2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2010-2011 Alexander V. Chernikov <melifaro@ipfw.ru>
5 * Copyright (c) 2004-2005 Gleb Smirnoff <glebius@FreeBSD.org>
6 * Copyright (c) 2001-2003 Roman V. Palagin <romanp@unshadow.net>
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * $SourceForge: netflow.c,v 1.41 2004/09/05 11:41:10 glebius Exp $
33 #include <sys/cdefs.h>
34 __FBSDID("$FreeBSD$");
36 #include "opt_inet6.h"
37 #include "opt_route.h"
38 #include <sys/param.h>
39 #include <sys/bitstring.h>
40 #include <sys/systm.h>
41 #include <sys/counter.h>
42 #include <sys/kernel.h>
44 #include <sys/limits.h>
46 #include <sys/syslog.h>
47 #include <sys/socket.h>
51 #include <net/if_dl.h>
52 #include <net/if_var.h>
53 #include <net/route.h>
54 #include <net/ethernet.h>
55 #include <netinet/in.h>
56 #include <netinet/in_systm.h>
57 #include <netinet/ip.h>
58 #include <netinet/ip6.h>
59 #include <netinet/tcp.h>
60 #include <netinet/udp.h>
62 #include <netgraph/ng_message.h>
63 #include <netgraph/netgraph.h>
65 #include <netgraph/netflow/netflow.h>
66 #include <netgraph/netflow/netflow_v9.h>
67 #include <netgraph/netflow/ng_netflow.h>
69 #define NBUCKETS (65536) /* must be power of 2 */
71 /* This hash is for TCP or UDP packets. */
72 #define FULL_HASH(addr1, addr2, port1, port2) \
73 (((addr1 ^ (addr1 >> 16) ^ \
74 htons(addr2 ^ (addr2 >> 16))) ^ \
75 port1 ^ htons(port2)) & \
78 /* This hash is for all other IP packets. */
79 #define ADDR_HASH(addr1, addr2) \
80 ((addr1 ^ (addr1 >> 16) ^ \
81 htons(addr2 ^ (addr2 >> 16))) & \
84 /* Macros to shorten logical constructions */
85 /* XXX: priv must exist in namespace */
86 #define INACTIVE(fle) (time_uptime - fle->f.last > priv->nfinfo_inact_t)
87 #define AGED(fle) (time_uptime - fle->f.first > priv->nfinfo_act_t)
88 #define ISFREE(fle) (fle->f.packets == 0)
91 * 4 is a magical number: statistically number of 4-packet flows is
92 * bigger than 5,6,7...-packet flows by an order of magnitude. Most UDP/ICMP
93 * scans are 1 packet (~ 90% of flow cache). TCP scans are 2-packet in case
94 * of reachable host and 4-packet otherwise.
96 #define SMALL(fle) (fle->f.packets <= 4)
98 MALLOC_DEFINE(M_NETFLOW_HASH, "netflow_hash", "NetFlow hash");
100 static int export_add(item_p, struct flow_entry *);
101 static int export_send(priv_p, fib_export_p, item_p, int);
103 static int hash_insert(priv_p, struct flow_hash_entry *, struct flow_rec *,
104 int, uint8_t, uint8_t);
106 static int hash6_insert(priv_p, struct flow_hash_entry *, struct flow6_rec *,
107 int, uint8_t, uint8_t);
110 static void expire_flow(priv_p, fib_export_p, struct flow_entry *, int);
113 * Generate hash for a given flow record.
115 * FIB is not used here, because:
116 * most VRFS will carry public IPv4 addresses which are unique even
117 * without FIB private addresses can overlap, but this is worked out
118 * via flow_rec bcmp() containing fib id. In IPv6 world addresses are
119 * all globally unique (it's not fully true, there is FC00::/7 for example,
120 * but chances of address overlap are MUCH smaller)
122 static inline uint32_t
123 ip_hash(struct flow_rec *r)
129 return FULL_HASH(r->r_src.s_addr, r->r_dst.s_addr,
130 r->r_sport, r->r_dport);
132 return ADDR_HASH(r->r_src.s_addr, r->r_dst.s_addr);
137 /* Generate hash for a given flow6 record. Use lower 4 octets from v6 addresses */
138 static inline uint32_t
139 ip6_hash(struct flow6_rec *r)
145 return FULL_HASH(r->src.r_src6.__u6_addr.__u6_addr32[3],
146 r->dst.r_dst6.__u6_addr.__u6_addr32[3], r->r_sport,
149 return ADDR_HASH(r->src.r_src6.__u6_addr.__u6_addr32[3],
150 r->dst.r_dst6.__u6_addr.__u6_addr32[3]);
155 ip6_masklen(struct in6_addr *saddr, struct rt_addrinfo *info)
157 const int nbits = sizeof(*saddr) * NBBY;
160 if (info->rti_addrs & RTA_NETMASK)
161 bit_count((bitstr_t *)saddr, 0, nbits, &mlen);
169 * Detach export datagram from priv, if there is any.
170 * If there is no, allocate a new one.
