forked from aabc/ipt-netflow
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathipt_NETFLOW.h
294 lines (265 loc) · 7.01 KB
/
ipt_NETFLOW.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
/*
* This file is part of NetFlow exporting module.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
#ifndef _IP_NETFLOW_H
#define _IP_NETFLOW_H
/*
* Some tech info:
* http://www.cisco.com/en/US/products/ps6601/prod_white_papers_list.html
* http://www.cisco.com/en/US/products/sw/netmgtsw/ps1964/products_implementation_design_guide09186a00800d6a11.html
*/
#define NETFLOW5_RECORDS_MAX 30
struct netflow5_record {
__be32 s_addr;
__be32 d_addr;
__be32 nexthop;
__be16 i_ifc;
__be16 o_ifc;
__be32 nr_packets;
__be32 nr_octets;
__be32 ts_first;
__be32 ts_last;
__be16 s_port;
__be16 d_port;
__u8 reserved;
__u8 tcp_flags;
__u8 protocol;
__u8 tos;
__be16 s_as;
__be16 d_as;
__u8 s_mask;
__u8 d_mask;
__u16 padding;
} __attribute__ ((packed));
/* NetFlow v5 packet */
struct netflow5_pdu {
__be16 version;
__be16 nr_records;
__be32 ts_uptime; /* ms */
__be32 ts_usecs; /* s */
__be32 ts_unsecs; /* ns */
__be32 seq;
__u8 eng_type;
__u8 eng_id;
__u16 padding;
struct netflow5_record flow[NETFLOW5_RECORDS_MAX];
} __attribute__ ((packed));
#define NETFLOW5_HEADER_SIZE (sizeof(struct netflow5_pdu) - NETFLOW5_RECORDS_MAX * sizeof(struct netflow5_record))
/* NetFlow v9 RFC http://www.ietf.org/rfc/rfc3954.txt */
enum {
IN_BYTES = 1,
IN_PKTS = 2,
PROTOCOL = 4,
TOS = 5,
TCP_FLAGS = 6,
L4_SRC_PORT = 7,
IPV4_SRC_ADDR = 8,
SRC_MASK = 9,
INPUT_SNMP = 10,
L4_DST_PORT = 11,
IPV4_DST_ADDR = 12,
DST_MASK = 13,
OUTPUT_SNMP = 14,
IPV4_NEXT_HOP = 15,
//SRC_AS = 16,
//DST_AS = 17,
//BGP_IPV4_NEXT_HOP = 18,
//MUL_DST_PKTS = 19,
//MUL_DST_BYTES = 20,
LAST_SWITCHED = 21,
FIRST_SWITCHED = 22,
ICMP_TYPE = 32,
MUL_IGMP_TYPE = 33,
//TOTAL_BYTES_EXP = 40,
//TOTAL_PKTS_EXP = 41,
//TOTAL_FLOWS_EXP = 42,
//IP_PROTOCOL_VERSION = 60,
DIRECTION = 61,
/* Values 0-127: NFv9-compatible. Below this line is IPFIX only */
commonPropertiesId = 137, /* for MARK */
postNATSourceIPv4Address = 225,
postNATDestinationIPv4Address = 226,
postNAPTSourceTransportPort = 227,
postNAPTDestinationTransportPort = 228,
natEvent = 230,
IPSecSPI = 295,
};
enum {
FLOWSET_TEMPLATE = 0,
FLOWSET_OPTIONS = 1,
IPFIX_TEMPLATE = 2,
IPFIX_OPTIONS = 3,
FLOWSET_DATA_FIRST = 256,
};
struct flowset_template {
__be16 flowset_id;
__be16 length;
__be16 template_id;
__be16 field_count;
} __attribute__ ((packed));
struct flowset_data {
__be16 flowset_id;
__be16 length;
} __attribute__ ((packed));
/* NetFlow v9 packet. */
struct netflow9_pdu {
__be16 version;
__be16 nr_records;
__be32 sys_uptime_ms;
__be32 export_time_s;
__be32 seq;
__be32 source_id; /* Exporter Observation Domain */
__u8 data[1400];
} __attribute__ ((packed));
/* IPFIX packet. */
struct ipfix_pdu {
__be16 version;
__be16 length;
__be32 export_time_s;
__be32 seq;
__be32 odomain_id; /* Observation Domain ID */
__u8 data[1400];
} __attribute__ ((packed));
/* hashed data which identify unique flow */
struct ipt_netflow_tuple {
__be32 s_addr; // Network byte order
__be32 d_addr; // -"-
__be16 s_port; // -"-
__be16 d_port; // -"-
__be16 i_ifc; // Local byte order
__u8 protocol;
__u8 tos;
};
