2 * Copyright (c) 2004-2005 Gleb Smirnoff <glebius@FreeBSD.org>
3 * Copyright (c) 2001-2003 Roman V. Palagin <romanp@unshadow.net>
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * $SourceForge: ng_netflow.c,v 1.30 2004/09/05 11:37:43 glebius Exp $
30 static const char rcs_id[] =
33 #include <sys/param.h>
34 #include <sys/systm.h>
35 #include <sys/kernel.h>
37 #include <sys/socket.h>
38 #include <sys/syslog.h>
39 #include <sys/ctype.h>
42 #include <net/ethernet.h>
43 #include <net/if_arp.h>
44 #include <net/if_var.h>
46 #include <netinet/in.h>
47 #include <netinet/in_systm.h>
48 #include <netinet/ip.h>
49 #include <netinet/tcp.h>
50 #include <netinet/udp.h>
52 #include <netgraph/ng_message.h>
53 #include <netgraph/ng_parse.h>
54 #include <netgraph/netgraph.h>
55 #include <netgraph/netflow/netflow.h>
56 #include <netgraph/netflow/ng_netflow.h>
58 /* Netgraph methods */
59 static ng_constructor_t ng_netflow_constructor;
60 static ng_rcvmsg_t ng_netflow_rcvmsg;
61 static ng_close_t ng_netflow_close;
62 static ng_shutdown_t ng_netflow_rmnode;
63 static ng_newhook_t ng_netflow_newhook;
64 static ng_rcvdata_t ng_netflow_rcvdata;
65 static ng_disconnect_t ng_netflow_disconnect;
67 /* Parse type for struct ng_netflow_info */
68 static const struct ng_parse_struct_field ng_netflow_info_type_fields[]
69 = NG_NETFLOW_INFO_TYPE;
70 static const struct ng_parse_type ng_netflow_info_type = {
71 &ng_parse_struct_type,
72 &ng_netflow_info_type_fields
75 /* Parse type for struct ng_netflow_ifinfo */
76 static const struct ng_parse_struct_field ng_netflow_ifinfo_type_fields[]
77 = NG_NETFLOW_IFINFO_TYPE;
78 static const struct ng_parse_type ng_netflow_ifinfo_type = {
79 &ng_parse_struct_type,
80 &ng_netflow_ifinfo_type_fields
83 /* Parse type for struct ng_netflow_setdlt */
84 static const struct ng_parse_struct_field ng_netflow_setdlt_type_fields[]
85 = NG_NETFLOW_SETDLT_TYPE;
86 static const struct ng_parse_type ng_netflow_setdlt_type = {
87 &ng_parse_struct_type,
88 &ng_netflow_setdlt_type_fields
91 /* Parse type for ng_netflow_setifindex */
92 static const struct ng_parse_struct_field ng_netflow_setifindex_type_fields[]
93 = NG_NETFLOW_SETIFINDEX_TYPE;
94 static const struct ng_parse_type ng_netflow_setifindex_type = {
95 &ng_parse_struct_type,
96 &ng_netflow_setifindex_type_fields
99 /* Parse type for ng_netflow_settimeouts */
100 static const struct ng_parse_struct_field ng_netflow_settimeouts_type_fields[]
101 = NG_NETFLOW_SETTIMEOUTS_TYPE;
102 static const struct ng_parse_type ng_netflow_settimeouts_type = {
103 &ng_parse_struct_type,
104 &ng_netflow_settimeouts_type_fields
107 /* List of commands and how to convert arguments to/from ASCII */
108 static const struct ng_cmdlist ng_netflow_cmds[] = {
114 &ng_netflow_info_type
120 &ng_parse_uint16_type,
121 &ng_netflow_ifinfo_type
127 &ng_netflow_setdlt_type,
132 NGM_NETFLOW_SETIFINDEX,
134 &ng_netflow_setifindex_type,