173 get_export_dgram(priv_p priv, fib_export_p fe)
177 mtx_lock(&fe->export_mtx);
178 if (fe->exp.item != NULL) {
182 mtx_unlock(&fe->export_mtx);
185 struct netflow_v5_export_dgram *dgram;
188 m = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
191 item = ng_package_data(m, NG_NOFLAGS);
194 dgram = mtod(m, struct netflow_v5_export_dgram *);
195 dgram->header.count = 0;
196 dgram->header.version = htons(NETFLOW_V5);
197 dgram->header.pad = 0;
204 * Re-attach incomplete datagram back to priv.
205 * If there is already another one, then send incomplete. */
207 return_export_dgram(priv_p priv, fib_export_p fe, item_p item, int flags)
211 * It may happen on SMP, that some thread has already
212 * put its item there, in this case we bail out and
213 * send what we have to collector.
215 mtx_lock(&fe->export_mtx);
216 if (fe->exp.item == NULL) {
218 mtx_unlock(&fe->export_mtx);
220 mtx_unlock(&fe->export_mtx);
221 export_send(priv, fe, item, flags);
226 * The flow is over. Call export_add() and free it. If datagram is
227 * full, then call export_send().
230 expire_flow(priv_p priv, fib_export_p fe, struct flow_entry *fle, int flags)
232 struct netflow_export_item exp;
233 uint16_t version = fle->f.version;
235 if ((priv->export != NULL) && (version == IPVERSION)) {
236 exp.item = get_export_dgram(priv, fe);
237 if (exp.item == NULL) {
238 priv->nfinfo_export_failed++;
239 if (priv->export9 != NULL)
240 priv->nfinfo_export9_failed++;
241 /* fle definitely contains IPv4 flow. */
242 uma_zfree_arg(priv->zone, fle, priv);
246 if (export_add(exp.item, fle) > 0)
247 export_send(priv, fe, exp.item, flags);
249 return_export_dgram(priv, fe, exp.item, NG_QUEUE);
252 if (priv->export9 != NULL) {
253 exp.item9 = get_export9_dgram(priv, fe, &exp.item9_opt);
254 if (exp.item9 == NULL) {
255 priv->nfinfo_export9_failed++;
256 if (version == IPVERSION)
257 uma_zfree_arg(priv->zone, fle, priv);
259 else if (version == IP6VERSION)
260 uma_zfree_arg(priv->zone6, fle, priv);
263 panic("ng_netflow: Unknown IP proto: %d",
268 if (export9_add(exp.item9, exp.item9_opt, fle) > 0)
269 export9_send(priv, fe, exp.item9, exp.item9_opt, flags);
271 return_export9_dgram(priv, fe, exp.item9,
272 exp.item9_opt, NG_QUEUE);
275 if (version == IPVERSION)
276 uma_zfree_arg(priv->zone, fle, priv);
278 else if (version == IP6VERSION)
279 uma_zfree_arg(priv->zone6, fle, priv);
283 /* Get a snapshot of node statistics */
285 ng_netflow_copyinfo(priv_p priv, struct ng_netflow_info *i)
288 i->nfinfo_bytes = counter_u64_fetch(priv->nfinfo_bytes);
289 i->nfinfo_packets = counter_u64_fetch(priv->nfinfo_packets);
290 i->nfinfo_bytes6 = counter_u64_fetch(priv->nfinfo_bytes6);
291 i->nfinfo_packets6 = counter_u64_fetch(priv->nfinfo_packets6);
292 i->nfinfo_sbytes = counter_u64_fetch(priv->nfinfo_sbytes);
293 i->nfinfo_spackets = counter_u64_fetch(priv->nfinfo_spackets);
294 i->nfinfo_sbytes6 = counter_u64_fetch(priv->nfinfo_sbytes6);
295 i->nfinfo_spackets6 = counter_u64_fetch(priv->nfinfo_spackets6);
296 i->nfinfo_act_exp = counter_u64_fetch(priv->nfinfo_act_exp);
297 i->nfinfo_inact_exp = counter_u64_fetch(priv->nfinfo_inact_exp);
299 i->nfinfo_used = uma_zone_get_cur(priv->zone);
301 i->nfinfo_used6 = uma_zone_get_cur(priv->zone6);
304 i->nfinfo_alloc_failed = priv->nfinfo_alloc_failed;
305 i->nfinfo_export_failed = priv->nfinfo_export_failed;
306 i->nfinfo_export9_failed = priv->nfinfo_export9_failed;
307 i->nfinfo_realloc_mbuf = priv->nfinfo_realloc_mbuf;
308 i->nfinfo_alloc_fibs = priv->nfinfo_alloc_fibs;
309 i->nfinfo_inact_t = priv->nfinfo_inact_t;
310 i->nfinfo_act_t = priv->nfinfo_act_t;
314 * Insert a record into defined slot.
316 * First we get for us a free flow entry, then fill in all
317 * possible fields in it.
