[Feature Request] (ng_)netflow additional

Julian Elischer julian at freebsd.org
Wed Oct 30 14:14:36 UTC 2013


On 10/30/13, 6:40 PM, Dennis Yusupoff wrote:
> Good day everyone.
>
> To be brief:
>
> 1. It would be really useful for CGNAT providers to have the ability to record
> customers' IPs in traffic before and after NAT, as has already been done in
> ipt_NETFLOW under Linux or in the Cisco ASA series.
>
> === begin of cut https://github.com/aabc/ipt-netflow/blob/master/README ===
> natevents=1
>       - Collect and send NAT translation events as NetFlow Event Logging
> (NEL)
>         for NetFlow v9/IPFIX, or as dummy flows compatible with NetFlow v5.
>         Default is 0 (don't send).
>
>         For NetFlow v5 protocol meaning of fields in dummy flows is such:
>           Src IP, Src Port is Pre-nat source address.
>           Dst IP, Dst Port is Post-nat destination address.
>             - These two fields are made equal to data flows caught in
> FORWARD chain.
>           Nexthop, Src AS is Post-nat source address for SNAT. Or,
>           Nexthop, Dst AS is Pre-nat destination address for DNAT.
>           TCP Flags is SYN+SCK for start event, RST+FIN for stop event.
>           Pkt/Traffic size is 0 (zero), so it won't interfere with
> accounting.
I think this would be very hard because the netflow module looks at 
the packets at one place. Either it is before or after NAT but not 
during.. so the information is not available.. we would have to add a 
netflow source into the NAT code to do this (and then the other net 
flow code would need to be turned off if NAT was on.. but since 
netgraph is like lego, and no part of it knows about any other part of 
it, it would be quite a challenge as to how this could be done.)

> === end of cut ===
>
> 2. Is it possible to specify by user some field in Netflow v9, for
> example /IF_DESC/ or /APPLICATION DESCRIPTION/, according to
> http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9_ps6601_Products_White_Paper.html?
> If not, it would be really nice to see. Usage example: customers
> requested another IP on an interface where we collect netflow traffic, so
> when we should give a traffic report we haven't any *unique* identifier
> in netflow flows which can be helpful. It's a real pity.
I leave this to the people who know more about netflow...

> Thank you for your consideration!
>
>
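As an added illustration of the dummy-flow scheme quoted from the ipt-netflow README above (example code, not from ipt-netflow, FreeBSD or ng_netflow), the following Python decoder recognises NAT events in NetFlow v5 records and pulls out the pre- and post-NAT addresses. It assumes the standard 48-byte v5 record layout; the sample record, its addresses and ports are constructed.

```python
import socket
import struct

# Standard NetFlow v5 flow record: 48 bytes, network byte order.
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
SYN_ACK = 0x12  # TCP flags marking a translation "start" event
RST_FIN = 0x05  # TCP flags marking a translation "stop" event

def ip_to_str(n):
    return socket.inet_ntoa(struct.pack("!I", n))

def str_to_ip(s):
    return struct.unpack("!I", socket.inet_aton(s))[0]

def parse_record(buf):
    """Unpack one 48-byte v5 record into a dict of the fields we need."""
    f = V5_RECORD.unpack(buf)
    return {"src": ip_to_str(f[0]), "dst": ip_to_str(f[1]),
            "nexthop": ip_to_str(f[2]), "pkts": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "flags": f[12], "proto": f[13],
            "src_as": f[15], "dst_as": f[16]}

def nat_event(rec):
    """Interpret a parsed v5 record as an ipt-netflow NAT event (a dummy flow
    with zero counters and SYN+ACK / RST+FIN flags); None for a data flow.
    Accounting code should skip these so they do not inflate traffic totals."""
    if rec["pkts"] or rec["octets"]:
        return None
    if rec["flags"] == SYN_ACK:
        kind = "start"
    elif rec["flags"] == RST_FIN:
        kind = "stop"
    else:
        return None
    return {"event": kind, "proto": rec["proto"],
            "pre_nat_src": (rec["src"], rec["sport"]),
            "post_nat_dst": (rec["dst"], rec["dport"]),
            # SNAT: nexthop + src_as hold the post-NAT source address/port.
            "snat_post_src": (rec["nexthop"], rec["src_as"]),
            # DNAT: nexthop + dst_as hold the pre-NAT destination address/port.
            "dnat_pre_dst": (rec["nexthop"], rec["dst_as"])}

def make_record(src, sport, dst, dport, nexthop, src_as, dst_as, flags,
                pkts=0, octets=0, proto=6):
    """Builder for constructed sample records (test data, not a real export)."""
    return V5_RECORD.pack(str_to_ip(src), str_to_ip(dst), str_to_ip(nexthop),
                          0, 0, pkts, octets, 0, 0, sport, dport, 0, flags,
                          proto, 0, src_as, dst_as, 0, 0, 0)

# Constructed SNAT start event: subscriber 100.64.1.10:51234 reaching
# 203.0.113.5:443, translated to the public address 198.51.100.7:40000.
SAMPLE_SNAT_START = make_record("100.64.1.10", 51234, "203.0.113.5", 443,
                                "198.51.100.7", 40000, 0, SYN_ACK)
```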



More information about the freebsd-net mailing list