Date:      Fri, 28 Sep 2007 08:12:16 +0300
From:      Alexander Motin <mav@FreeBSD.org>
To:        wel@skm.net.ua
Cc:        freebsd-net@freebsd.org
Subject:   Re: ng_nat+ng_netflow+mpd4 - ?
Message-ID:  <46FC8D30.7030708@FreeBSD.org>
In-Reply-To: <1190942604.00806258.1190932201@10.7.7.3>
References:  <20070731120013.285EE16A4E1@hub.freebsd.org> <1190942604.00806258.1190932201@10.7.7.3>

wel@skm.net.ua writes:
> I want to count ALL traffic passing through my gateway, but tools such as
> softflowd I don't want to use because there is already ng_netflow and I
> want to use nat from netgraph, may I :)?

> options NETGRAPH
...
> options         NETGRAPH_TCPMSS

You do not need to build it statically. All of them can be loaded as 
modules.

> flow-capture + ng_netflow + this script working fine 
> #ngctl -f /ng_netflow
> #cat /ng_netflow
> mkpeer rl1: tee lower left
> name rl1:lower tee0
> connect rl1: rl1:lower upper right
> mkpeer tee0: one2many left2right many0
> name tee0:left2right one2many0
> connect tee0:  one2many0: right2left many1
> mkpeer one2many0: netflow one iface0
> name one2many0:one netflow
> mkpeer netflow: ksocket export inet/dgram/udp
> msg netflow: setifindex { iface=0 index=2 }
> msg netflow:export connect inet/127.0.0.1:2222

It looks overcomplicated to me. There is no need to use tee and one2many 
there as ng_netflow supports passing traffic via it and supports 
multiple interfaces. It can be connected just to the interface 
upper/lower hooks. If you REALLY wish to count both directions on ALL 
interfaces (and have double traffic accounting) you could connect 
netflow node twice in different directions.

>        /sbin/ipfw add 110 ngtee 30 ip from any to any out via ng*
>        /sbin/ipfw add 111 ngtee 30 ip from any to any in via ng*

If you are using mpd4 to operate ng interfaces then you can just use 
its internal ng_netflow support.

>         /sbin/ipfw add 200 netgraph 71 all from not $LOCAL_NET to
> $EXT_IP out via rl1
>         /sbin/ipfw add 201 netgraph 70 all from $LOCAL_NET to not
> $LOCAL_NET in via rl1

Recheck the IPs in those rules twice. What do you mean by them?

-- 
Alexander Motin
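Added example (editor's note, not part of the thread or of mpd/netgraph
itself): the direct ng_netflow topology Motin refers to, with the netflow
node inserted between the interface's lower and upper hooks and no tee or
one2many nodes. The second function is my reading of his remark about
connecting a netflow node "twice in different directions": two netflow
nodes chained out0-to-out0, so each direction passes through one node's
iface hook and gets accounted once. Interface rl1, ifindex 2 and collector
127.0.0.1:2222 are taken from the quoted script; hook names come from
ng_ether(4) and ng_netflow(4). The apply function is an assumption about
how the script would be fed to ngctl and does nothing where ngctl is absent.

```shell
#!/bin/sh
# Editor's example, not from the thread. Generates ngctl command scripts
# for the simplified ng_netflow setup and optionally feeds them to ngctl.

# One netflow node between <iface>'s lower and upper hooks.
# Packets arriving on iface0 (from the wire) are accounted and passed to
# out0 (towards the stack); packets arriving on out0 are passed back to
# iface0, so only one direction is counted per node.
build_ng_netflow_script() {
    iface=$1      # ng_ether node name, e.g. rl1 (from the quoted script)
    ifindex=$2    # ifindex reported in exported flow records
    collector=$3  # collector address, ksocket form: inet/host:port
    printf '%s\n' \
        "mkpeer ${iface}: netflow lower iface0" \
        "name ${iface}:lower netflow" \
        "connect ${iface}: netflow: upper out0" \
        "mkpeer netflow: ksocket export inet/dgram/udp" \
        "msg netflow: setifindex { iface=0 index=${ifindex} }" \
        "msg netflow:export connect ${collector}"
}

# Both directions on one interface: two netflow nodes chained out0<->out0.
# Inbound traffic hits netflow_in:iface0 (accounted), outbound traffic hits
# netflow_out:iface0 (accounted); the reverse passes are not counted, so
# nothing is double-counted on this interface. Assumption: this is what the
# reply means by connecting the node twice in different directions.
build_ng_netflow_bidir_script() {
    iface=$1
    ifindex=$2
    collector=$3
    printf '%s\n' \
        "mkpeer ${iface}: netflow lower iface0" \
        "name ${iface}:lower netflow_in" \
        "mkpeer netflow_in: netflow out0 out0" \
        "name netflow_in:out0 netflow_out" \
        "connect ${iface}: netflow_out: upper iface0" \
        "mkpeer netflow_in: ksocket export inet/dgram/udp" \
        "mkpeer netflow_out: ksocket export inet/dgram/udp" \
        "msg netflow_in: setifindex { iface=0 index=${ifindex} }" \
        "msg netflow_out: setifindex { iface=0 index=${ifindex} }" \
        "msg netflow_in:export connect ${collector}" \
        "msg netflow_out:export connect ${collector}"
}

# Feed a generated script to ngctl (reads commands from stdin with -f-).
# Skipped, with a message on stderr, on hosts without ngctl.
apply_ng_netflow_script() {
    if command -v ngctl >/dev/null 2>&1; then
        build_ng_netflow_script "$@" | ngctl -f-
    else
        echo "ngctl not found; script generated but not applied" >&2
    fi
}

# Usage (values from the quoted script): print the one-direction script.
build_ng_netflow_script rl1 2 inet/127.0.0.1:2222
```

Before enabling the export socket, check the ifindex with `ifconfig rl1`
so the flow records carry the interface number the collector expects, and
remember that the hook names above assume an ng_ether interface; an mpd4
ng interface is better served by mpd's own netflow support, as the reply says.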



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46FC8D30.7030708>