319 * TODO: consider dropping hash mutex while filling in datagram,
320 * as this was done in previous version. Need to test & profile
324 hash_insert(priv_p priv, struct flow_hash_entry *hsh, struct flow_rec *r,
325 int plen, uint8_t flags, uint8_t tcp_flags)
327 struct flow_entry *fle;
328 struct sockaddr_in sin, sin_mask;
329 struct sockaddr_dl rt_gateway;
330 struct rt_addrinfo info;
332 mtx_assert(&hsh->mtx, MA_OWNED);
334 fle = uma_zalloc_arg(priv->zone, priv, M_NOWAIT);
336 priv->nfinfo_alloc_failed++;
341 * Now fle is totally ours. It is detached from all lists,
342 * we can safely edit it.
344 fle->f.version = IPVERSION;
345 bcopy(r, &fle->f.r, sizeof(struct flow_rec));
348 fle->f.tcp_flags = tcp_flags;
350 fle->f.first = fle->f.last = time_uptime;
353 * First we do route table lookup on destination address. So we can
354 * fill in out_ifx, dst_mask, nexthop, and dst_as in future releases.
356 if ((flags & NG_NETFLOW_CONF_NODSTLOOKUP) == 0) {
357 bzero(&sin, sizeof(sin));
358 sin.sin_len = sizeof(struct sockaddr_in);
359 sin.sin_family = AF_INET;
360 sin.sin_addr = fle->f.r.r_dst;
362 rt_gateway.sdl_len = sizeof(rt_gateway);
363 sin_mask.sin_len = sizeof(struct sockaddr_in);
364 bzero(&info, sizeof(info));
366 info.rti_info[RTAX_GATEWAY] = (struct sockaddr *)&rt_gateway;
367 info.rti_info[RTAX_NETMASK] = (struct sockaddr *)&sin_mask;
369 if (rib_lookup_info(r->fib, (struct sockaddr *)&sin, NHR_REF, 0,
371 fle->f.fle_o_ifx = info.rti_ifp->if_index;
373 if (info.rti_flags & RTF_GATEWAY &&
374 rt_gateway.sdl_family == AF_INET)
376 ((struct sockaddr_in *)&rt_gateway)->sin_addr;
378 if (info.rti_addrs & RTA_NETMASK)
379 fle->f.dst_mask = bitcount32(sin_mask.sin_addr.s_addr);
380 else if (info.rti_flags & RTF_HOST)
381 /* Give up. We can't determine mask :( */
382 fle->f.dst_mask = 32;
384 rib_free_info(&info);
388 /* Do route lookup on source address, to fill in src_mask. */
389 if ((flags & NG_NETFLOW_CONF_NOSRCLOOKUP) == 0) {
390 bzero(&sin, sizeof(sin));
391 sin.sin_len = sizeof(struct sockaddr_in);
392 sin.sin_family = AF_INET;
393 sin.sin_addr = fle->f.r.r_src;
395 sin_mask.sin_len = sizeof(struct sockaddr_in);
396 bzero(&info, sizeof(info));
398 info.rti_info[RTAX_NETMASK] = (struct sockaddr *)&sin_mask;
400 if (rib_lookup_info(r->fib, (struct sockaddr *)&sin, 0, 0,
402 if (info.rti_addrs & RTA_NETMASK)
404 bitcount32(sin_mask.sin_addr.s_addr);
405 else if (info.rti_flags & RTF_HOST)
406 /* Give up. We can't determine mask :( */
407 fle->f.src_mask = 32;
411 /* Push new flow at the and of hash. */
412 TAILQ_INSERT_TAIL(&hsh->head, fle, fle_hash);
419 hash6_insert(priv_p priv, struct flow_hash_entry *hsh6, struct flow6_rec *r,
420 int plen, uint8_t flags, uint8_t tcp_flags)
422 struct flow6_entry *fle6;
423 struct sockaddr_in6 sin6, sin6_mask;
424 struct sockaddr_dl rt_gateway;
425 struct rt_addrinfo info;
427 mtx_assert(&hsh6->mtx, MA_OWNED);
429 fle6 = uma_zalloc_arg(priv->zone6, priv, M_NOWAIT);
431 priv->nfinfo_alloc_failed++;
436 * Now fle is totally ours. It is detached from all lists,
437 * we can safely edit it.
440 fle6->f.version = IP6VERSION;
441 bcopy(r, &fle6->f.r, sizeof(struct flow6_rec));
442 fle6->f.bytes = plen;
444 fle6->f.tcp_flags = tcp_flags;
446 fle6->f.first = fle6->f.last = time_uptime;
449 * First we do route table lookup on destination address. So we can
450 * fill in out_ifx, dst_mask, nexthop, and dst_as in future releases.
