Project

General

Profile

Actions

Feature #15039

closed

GUI to configure Packet Flow Data (``pflow``) export

Added by Jim Pingle 8 months ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Rules / NAT
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Release Notes:
Default

Description

Following #15038 the GUI will need a set of options to configure pflow(4) behavior

It will need at least the following options:

  • Flow source IP address (optional) - Can be an interface address, IP alias VIP, CARP VIP.
  • Flow source port (optional, but if set, source IP address must also be set)
  • Flow destination IP address (required)
  • Flow destination port (required)
  • Flow protocol select between:
    • 5 - Netflow v5
    • 10 - IPFIX

See also: https://man.openbsd.org/ifconfig.8#PFLOW

It's not abundantly clear where the best place in the UI would be for this. It's a feature of PF and not a daemon/service. It's related to traffic monitoring but it isn't a graph or log of its own. So it may fit under Firewall > Traffic Flows or maybe System > Traffic Flows for example. Exact location is open for ideas/debate.


Related issues

Follows Feature #15038: Operating System support for PF ``pflow`` packet data flow exportClosedKristof Provost

Actions
Actions #1

Updated by Jim Pingle 8 months ago

  • Follows Feature #15038: Operating System support for PF ``pflow`` packet data flow export added
Actions #2

Updated by Kristof Provost 6 months ago

The required OS code has been merged.

pflow configuration is done through `pflowctl`. Use `pflowctl -c` to create a flow exporter. List them with `pflowctl -l`.
Flows can be configured with `pflowctl -s pflow0 src 192.168.1.1:1234 dst 10.0.0.1:2055 proto 10 domain 42`. This sets the source to IP 192.168.1.1 port 1234, the destination to 10.0.0.1 port 2055, the protocol version to 10 and the observation domain to 42.

Flow exporters can be removed again with `pflowctl -d pflow0`.

pf will only export flow information for states that are created by rules that have the 'pflow' tracking option set. e.g. "pass in from 192.0.2.2 keep state (pflow)"
That option can be set for all rules with "set state-defaults pflow".

Actions #3

Updated by Jim Pingle 6 months ago

  • Assignee set to Jim Pingle
Actions #4

Updated by Jim Pingle 6 months ago

  • Status changed from New to In Progress
Actions #5

Updated by Jim Pingle 6 months ago

  • Status changed from In Progress to Pull Request Review
Actions #6

Updated by Jim Pingle 6 months ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
Actions #7

Updated by Jim Pingle 6 months ago

Things to keep in mind when testing.

When inactive (disabled or not yet applied):

: kldstat | grep -i pflow
: pflowctl -l
pflowctl: pflow.ko is not loaded.
: pfctl -vvsr | grep -c pflow
0
: grep -c pflow /tmp/rules.debug
0

When active:

: kldstat | grep -i pflow
18    1 0xffffffff84622000     53e8 pflow.ko
: pflowctl -l
pflow0: version 10 domain 1 dst 172.21.32.3:2055
: pfctl -vvsr | grep -c pflow
39
: grep -c pflow /tmp/rule
rules.debug   rules.limits  
: grep -c pflow /tmp/rules.debug 
16

The specific values will vary based on the rules on the system.

Be sure to test with it enabled/disabled globally and per-exporter and make sure that the state is expected at each step.

Test with pflow on rules by default and off by default + explicitly configured on rules.

Actions #8

Updated by Jim Pingle 5 months ago

  • Subject changed from GUI option to configure ``pflow`` export behavior to GUI to configure Packet Flow Data (``pflow``) export
  • Category changed from Web Interface to Rules / NAT
Actions #9

Updated by Jim Pingle 4 months ago

  • Status changed from Feedback to Closed

This has been working perfectly here, no other reports of errors/problems.

Actions

Also available in: Atom PDF