139 NGM_NETFLOW_SETTIMEOUTS,
141 &ng_netflow_settimeouts_type,
148 /* Netgraph node type descriptor */
149 static struct ng_type ng_netflow_typestruct = {
150 .version = NG_ABI_VERSION,
151 .name = NG_NETFLOW_NODE_TYPE,
152 .constructor = ng_netflow_constructor,
153 .rcvmsg = ng_netflow_rcvmsg,
154 .close = ng_netflow_close,
155 .shutdown = ng_netflow_rmnode,
156 .newhook = ng_netflow_newhook,
157 .rcvdata = ng_netflow_rcvdata,
158 .disconnect = ng_netflow_disconnect,
159 .cmdlist = ng_netflow_cmds,
161 NETGRAPH_INIT(netflow, &ng_netflow_typestruct);
163 /* Called at node creation */
165 ng_netflow_constructor(node_p node)
170 /* Initialize private data */
171 MALLOC(priv, priv_p, sizeof(*priv), M_NETGRAPH, M_NOWAIT);
174 bzero(priv, sizeof(*priv));
176 /* Make node and its data point at each other */
177 NG_NODE_SET_PRIVATE(node, priv);
180 /* Initialize timeouts to default values */
181 priv->info.nfinfo_inact_t = INACTIVE_TIMEOUT;
182 priv->info.nfinfo_act_t = ACTIVE_TIMEOUT;
184 /* Initialize callout handle */
185 callout_init(&priv->exp_callout, 1);
187 /* Allocate memory and set up flow cache */
188 if ((error = ng_netflow_cache_init(priv)))
195 * ng_netflow supports two hooks: data and export.
196 * Incoming traffic is expected on data, and expired
197 * netflow datagrams are sent to export.
200 ng_netflow_newhook(node_p node, hook_p hook, const char *name)
202 const priv_p priv = NG_NODE_PRIVATE(node);
204 if (strncmp(name, NG_NETFLOW_HOOK_DATA, /* an iface hook? */
205 strlen(NG_NETFLOW_HOOK_DATA)) == 0) {
211 cp = name + strlen(NG_NETFLOW_HOOK_DATA);
212 if (!isdigit(*cp) || (cp[0] == '0' && cp[1] != '\0'))
215 ifnum = (int)strtoul(cp, &eptr, 10);
216 if (*eptr != '\0' || ifnum < 0 || ifnum >= NG_NETFLOW_MAXIFACES)
219 /* See if hook is already connected */
220 if (priv->ifaces[ifnum].hook != NULL)
223 iface = &priv->ifaces[ifnum];
225 /* Link private info and hook together */
226 NG_HOOK_SET_PRIVATE(hook, iface);
230 * In most cases traffic accounting is done on an
231 * Ethernet interface, so default data link type
232 * will be DLT_EN10MB.
234 iface->info.ifinfo_dlt = DLT_EN10MB;
236 } else if (strncmp(name, NG_NETFLOW_HOOK_OUT,
237 strlen(NG_NETFLOW_HOOK_OUT)) == 0) {
243 cp = name + strlen(NG_NETFLOW_HOOK_OUT);
244 if (!isdigit(*cp) || (cp[0] == '0' && cp[1] != '\0'))
247 ifnum = (int)strtoul(cp, &eptr, 10);
248 if (*eptr != '\0' || ifnum < 0 || ifnum >= NG_NETFLOW_MAXIFACES)
251 /* See if hook is already connected */
252 if (priv->ifaces[ifnum].out != NULL)
255 iface = &priv->ifaces[ifnum];
257 /* Link private info and hook together */
258 NG_HOOK_SET_PRIVATE(hook, iface);
261 } else if (strcmp(name, NG_NETFLOW_HOOK_EXPORT) == 0) {
263 if (priv->export != NULL)
268 #if 0 /* TODO: profile & test first */
270 * We send export dgrams in interrupt handlers and in
271 * callout threads. We'd better queue data for later
272 * netgraph ISR processing.