452 if ((flags & NG_NETFLOW_CONF_NODSTLOOKUP) == 0) {
453 bzero(&sin6, sizeof(struct sockaddr_in6));
454 sin6.sin6_len = sizeof(struct sockaddr_in6);
455 sin6.sin6_family = AF_INET6;
456 sin6.sin6_addr = r->dst.r_dst6;
458 rt_gateway.sdl_len = sizeof(rt_gateway);
459 sin6_mask.sin6_len = sizeof(struct sockaddr_in6);
460 bzero(&info, sizeof(info));
462 info.rti_info[RTAX_GATEWAY] = (struct sockaddr *)&rt_gateway;
463 info.rti_info[RTAX_NETMASK] = (struct sockaddr *)&sin6_mask;
465 if (rib_lookup_info(r->fib, (struct sockaddr *)&sin6, NHR_REF,
467 fle6->f.fle_o_ifx = info.rti_ifp->if_index;
469 if (info.rti_flags & RTF_GATEWAY &&
470 rt_gateway.sdl_family == AF_INET6)
471 fle6->f.n.next_hop6 =
472 ((struct sockaddr_in6 *)&rt_gateway)->sin6_addr;
475 ip6_masklen(&sin6_mask.sin6_addr, &info);
477 rib_free_info(&info);
481 if ((flags & NG_NETFLOW_CONF_NOSRCLOOKUP) == 0) {
482 /* Do route lookup on source address, to fill in src_mask. */
483 bzero(&sin6, sizeof(struct sockaddr_in6));
484 sin6.sin6_len = sizeof(struct sockaddr_in6);
485 sin6.sin6_family = AF_INET6;
486 sin6.sin6_addr = r->src.r_src6;
488 sin6_mask.sin6_len = sizeof(struct sockaddr_in6);
489 bzero(&info, sizeof(info));
491 info.rti_info[RTAX_NETMASK] = (struct sockaddr *)&sin6_mask;
493 if (rib_lookup_info(r->fib, (struct sockaddr *)&sin6, 0, 0,
496 ip6_masklen(&sin6_mask.sin6_addr, &info);
499 /* Push new flow at the and of hash. */
500 TAILQ_INSERT_TAIL(&hsh6->head, (struct flow_entry *)fle6, fle_hash);
508 * Non-static functions called from ng_netflow.c
511 /* Allocate memory and set up flow cache */
513 ng_netflow_cache_init(priv_p priv)
515 struct flow_hash_entry *hsh;
518 /* Initialize cache UMA zone. */
519 priv->zone = uma_zcreate("NetFlow IPv4 cache",
520 sizeof(struct flow_entry), NULL, NULL, NULL, NULL,
522 uma_zone_set_max(priv->zone, CACHESIZE);
524 priv->zone6 = uma_zcreate("NetFlow IPv6 cache",
525 sizeof(struct flow6_entry), NULL, NULL, NULL, NULL,
527 uma_zone_set_max(priv->zone6, CACHESIZE);
531 priv->hash = malloc(NBUCKETS * sizeof(struct flow_hash_entry),
532 M_NETFLOW_HASH, M_WAITOK | M_ZERO);
534 /* Initialize hash. */
535 for (i = 0, hsh = priv->hash; i < NBUCKETS; i++, hsh++) {
536 mtx_init(&hsh->mtx, "hash mutex", NULL, MTX_DEF);
537 TAILQ_INIT(&hsh->head);
542 priv->hash6 = malloc(NBUCKETS * sizeof(struct flow_hash_entry),
543 M_NETFLOW_HASH, M_WAITOK | M_ZERO);
545 /* Initialize hash. */
546 for (i = 0, hsh = priv->hash6; i < NBUCKETS; i++, hsh++) {
547 mtx_init(&hsh->mtx, "hash mutex", NULL, MTX_DEF);
548 TAILQ_INIT(&hsh->head);
552 priv->nfinfo_bytes = counter_u64_alloc(M_WAITOK);
553 priv->nfinfo_packets = counter_u64_alloc(M_WAITOK);
554 priv->nfinfo_bytes6 = counter_u64_alloc(M_WAITOK);
555 priv->nfinfo_packets6 = counter_u64_alloc(M_WAITOK);
556 priv->nfinfo_sbytes = counter_u64_alloc(M_WAITOK);
557 priv->nfinfo_spackets = counter_u64_alloc(M_WAITOK);
558 priv->nfinfo_sbytes6 = counter_u64_alloc(M_WAITOK);
559 priv->nfinfo_spackets6 = counter_u64_alloc(M_WAITOK);
560 priv->nfinfo_act_exp = counter_u64_alloc(M_WAITOK);
561 priv->nfinfo_inact_exp = counter_u64_alloc(M_WAITOK);
563 ng_netflow_v9_cache_init(priv);
564 CTR0(KTR_NET, "ng_netflow startup()");
567 /* Initialize new FIB table for v5 and v9 */
569 ng_netflow_fib_init(priv_p priv, int fib)
571 fib_export_p fe = priv_to_fib(priv, fib);
573 CTR1(KTR_NET, "ng_netflow(): fib init: %d", fib);
578 if ((fe = malloc(sizeof(struct fib_export), M_NETGRAPH,
579 M_NOWAIT | M_ZERO)) == NULL)
582 mtx_init(&fe->export_mtx, "export dgram lock", NULL, MTX_DEF);
583 mtx_init(&fe->export9_mtx, "export9 dgram lock", NULL, MTX_DEF);
587 if (atomic_cmpset_ptr((volatile uintptr_t *)&priv->fib_data[fib],
588 (uintptr_t)NULL, (uintptr_t)fe) == 0) {
589 /* FIB already set up by other ISR */
590 CTR3(KTR_NET, "ng_netflow(): fib init: %d setup %p but got %p",
591 fib, fe, priv_to_fib(priv, fib));
592 mtx_destroy(&fe->export_mtx);
593 mtx_destroy(&fe->export9_mtx);
594 free(fe, M_NETGRAPH);
596 /* Increase counter for statistics */
597 CTR3(KTR_NET, "ng_netflow(): fib %d setup to %p (%p)",
598 fib, fe, priv_to_fib(priv, fib));
599 priv->nfinfo_alloc_fibs++;
605 /* Free all flow cache memory. Called from node close method. */
607 ng_netflow_cache_flush(priv_p priv)
609 struct flow_entry *fle, *fle1;
610 struct flow_hash_entry *hsh;
611 struct netflow_export_item exp;
615 bzero(&exp, sizeof(exp));
618 * We are going to free probably billable data.
