Feature #15039
closed
GUI to configure Packet Flow Data (``pflow``) export
Added by Jim Pingle 12 months ago.
Updated 9 months ago.
Description
Following #15038, the GUI will need a set of options to configure pflow(4) behavior.
It will need at least the following options:
- Flow source IP address (optional) - Can be an interface address, IP alias VIP, CARP VIP.
- Flow source port (optional, but if set, source IP address must also be set)
- Flow destination IP address (required)
- Flow destination port (required)
- Flow protocol, select between:
  - 5 - Netflow v5
  - 10 - IPFIX
See also: https://man.openbsd.org/ifconfig.8#PFLOW
It's not abundantly clear where the best place in the UI would be for this. It's a feature of PF and not a daemon/service. It's related to traffic monitoring but it isn't a graph or log of its own. So it may fit under Firewall > Traffic Flows or maybe System > Traffic Flows for example. Exact location is open for ideas/debate.
- Follows Feature #15038: Operating System support for PF ``pflow`` packet data flow export added
The required OS code has been merged.
pflow configuration is done through `pflowctl`. Use `pflowctl -c` to create a flow exporter. List them with `pflowctl -l`.
Flows can be configured with `pflowctl -s pflow0 src 192.168.1.1:1234 dst 10.0.0.1:2055 proto 10 domain 42`. This sets the source to IP 192.168.1.1 port 1234, the destination to 10.0.0.1 port 2055, the protocol version to 10 and the observation domain to 42.
Flow exporters can be removed again with `pflowctl -d pflow0`.
pf will only export flow information for states that are created by rules that have the 'pflow' tracking option set. e.g. "pass in from 192.0.2.2 keep state (pflow)"
That option can be set for all rules with "set state-defaults pflow".
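The option constraints from the description and the `pflowctl` syntax from this comment, as an added example (not pfSense project code): it builds the `pflowctl -s` command line a GUI backend would run, rejects the invalid combinations listed above, and parses `pflowctl -l` output so a test can confirm the applied exporter matches the configured values. The bare `src IP` form and the `src` field in the listing are assumptions.

```python
import re
import shlex
# Constructed example, not pfSense code: option rules follow the feature
# description above, command syntax follows the pflowctl examples above.

def build_pflowctl_set(exporter, dst_ip, dst_port, src_ip=None, src_port=None,
                       proto=10, domain=None):
    """Return the 'pflowctl -s' command line for one exporter, enforcing the
    GUI constraints: dst required, src port needs src IP, proto 5 or 10."""
    if not dst_ip or dst_port is None:
        raise ValueError("destination IP address and port are required")
    if src_port is not None and src_ip is None:
        raise ValueError("source port requires a source IP address")
    if proto not in (5, 10):  # 5 = Netflow v5, 10 = IPFIX
        raise ValueError("protocol must be 5 (Netflow v5) or 10 (IPFIX)")
    for port in (dst_port, src_port):
        if port is not None and not 1 <= int(port) <= 65535:
            raise ValueError(f"port out of range: {port}")
    args = ["pflowctl", "-s", exporter]
    if src_ip is not None:
        # Assumption: a bare 'src IP' with no port is accepted by pflowctl.
        args += ["src", src_ip if src_port is None else f"{src_ip}:{src_port}"]
    args += ["dst", f"{dst_ip}:{dst_port}", "proto", str(proto)]
    if domain is not None:
        args += ["domain", str(domain)]
    return shlex.join(args)

def validation_error(**settings):
    """Return the rejection message for a set of GUI values, or None if valid."""
    try:
        build_pflowctl_set(**settings)
    except ValueError as exc:
        return str(exc)
    return None

# 'pflowctl -l' prints one line per exporter, as in the test notes above
# ("pflow0: version 10 domain 1 dst 172.21.32.3:2055"); the src field is assumed.
_LIST_RE = re.compile(r"^(?P<name>pflow\d+): version (?P<version>\d+) domain "
                      r"(?P<domain>\d+)(?: src (?P<src>\S+))? dst (?P<dst>\S+)$")

def parse_pflowctl_list(output):
    """Parse 'pflowctl -l' output into {exporter: fields}; the 'pflow.ko is not
    loaded' message and other non-matching lines yield no entry (inactive)."""
    exporters = {}
    for line in output.splitlines():
        m = _LIST_RE.match(line.strip())
        if m:
            fields = m.groupdict()
            exporters[fields.pop("name")] = fields
    return exporters
```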
- Assignee set to Jim Pingle
- Status changed from New to In Progress
- Status changed from In Progress to Pull Request Review
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Things to keep in mind when testing.
When inactive (disabled or not yet applied):
: kldstat | grep -i pflow
: pflowctl -l
pflowctl: pflow.ko is not loaded.
: pfctl -vvsr | grep -c pflow
0
: grep -c pflow /tmp/rules.debug
0
When active:
: kldstat | grep -i pflow
18 1 0xffffffff84622000 53e8 pflow.ko
: pflowctl -l
pflow0: version 10 domain 1 dst 172.21.32.3:2055
: pfctl -vvsr | grep -c pflow
39
: grep -c pflow /tmp/rule
rules.debug rules.limits
: grep -c pflow /tmp/rules.debug
16
The specific values will vary based on the rules on the system.
Be sure to test with it enabled/disabled globally and per-exporter and make sure that the state is expected at each step.
Test with pflow on rules by default and off by default + explicitly configured on rules.
- Subject changed from GUI option to configure ``pflow`` export behavior to GUI to configure Packet Flow Data (``pflow``) export
- Category changed from Web Interface to Rules / NAT
- Status changed from Feedback to Closed
This has been working perfectly here, no other reports of errors/problems.