/* maximum bytes flow can have, after it reached flow become not searchable and will be exported soon */
#define FLOW_FULL_WATERMARK 0xffefffff
/* flow entry */
struct ipt_netflow {
struct hlist_node hlist; // hashtable search chain
struct list_head list; // all flows chain
/* unique per flow data (hashed, NETFLOW_TUPLE_SIZE) */
struct ipt_netflow_tuple tuple;
/* volatile data */
__be32 nexthop;
__be16 o_ifc;
__u8 s_mask;
__u8 d_mask;
__u8 tcp_flags; /* `OR' of all tcp flags */
/* flow statistics */
u_int32_t nr_packets;
u_int32_t nr_bytes;
unsigned long ts_first;
unsigned long ts_last;
#ifdef CONFIG_NF_CONNTRACK_MARK
u_int32_t mark;
#endif
#ifdef CONFIG_NF_NAT_NEEDED
__be32 s_as;
__be32 d_as;
struct nat_event *nat;
#endif
spinlock_t *lock;
};
#ifdef CONFIG_NF_NAT_NEEDED
enum {
NAT_CREATE, NAT_DESTROY, NAT_POOLEXHAUSTED
};
struct nat_event {
struct list_head list;
struct {
__be32 s_addr;
__be32 d_addr;
__be16 s_port;
__be16 d_port;
} pre, post;
unsigned long ts;
__u8 protocol;
__u8 nat_event;
};
#define IS_DUMMY_FLOW(nf) (nf->nat)
#else
#define IS_DUMMY_FLOW(nf) 0
#endif
static inline int ipt_netflow_tuple_equal(const struct ipt_netflow_tuple *t1,
const struct ipt_netflow_tuple *t2)
{
return (!memcmp(t1, t2, sizeof(struct ipt_netflow_tuple)));
}
struct ipt_netflow_sock {
struct list_head list;
struct socket *sock;
__be32 ipaddr;
unsigned short port;
atomic_t wmem_peak; // sk_wmem_alloc peak value
atomic_t err_full; // socket filled error
atomic_t err_connect; // connect errors
atomic_t err_other; // other socket errors
};
struct netflow_aggr_n {
struct list_head list;
atomic_t usage;
__u32 mask;
__u32 addr;
__u32 aggr_mask;
__u8 prefix;
};
struct netflow_aggr_p {
struct list_head list;
atomic_t usage;
__u16 port1;
__u16 port2;
__u16 aggr_port;
};
#define NETFLOW_STAT_INC(count) (__get_cpu_var(ipt_netflow_stat).count++)
#define NETFLOW_STAT_ADD(count, val) (__get_cpu_var(ipt_netflow_stat).count += (unsigned long long)val)
#define NETFLOW_STAT_INC_ATOMIC(count) \
do { \
preempt_disable(); \
(__get_cpu_var(ipt_netflow_stat).count++); \
preempt_enable(); \
} while(0);
#define NETFLOW_STAT_ADD_ATOMIC(count, val) \
do { \
preempt_disable(); \
(__get_cpu_var(ipt_netflow_stat).count += (unsigned long long)val); \
preempt_enable(); \
} while(0);
/* statistics */
struct ipt_netflow_stat {
u64 searched; // hash stat
u64 found; // hash stat
u64 notfound; // hash stat
unsigned int truncated; // packets stat
unsigned int frags; // packets stat
unsigned int alloc_err; // failed to allocate flow mem
unsigned int maxflows_err; // maxflows reached
unsigned int send_success; // sendmsg() ok
unsigned int send_failed; // sendmsg() failed
unsigned int sock_errors; // socket error callback called (got icmp refused)
u64 exported_size; // netflow traffic itself
u64 pkt_total; // packets accounted total
u64 traf_total; // traffic accounted total
u64 pkt_drop; // packets not accounted total
u64 traf_drop; // traffic not accounted total
u64 pkt_out; // packets out of the memory
u64 traf_out; // traffic out of the memory
};
#ifndef list_first_entry
#define list_first_entry(ptr, type, member) \
list_entry((ptr)->next, type, member)
#endif
#endif
/* vim: set sw=8: */