619 * Expire everything before freeing it.
620 * No locking is required since callout is already drained.
622 for (hsh = priv->hash, i = 0; i < NBUCKETS; hsh++, i++)
623 TAILQ_FOREACH_SAFE(fle, &hsh->head, fle_hash, fle1) {
624 TAILQ_REMOVE(&hsh->head, fle, fle_hash);
625 fe = priv_to_fib(priv, fle->f.r.fib);
626 expire_flow(priv, fe, fle, NG_QUEUE);
629 for (hsh = priv->hash6, i = 0; i < NBUCKETS; hsh++, i++)
630 TAILQ_FOREACH_SAFE(fle, &hsh->head, fle_hash, fle1) {
631 TAILQ_REMOVE(&hsh->head, fle, fle_hash);
632 fe = priv_to_fib(priv, fle->f.r.fib);
633 expire_flow(priv, fe, fle, NG_QUEUE);
637 uma_zdestroy(priv->zone);
638 /* Destroy hash mutexes. */
639 for (i = 0, hsh = priv->hash; i < NBUCKETS; i++, hsh++)
640 mtx_destroy(&hsh->mtx);
642 /* Free hash memory. */
643 if (priv->hash != NULL)
644 free(priv->hash, M_NETFLOW_HASH);
646 uma_zdestroy(priv->zone6);
647 /* Destroy hash mutexes. */
648 for (i = 0, hsh = priv->hash6; i < NBUCKETS; i++, hsh++)
649 mtx_destroy(&hsh->mtx);
651 /* Free hash memory. */
652 if (priv->hash6 != NULL)
653 free(priv->hash6, M_NETFLOW_HASH);
656 for (i = 0; i < priv->maxfibs; i++) {
657 if ((fe = priv_to_fib(priv, i)) == NULL)
660 if (fe->exp.item != NULL)
661 export_send(priv, fe, fe->exp.item, NG_QUEUE);
663 if (fe->exp.item9 != NULL)
664 export9_send(priv, fe, fe->exp.item9,
665 fe->exp.item9_opt, NG_QUEUE);
667 mtx_destroy(&fe->export_mtx);
668 mtx_destroy(&fe->export9_mtx);
669 free(fe, M_NETGRAPH);
672 counter_u64_free(priv->nfinfo_bytes);
673 counter_u64_free(priv->nfinfo_packets);
674 counter_u64_free(priv->nfinfo_bytes6);
675 counter_u64_free(priv->nfinfo_packets6);
676 counter_u64_free(priv->nfinfo_sbytes);
677 counter_u64_free(priv->nfinfo_spackets);
678 counter_u64_free(priv->nfinfo_sbytes6);
679 counter_u64_free(priv->nfinfo_spackets6);
680 counter_u64_free(priv->nfinfo_act_exp);
681 counter_u64_free(priv->nfinfo_inact_exp);
683 ng_netflow_v9_cache_flush(priv);
686 /* Insert packet from into flow cache. */
688 ng_netflow_flow_add(priv_p priv, fib_export_p fe, struct ip *ip,
689 caddr_t upper_ptr, uint8_t upper_proto, uint8_t flags,
690 unsigned int src_if_index)
692 struct flow_entry *fle, *fle1;
693 struct flow_hash_entry *hsh;
698 uint8_t tcp_flags = 0;
700 bzero(&r, sizeof(r));
702 if (ip->ip_v != IPVERSION)
705 hlen = ip->ip_hl << 2;
706 if (hlen < sizeof(struct ip))
709 eproto = ETHERTYPE_IP;
710 /* Assume L4 template by default */
711 r.flow_type = NETFLOW_V9_FLOW_V4_L4;
713 r.r_src = ip->ip_src;
714 r.r_dst = ip->ip_dst;
717 plen = ntohs(ip->ip_len);
720 r.r_tos = ip->ip_tos;
722 r.r_i_ifx = src_if_index;
725 * XXX NOTE: only first fragment of fragmented TCP, UDP and
726 * ICMP packet will be recorded with proper s_port and d_port.
