Add an rc.d script to setup a netflow export via ng_netflow
The default is to export netflow data on localhost on the netflow port. ngtee is used to have the lowest overhead possible. The ipfw ng hook is the netflow port (it can only be numeric) Default is netflow version 5. Sponsored-By: Gandi.net Reviewed by: bapt (earlier version), olivier (earlier version)
This commit is contained in:
Emmanuel Vadot
parent
600a08a80d
commit
0fc830cca9
77
etc/rc.d/ipfw_netflow
Executable file
77
etc/rc.d/ipfw_netflow
Executable file
@ -0,0 +1,77 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# $FreeBSD$
|
||||
#
|
||||
|
||||
# PROVIDE: ipfw_netflow
|
||||
# REQUIRE: ipfw
|
||||
# KEYWORD: nojailvnet
|
||||
|
||||
. /etc/rc.subr
|
||||
. /etc/network.subr
|
||||
|
||||
name="ipfw_netflow"
|
||||
desc="firewall, ipfw, netflow"
|
||||
rcvar="${name}_enable"
|
||||
start_cmd="${name}_start"
|
||||
stop_cmd="${name}_stop"
|
||||
start_precmd="${name}_test"
|
||||
status_cmd="${name}_status"
|
||||
required_modules="ipfw ng_netflow ng_ipfw"
|
||||
extra_commands="status"
|
||||
|
||||
: ${ipfw_netflow_hook:=9995}
|
||||
: ${ipfw_netflow_rule:=01000}
|
||||
: ${ipfw_netflow_ip:=127.0.0.1}
|
||||
: ${ipfw_netflow_port:=9995}
|
||||
: ${ipfw_netflow_version:=}
|
||||
|
||||
ipfw_netflow_test()
|
||||
{
|
||||
if [ "${ipfw_netflow_version}" != "" ] && [ "${ipfw_netflow_version}" != 9 ]; then
|
||||
err 1 "Unknown netflow version \'${ipfw_netflow_version}\'"
|
||||
fi
|
||||
case "${ipfw_netflow_hook}" in
|
||||
[!0-9]*)
|
||||
err 1 "Bad value \"${ipfw_netflow_hook}\": Hook must be numerical"
|
||||
esac
|
||||
case "${ipfw_netflow_rule}" in
|
||||
[!0-9]*)
|
||||
err 1 "Bad value \"${ipfw_netflow_rule}\": Rule number must be numerical"
|
||||
esac
|
||||
}
|
||||
|
||||
ipfw_netflow_is_running()
|
||||
{
|
||||
ngctl show netflow: > /dev/null 2>&1 && return 0 || return 1
|
||||
}
|
||||
|
||||
ipfw_netflow_status()
|
||||
{
|
||||
ipfw_netflow_is_running && echo "ipfw_netflow is active" || echo "ipfw_netflow is not active"
|
||||
}
|
||||
|
||||
ipfw_netflow_start()
|
||||
{
|
||||
ipfw_netflow_is_running && err 1 "ipfw_netflow is already active"
|
||||
ipfw add ${ipfw_netflow_rule} ngtee ${ipfw_netflow_hook} ip from any to any
|
||||
ngctl -f - <<-EOF
|
||||
mkpeer ipfw: netflow ${ipfw_netflow_hook} iface0
|
||||
name ipfw:${ipfw_netflow_hook} netflow
|
||||
mkpeer netflow: ksocket export${ipfw_netflow_version} inet/dgram/udp
|
||||
msg netflow: setdlt {iface=0 dlt=12}
|
||||
name netflow:export${ipfw_netflow_version} netflow_export
|
||||
msg netflow:export${ipfw_netflow_version} connect inet/${ipfw_netflow_ip}:${ipfw_netflow_port}
|
||||
EOF
|
||||
}
|
||||
|
||||
ipfw_netflow_stop()
|
||||
{
|
||||
ipfw_netflow_is_running || err 1 "ipfw_netflow is not active"
|
||||
ngctl shutdown netflow:
|
||||
ipfw delete ${ipfw_netflow_rule}
|
||||
}
|
||||
|
||||
load_rc_config $name
|
||||
|
||||
run_rc_command $*
|
||||
Loading…
Reference in New Issue
Block a user