274 NG_HOOK_FORCE_QUEUE(NG_HOOK_PEER(hook));
277 /* Exporter is ready. Let's schedule expiry. */
278 callout_reset(&priv->exp_callout, (1*hz), &ng_netflow_expire,
286 /* Get a netgraph control message. */
288 ng_netflow_rcvmsg (node_p node, item_p item, hook_p lasthook)
290 const priv_p priv = NG_NODE_PRIVATE(node);
291 struct ng_mesg *resp = NULL;
295 NGI_GET_MSG(item, msg);
297 /* Deal with message according to cookie and command */
298 switch (msg->header.typecookie) {
299 case NGM_NETFLOW_COOKIE:
300 switch (msg->header.cmd) {
301 case NGM_NETFLOW_INFO:
303 struct ng_netflow_info *i;
305 NG_MKRESPONSE(resp, msg, sizeof(struct ng_netflow_info),
307 i = (struct ng_netflow_info *)resp->data;
308 ng_netflow_copyinfo(priv, i);
312 case NGM_NETFLOW_IFINFO:
314 struct ng_netflow_ifinfo *i;
315 const uint16_t *index;
317 if (msg->header.arglen != sizeof(uint16_t))
320 index = (uint16_t *)msg->data;
321 if (*index >= NG_NETFLOW_MAXIFACES)
324 /* connected iface? */
325 if (priv->ifaces[*index].hook == NULL)
328 NG_MKRESPONSE(resp, msg,
329 sizeof(struct ng_netflow_ifinfo), M_NOWAIT);
330 i = (struct ng_netflow_ifinfo *)resp->data;
331 memcpy((void *)i, (void *)&priv->ifaces[*index].info,
332 sizeof(priv->ifaces[*index].info));
336 case NGM_NETFLOW_SETDLT:
338 struct ng_netflow_setdlt *set;
339 struct ng_netflow_iface *iface;
341 if (msg->header.arglen != sizeof(struct ng_netflow_setdlt))
344 set = (struct ng_netflow_setdlt *)msg->data;
345 if (set->iface >= NG_NETFLOW_MAXIFACES)
347 iface = &priv->ifaces[set->iface];
349 /* connected iface? */
350 if (iface->hook == NULL)
355 iface->info.ifinfo_dlt = DLT_EN10MB;
358 iface->info.ifinfo_dlt = DLT_RAW;
365 case NGM_NETFLOW_SETIFINDEX:
367 struct ng_netflow_setifindex *set;
368 struct ng_netflow_iface *iface;
370 if (msg->header.arglen != sizeof(struct ng_netflow_setifindex))
373 set = (struct ng_netflow_setifindex *)msg->data;
374 if (set->iface >= NG_NETFLOW_MAXIFACES)
376 iface = &priv->ifaces[set->iface];
378 /* connected iface? */
379 if (iface->hook == NULL)
382 iface->info.ifinfo_index = set->index;
386 case NGM_NETFLOW_SETTIMEOUTS:
388 struct ng_netflow_settimeouts *set;
390 if (msg->header.arglen != sizeof(struct ng_netflow_settimeouts))
393 set = (struct ng_netflow_settimeouts *)msg->data;
395 priv->info.nfinfo_inact_t = set->inactive_timeout;
396 priv->info.nfinfo_act_t = set->active_timeout;
400 case NGM_NETFLOW_SHOW:
404 if (msg->header.arglen != sizeof(uint32_t))
407 last = (uint32_t *)msg->data;
409 NG_MKRESPONSE(resp, msg, NGRESP_SIZE, M_NOWAIT);
414 error = ng_netflow_flow_show(priv, *last, resp);
419 ERROUT(EINVAL); /* unknown command */
424 ERROUT(EINVAL); /* incorrect cookie */
429 * Take care of synchronous response, if any.
430 * Free memory and return.
433 NG_RESPOND_MSG(error, node, item, resp);
439 /* Receive data on hook. */
441 ng_netflow_rcvdata (hook_p hook, item_p item)
443 const node_p node = NG_HOOK_NODE(hook);
444 const priv_p priv = NG_NODE_PRIVATE(node);
445 const iface_p iface = NG_HOOK_PRIVATE(hook);
446 struct mbuf *m = NULL;
451 if (hook == priv->export) {
453 * Data arrived on export hook.