727 * Following fragments will be recorded simply as IP packet with
728 * ip_proto = ip->ip_p and s_port, d_port set to zero.
729 * I know, it looks like bug. But I don't want to re-implement
730 * ip packet assebmling here. Anyway, (in)famous trafd works this way -
731 * and nobody complains yet :)
733 if ((ip->ip_off & htons(IP_OFFMASK)) == 0)
739 tcp = (struct tcphdr *)((caddr_t )ip + hlen);
740 r.r_sport = tcp->th_sport;
741 r.r_dport = tcp->th_dport;
742 tcp_flags = tcp->th_flags;
746 r.r_ports = *(uint32_t *)((caddr_t )ip + hlen);
750 counter_u64_add(priv->nfinfo_packets, 1);
751 counter_u64_add(priv->nfinfo_bytes, plen);
753 /* Find hash slot. */
754 hsh = &priv->hash[ip_hash(&r)];
759 * Go through hash and find our entry. If we encounter an
760 * entry, that should be expired, purge it. We do a reverse
761 * search since most active entries are first, and most
762 * searches are done on most active entries.
764 TAILQ_FOREACH_REVERSE_SAFE(fle, &hsh->head, fhead, fle_hash, fle1) {
765 if (bcmp(&r, &fle->f.r, sizeof(struct flow_rec)) == 0)
767 if ((INACTIVE(fle) && SMALL(fle)) || AGED(fle)) {
768 TAILQ_REMOVE(&hsh->head, fle, fle_hash);
769 expire_flow(priv, priv_to_fib(priv, fle->f.r.fib),
771 counter_u64_add(priv->nfinfo_act_exp, 1);
775 if (fle) { /* An existent entry. */
777 fle->f.bytes += plen;
779 fle->f.tcp_flags |= tcp_flags;
780 fle->f.last = time_uptime;
783 * We have the following reasons to expire flow in active way:
784 * - it hit active timeout
785 * - a TCP connection closed
786 * - it is going to overflow counter
788 if (tcp_flags & TH_FIN || tcp_flags & TH_RST || AGED(fle) ||
789 (fle->f.bytes >= (CNTR_MAX - IF_MAXMTU)) ) {
790 TAILQ_REMOVE(&hsh->head, fle, fle_hash);
791 expire_flow(priv, priv_to_fib(priv, fle->f.r.fib),
793 counter_u64_add(priv->nfinfo_act_exp, 1);
796 * It is the newest, move it to the tail,
797 * if it isn't there already. Next search will
800 if (fle != TAILQ_LAST(&hsh->head, fhead)) {
801 TAILQ_REMOVE(&hsh->head, fle, fle_hash);
802 TAILQ_INSERT_TAIL(&hsh->head, fle, fle_hash);
805 } else /* A new flow entry. */
806 error = hash_insert(priv, hsh, &r, plen, flags, tcp_flags);
808 mtx_unlock(&hsh->mtx);
814 /* Insert IPv6 packet from into flow cache. */
816 ng_netflow_flow6_add(priv_p priv, fib_export_p fe, struct ip6_hdr *ip6,
817 caddr_t upper_ptr, uint8_t upper_proto, uint8_t flags,
818 unsigned int src_if_index)
820 struct flow_entry *fle = NULL, *fle1;
821 struct flow6_entry *fle6;
822 struct flow_hash_entry *hsh;
826 uint8_t tcp_flags = 0;
829 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION)
832 bzero(&r, sizeof(r));
834 r.src.r_src6 = ip6->ip6_src;
835 r.dst.r_dst6 = ip6->ip6_dst;
838 /* Assume L4 template by default */
839 r.flow_type = NETFLOW_V9_FLOW_V6_L4;
841 plen = ntohs(ip6->ip6_plen) + sizeof(struct ip6_hdr);
844 /* XXX: set DSCP/CoS value */
845 r.r_tos = ip->ip_tos;
847 if ((flags & NG_NETFLOW_IS_FRAG) == 0) {
848 switch(upper_proto) {
853 tcp = (struct tcphdr *)upper_ptr;
854 r.r_ports = *(uint32_t *)upper_ptr;
855 tcp_flags = tcp->th_flags;
860 r.r_ports = *(uint32_t *)upper_ptr;
865 r.r_ip_p = upper_proto;
866 r.r_i_ifx = src_if_index;
868 counter_u64_add(priv->nfinfo_packets6, 1);
869 counter_u64_add(priv->nfinfo_bytes6, plen);
871 /* Find hash slot. */
872 hsh = &priv->hash6[ip6_hash(&r)];
877 * Go through hash and find our entry. If we encounter an
878 * entry, that should be expired, purge it. We do a reverse
879 * search since most active entries are first, and most
880 * searches are done on most active entries.
