revision: 320944
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Jul 2017 13:40:19 -0000

Author: manu
Date: Thu Jul 13 13:40:18 2017
New Revision: 320944
URL: https://svnweb.freebsd.org/changeset/base/320944

Log:
  Add an rc.d script to setup a netflow export via ng_netflow
  The default is to export netflow data on localhost on the netflow port.
  ngtee is used to have the lowest overhead possible.
  The ipfw ng hook is the netflow port (it can only be numeric)
  Default is netflow version 5.
  
  Sponsored-By:   Gandi.net
  Reviewed by:	bapt (earlier version), olivier (earlier version)

Added:
  head/etc/rc.d/ipfw_netflow   (contents, props changed)

Added: head/etc/rc.d/ipfw_netflow
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/etc/rc.d/ipfw_netflow	Thu Jul 13 13:40:18 2017	(r320944)
@@ -0,0 +1,77 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: ipfw_netflow
+# REQUIRE: ipfw
+# KEYWORD: nojailvnet
+
+. /etc/rc.subr
+. /etc/network.subr
+
+name="ipfw_netflow"
+desc="firewall, ipfw, netflow"
+rcvar="${name}_enable"
+start_cmd="${name}_start"
+stop_cmd="${name}_stop"
+start_precmd="${name}_test"
+status_cmd="${name}_status"
+required_modules="ipfw ng_netflow ng_ipfw"
+extra_commands="status"
+
+: ${ipfw_netflow_hook:=9995}
+: ${ipfw_netflow_rule:=01000}
+: ${ipfw_netflow_ip:=127.0.0.1}
+: ${ipfw_netflow_port:=9995}
+: ${ipfw_netflow_version:=}
+
+ipfw_netflow_test()
+{
+    if [ "${ipfw_netflow_version}" != "" ] && [ "${ipfw_netflow_version}" != 9 ]; then
+	err 1 "Unknown netflow version \'${ipfw_netflow_version}\'"
+    fi
+    case "${ipfw_netflow_hook}" in
+	[!0-9]*)
+	    err 1 "Bad value \"${ipfw_netflow_hook}\": Hook must be numerical"
+    esac
+    case "${ipfw_netflow_rule}" in
+	[!0-9]*)
+	    err 1 "Bad value \"${ipfw_netflow_rule}\": Rule number must be numerical"
+    esac
+}
+
+ipfw_netflow_is_running()
+{
+	ngctl show netflow: > /dev/null 2>&1 && return 0 || return 1
+}
+
+ipfw_netflow_status()
+{
+	ipfw_netflow_is_running && echo "ipfw_netflow is active" || echo "ipfw_netflow is not active"
+}
+
+ipfw_netflow_start()
+{
+	ipfw_netflow_is_running && err 1 "ipfw_netflow is already active"
+	ipfw add ${ipfw_netflow_rule} ngtee ${ipfw_netflow_hook} ip from any to any
+	ngctl -f - <<-EOF
+	mkpeer ipfw: netflow ${ipfw_netflow_hook} iface0
+	name ipfw:${ipfw_netflow_hook} netflow
+	mkpeer netflow: ksocket export${ipfw_netflow_version} inet/dgram/udp
+	msg netflow: setdlt {iface=0 dlt=12}
+	name netflow:export${ipfw_netflow_version} netflow_export
+	msg netflow:export${ipfw_netflow_version} connect inet/${ipfw_netflow_ip}:${ipfw_netflow_port}
+EOF
+}
+
+ipfw_netflow_stop()
+{
+    ipfw_netflow_is_running || err 1 "ipfw_netflow is not active"
+    ngctl shutdown netflow:
+    ipfw delete ${ipfw_netflow_rule}
+}
+
+load_rc_config $name
+
+run_rc_command $*