454 * This must not happen.
456 log(LOG_ERR, "ng_netflow: incoming data on export hook!\n");
460 if (hook == iface->out) {
462 * Data arrived on out hook. Bypass it.
464 if (iface->hook == NULL)
467 NG_FWD_ITEM_HOOK(error, item, iface->hook);
473 /* Increase counters. */
474 iface->info.ifinfo_packets++;
477 * Depending on interface data link type and packet contents
478 * we pullup enough data, so that ng_netflow_flow_add() does not
479 * need to know about mbuf at all. We keep current length of data
480 * needed to be contiguous in pullup_len. mtod() is done at the
481 * very end one more time, since m can had changed after pulluping.
483 * In case of unrecognized data we don't return error, but just
484 * pass data to downstream hook, if it is available.
487 #define M_CHECK(length) do { \
488 pullup_len += length; \
489 if ((m)->m_pkthdr.len < (pullup_len)) { \
493 if ((m)->m_len < (pullup_len) && \
494 (((m) = m_pullup((m),(pullup_len))) == NULL)) { \
500 switch (iface->info.ifinfo_dlt) {
501 case DLT_EN10MB: /* Ethernet */
503 struct ether_header *eh;
506 M_CHECK(sizeof(struct ether_header));
507 eh = mtod(m, struct ether_header *);
509 /* Make sure this is IP frame. */
510 etype = ntohs(eh->ether_type);
513 M_CHECK(sizeof(struct ip));
514 eh = mtod(m, struct ether_header *);
515 ip = (struct ip *)(eh + 1);
518 goto bypass; /* pass this frame */
522 case DLT_RAW: /* IP packets */
523 M_CHECK(sizeof(struct ip));
524 ip = mtod(m, struct ip *);
531 if ((ip->ip_off & htons(IP_OFFMASK)) == 0) {
533 * In case of IP header with options, we haven't pulled
536 pullup_len += (ip->ip_hl << 2) - sizeof(struct ip);
540 M_CHECK(sizeof(struct tcphdr));
543 M_CHECK(sizeof(struct udphdr));
548 switch (iface->info.ifinfo_dlt) {
551 struct ether_header *eh;
553 eh = mtod(m, struct ether_header *);
554 ip = (struct ip *)(eh + 1);
558 ip = mtod(m, struct ip *);
561 panic("ng_netflow entered deadcode");
566 error = ng_netflow_flow_add(priv, ip, iface, m->m_pkthdr.rcvif);
569 if (iface->out != NULL) {
570 /* XXX: error gets overwritten here */
571 NG_FWD_NEW_DATA(error, item, iface->out, m);
583 /* We will be shut down in a moment */
585 ng_netflow_close(node_p node)
587 const priv_p priv = NG_NODE_PRIVATE(node);
589 callout_drain(&priv->exp_callout);
590 ng_netflow_cache_flush(priv);
595 /* Do local shutdown processing. */
597 ng_netflow_rmnode(node_p node)
599 const priv_p priv = NG_NODE_PRIVATE(node);
601 NG_NODE_SET_PRIVATE(node, NULL);
602 NG_NODE_UNREF(priv->node);
604 FREE(priv, M_NETGRAPH);
609 /* Hook disconnection. */
611 ng_netflow_disconnect(hook_p hook)
613 node_p node = NG_HOOK_NODE(hook);
614 priv_p priv = NG_NODE_PRIVATE(node);
615 iface_p iface = NG_HOOK_PRIVATE(hook);
618 if (iface->hook == hook)
620 if (iface->out == hook)
624 /* if export hook disconnected stop running expire(). */
625 if (hook == priv->export) {
626 callout_drain(&priv->exp_callout);
630 /* Removal of the last link destroys the node. */
631 if (NG_NODE_NUMHOOKS(node) == 0)
632 ng_rmnode_self(node);