882 TAILQ_FOREACH_REVERSE_SAFE(fle, &hsh->head, fhead, fle_hash, fle1) {
883 if (fle->f.version != IP6VERSION)
885 fle6 = (struct flow6_entry *)fle;
886 if (bcmp(&r, &fle6->f.r, sizeof(struct flow6_rec)) == 0)
888 if ((INACTIVE(fle6) && SMALL(fle6)) || AGED(fle6)) {
889 TAILQ_REMOVE(&hsh->head, fle, fle_hash);
890 expire_flow(priv, priv_to_fib(priv, fle->f.r.fib), fle,
892 counter_u64_add(priv->nfinfo_act_exp, 1);
896 if (fle != NULL) { /* An existent entry. */
897 fle6 = (struct flow6_entry *)fle;
899 fle6->f.bytes += plen;
901 fle6->f.tcp_flags |= tcp_flags;
902 fle6->f.last = time_uptime;
905 * We have the following reasons to expire flow in active way:
906 * - it hit active timeout
907 * - a TCP connection closed
908 * - it is going to overflow counter
910 if (tcp_flags & TH_FIN || tcp_flags & TH_RST || AGED(fle6) ||
911 (fle6->f.bytes >= (CNTR_MAX - IF_MAXMTU)) ) {
912 TAILQ_REMOVE(&hsh->head, fle, fle_hash);
913 expire_flow(priv, priv_to_fib(priv, fle->f.r.fib), fle,
915 counter_u64_add(priv->nfinfo_act_exp, 1);
918 * It is the newest, move it to the tail,
919 * if it isn't there already. Next search will
922 if (fle != TAILQ_LAST(&hsh->head, fhead)) {
923 TAILQ_REMOVE(&hsh->head, fle, fle_hash);
924 TAILQ_INSERT_TAIL(&hsh->head, fle, fle_hash);
927 } else /* A new flow entry. */
928 error = hash6_insert(priv, hsh, &r, plen, flags, tcp_flags);
930 mtx_unlock(&hsh->mtx);
937 * Return records from cache to userland.
939 * TODO: matching particular IP should be done in kernel, here.
942 ng_netflow_flow_show(priv_p priv, struct ngnf_show_header *req,
943 struct ngnf_show_header *resp)
945 struct flow_hash_entry *hsh;
946 struct flow_entry *fle;
947 struct flow_entry_data *data = (struct flow_entry_data *)(resp + 1);
949 struct flow6_entry_data *data6 = (struct flow6_entry_data *)(resp + 1);
958 if (req->version == 6) {
960 hsh = priv->hash6 + i;
964 if (req->version == 4) {
966 hsh = priv->hash + i;
972 * We will transfer not more than NREC_AT_ONCE. More data
973 * will come in next message.
974 * We send current hash index and current record number in list
975 * to userland, and userland should return it back to us.
976 * Then, we will restart with new entry.
978 * The resulting cache snapshot can be inaccurate if flow expiration
979 * is taking place on hash item between userland data requests for
983 for (; i < NBUCKETS; hsh++, i++) {
986 if (mtx_trylock(&hsh->mtx) == 0) {
988 * Requested hash index is not available,
989 * relay decision to skip or re-request data
998 TAILQ_FOREACH(fle, &hsh->head, fle_hash) {
999 if (hsh->mtx.mtx_lock & MTX_CONTESTED) {
1001 resp->list_id = list_id;
1002 mtx_unlock(&hsh->mtx);
1007 /* Search for particular record in list. */
1008 if (req->list_id > 0) {
1009 if (list_id < req->list_id)
1012 /* Requested list position found. */
1016 if (req->version == 6) {
1017 struct flow6_entry *fle6;
1019 fle6 = (struct flow6_entry *)fle;
1020 bcopy(&fle6->f, data6 + resp->nentries,
1024 bcopy(&fle->f, data + resp->nentries,
1027 if (resp->nentries == max) {
1030 * If it was the last item in list
1031 * we simply skip to next hash_id.
1033 resp->list_id = list_id + 1;
1034 mtx_unlock(&hsh->mtx);
1038 mtx_unlock(&hsh->mtx);
1041 resp->hash_id = resp->list_id = 0;
1046 /* We have full datagram in privdata. Send it to export hook. */
1048 export_send(priv_p priv, fib_export_p fe, item_p item, int flags)
1050 struct mbuf *m = NGI_M(item);
1051 struct netflow_v5_export_dgram *dgram = mtod(m,
1052 struct netflow_v5_export_dgram *);
1053 struct netflow_v5_header *header = &dgram->header;
1057 /* Fill mbuf header. */
1058 m->m_len = m->m_pkthdr.len = sizeof(struct netflow_v5_record) *
1059 header->count + sizeof(struct netflow_v5_header);
1061 /* Fill export header. */
1062 header->sys_uptime = htonl(MILLIUPTIME(time_uptime));
1064 header->unix_secs = htonl(ts.tv_sec);
1065 header->unix_nsecs = htonl(ts.tv_nsec);
1066 header->engine_type = 0;
1067 header->engine_id = fe->domain_id;
1069 header->flow_seq = htonl(atomic_fetchadd_32(&fe->flow_seq,
1071 header->count = htons(header->count);
1073 if (priv->export != NULL)
1074 NG_FWD_ITEM_HOOK_FLAGS(error, item, priv->export, flags);
1082 /* Add export record to dgram. */
1084 export_add(item_p item, struct flow_entry *fle)
1086 struct netflow_v5_export_dgram *dgram = mtod(NGI_M(item),
1087 struct netflow_v5_export_dgram *);
1088 struct netflow_v5_header *header = &dgram->header;
1089 struct netflow_v5_record *rec;
1091 rec = &dgram->r[header->count];
1094 KASSERT(header->count <= NETFLOW_V5_MAX_RECORDS,
1095 ("ng_netflow: export too big"));
1097 /* Fill in export record. */
1098 rec->src_addr = fle->f.r.r_src.s_addr;
1099 rec->dst_addr = fle->f.r.r_dst.s_addr;
1100 rec->next_hop = fle->f.next_hop.s_addr;
1101 rec->i_ifx = htons(fle->f.fle_i_ifx);
1102 rec->o_ifx = htons(fle->f.fle_o_ifx);
1103 rec->packets = htonl(fle->f.packets);
1104 rec->octets = htonl(fle->f.bytes);
1105 rec->first = htonl(MILLIUPTIME(fle->f.first));
1106 rec->last = htonl(MILLIUPTIME(fle->f.last));
1107 rec->s_port = fle->f.r.r_sport;
1108 rec->d_port = fle->f.r.r_dport;
1109 rec->flags = fle->f.tcp_flags;
1110 rec->prot = fle->f.r.r_ip_p;
1111 rec->tos = fle->f.r.r_tos;
1112 rec->dst_mask = fle->f.dst_mask;
1113 rec->src_mask = fle->f.src_mask;
1117 /* Not supported fields. */
1118 rec->src_as = rec->dst_as = 0;
1120 if (header->count == NETFLOW_V5_MAX_RECORDS)
1121 return (1); /* end of datagram */
1126 /* Periodic flow expiry run. */
1128 ng_netflow_expire(void *arg)
1130 struct flow_entry *fle, *fle1;
1131 struct flow_hash_entry *hsh;
1132 priv_p priv = (priv_p )arg;
1136 * Going through all the cache.
1138 used = uma_zone_get_cur(priv->zone);
1139 for (hsh = priv->hash, i = 0; i < NBUCKETS; hsh++, i++) {
1141 * Skip entries, that are already being worked on.
1143 if (mtx_trylock(&hsh->mtx) == 0)
1146 TAILQ_FOREACH_SAFE(fle, &hsh->head, fle_hash, fle1) {
1148 * Interrupt thread wants this entry!
1149 * Quick! Quick! Bail out!
1151 if (hsh->mtx.mtx_lock & MTX_CONTESTED)
1155 * Don't expire aggressively while hash collision
1156 * ratio is predicted small.
1158 if (used <= (NBUCKETS*2) && !INACTIVE(fle))
1161 if ((INACTIVE(fle) && (SMALL(fle) ||
1162 (used > (NBUCKETS*2)))) || AGED(fle)) {
1163 TAILQ_REMOVE(&hsh->head, fle, fle_hash);
1164 expire_flow(priv, priv_to_fib(priv,
1165 fle->f.r.fib), fle, NG_NOFLAGS);
1167 counter_u64_add(priv->nfinfo_inact_exp, 1);
1170 mtx_unlock(&hsh->mtx);
1174 used = uma_zone_get_cur(priv->zone6);
1175 for (hsh = priv->hash6, i = 0; i < NBUCKETS; hsh++, i++) {
1176 struct flow6_entry *fle6;
1179 * Skip entries, that are already being worked on.
1181 if (mtx_trylock(&hsh->mtx) == 0)
1184 TAILQ_FOREACH_SAFE(fle, &hsh->head, fle_hash, fle1) {
1185 fle6 = (struct flow6_entry *)fle;
1187 * Interrupt thread wants this entry!
1188 * Quick! Quick! Bail out!
1190 if (hsh->mtx.mtx_lock & MTX_CONTESTED)
1194 * Don't expire aggressively while hash collision
1195 * ratio is predicted small.
1197 if (used <= (NBUCKETS*2) && !INACTIVE(fle6))
1200 if ((INACTIVE(fle6) && (SMALL(fle6) ||
1201 (used > (NBUCKETS*2)))) || AGED(fle6)) {
1202 TAILQ_REMOVE(&hsh->head, fle, fle_hash);
1203 expire_flow(priv, priv_to_fib(priv,
1204 fle->f.r.fib), fle, NG_NOFLAGS);
1206 counter_u64_add(priv->nfinfo_inact_exp, 1);
1209 mtx_unlock(&hsh->mtx);
1213 /* Schedule next expire. */
1214 callout_reset(&priv->exp_callout, (1*hz), &ng_netflow_expire,
projects / FreeBSD / FreeBSD.git / blob