summaryrefslogtreecommitdiff
path: root/src/conf_mode/flow_accounting_conf.py
diff options
context:
space:
mode:
Diffstat (limited to 'src/conf_mode/flow_accounting_conf.py')
-rwxr-xr-xsrc/conf_mode/flow_accounting_conf.py320
1 files changed, 0 insertions, 320 deletions
diff --git a/src/conf_mode/flow_accounting_conf.py b/src/conf_mode/flow_accounting_conf.py
deleted file mode 100755
index 206f513c8..000000000
--- a/src/conf_mode/flow_accounting_conf.py
+++ /dev/null
@@ -1,320 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2018-2023 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-import os
-import re
-
-from sys import exit
-from ipaddress import ip_address
-
-from vyos.base import Warning
-from vyos.config import Config
-from vyos.config import config_dict_merge
-from vyos.configverify import verify_vrf
-from vyos.ifconfig import Section
-from vyos.template import render
-from vyos.utils.process import call
-from vyos.utils.process import cmd
-from vyos.utils.process import run
-from vyos.utils.network import is_addr_assigned
-from vyos import ConfigError
-from vyos import airbag
-airbag.enable()
-
-uacctd_conf_path = '/run/pmacct/uacctd.conf'
-systemd_service = 'uacctd.service'
-systemd_override = f'/run/systemd/system/{systemd_service}.d/override.conf'
-nftables_nflog_table = 'raw'
-nftables_nflog_chain = 'VYOS_PREROUTING_HOOK'
-egress_nftables_nflog_table = 'inet mangle'
-egress_nftables_nflog_chain = 'FORWARD'
-
-# get nftables rule dict for chain in table
-def _nftables_get_nflog(chain, table):
- # define list with rules
- rules = []
-
- # prepare regex for parsing rules
- rule_pattern = '[io]ifname "(?P<interface>[\w\.\*\-]+)".*handle (?P<handle>[\d]+)'
- rule_re = re.compile(rule_pattern)
-
- # run nftables, save output and split it by lines
- nftables_command = f'nft -a list chain {table} {chain}'
- tmp = cmd(nftables_command, message='Failed to get flows list')
- # parse each line and add information to list
- for current_rule in tmp.splitlines():
- if 'FLOW_ACCOUNTING_RULE' not in current_rule:
- continue
- current_rule_parsed = rule_re.search(current_rule)
- if current_rule_parsed:
- groups = current_rule_parsed.groupdict()
- rules.append({ 'interface': groups["interface"], 'table': table, 'handle': groups["handle"] })
-
- # return list with rules
- return rules
-
-def _nftables_config(configured_ifaces, direction, length=None):
- # define list of nftables commands to modify settings
- nftable_commands = []
- nftables_chain = nftables_nflog_chain
- nftables_table = nftables_nflog_table
-
- if direction == "egress":
- nftables_chain = egress_nftables_nflog_chain
- nftables_table = egress_nftables_nflog_table
-
- # prepare extended list with configured interfaces
- configured_ifaces_extended = []
- for iface in configured_ifaces:
- configured_ifaces_extended.append({ 'iface': iface })
-
- # get currently configured interfaces with nftables rules
- active_nflog_rules = _nftables_get_nflog(nftables_chain, nftables_table)
-
- # compare current active list with configured one and delete excessive interfaces, add missed
- active_nflog_ifaces = []
- for rule in active_nflog_rules:
- interface = rule['interface']
- if interface not in configured_ifaces:
- table = rule['table']
- handle = rule['handle']
- nftable_commands.append(f'nft delete rule {table} {nftables_chain} handle {handle}')
- else:
- active_nflog_ifaces.append({
- 'iface': interface,
- })
-
- # do not create new rules for already configured interfaces
- for iface in active_nflog_ifaces:
- if iface in active_nflog_ifaces and iface in configured_ifaces_extended:
- configured_ifaces_extended.remove(iface)
-
- # create missed rules
- for iface_extended in configured_ifaces_extended:
- iface = iface_extended['iface']
- iface_prefix = "o" if direction == "egress" else "i"
- rule_definition = f'{iface_prefix}ifname "{iface}" counter log group 2 snaplen {length} queue-threshold 100 comment "FLOW_ACCOUNTING_RULE"'
- nftable_commands.append(f'nft insert rule {nftables_table} {nftables_chain} {rule_definition}')
- # Also add IPv6 ingres logging
- if nftables_table == nftables_nflog_table:
- nftable_commands.append(f'nft insert rule ip6 {nftables_table} {nftables_chain} {rule_definition}')
-
- # change nftables
- for command in nftable_commands:
- cmd(command, raising=ConfigError)
-
-
-def _nftables_trigger_setup(operation: str) -> None:
- """Add a dummy rule to unlock the main pmacct loop with a packet-trigger
-
- Args:
- operation (str): 'add' or 'delete' a trigger
- """
- # check if a chain exists
- table_exists = False
- if run('nft -snj list table ip pmacct') == 0:
- table_exists = True
-
- if operation == 'delete' and table_exists:
- nft_cmd: str = 'nft delete table ip pmacct'
- cmd(nft_cmd, raising=ConfigError)
- if operation == 'add' and not table_exists:
- nft_cmds: list[str] = [
- 'nft add table ip pmacct',
- 'nft add chain ip pmacct pmacct_out { type filter hook output priority raw - 50 \\; policy accept \\; }',
- 'nft add rule ip pmacct pmacct_out oif lo ip daddr 127.0.254.0 counter log group 2 snaplen 1 queue-threshold 0 comment NFLOG_TRIGGER'
- ]
- for nft_cmd in nft_cmds:
- cmd(nft_cmd, raising=ConfigError)
-
-
-def get_config(config=None):
- if config:
- conf = config
- else:
- conf = Config()
- base = ['system', 'flow-accounting']
- if not conf.exists(base):
- return None
-
- flow_accounting = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
-
- # We have gathered the dict representation of the CLI, but there are
- # default values which we need to conditionally update into the
- # dictionary retrieved.
- default_values = conf.get_config_defaults(**flow_accounting.kwargs,
- recursive=True)
-
- # delete individual flow type defaults - should only be added if user
- # sets this feature
- for flow_type in ['sflow', 'netflow']:
- if flow_type not in flow_accounting and flow_type in default_values:
- del default_values[flow_type]
-
- flow_accounting = config_dict_merge(default_values, flow_accounting)
-
- return flow_accounting
-
-def verify(flow_config):
- if not flow_config:
- return None
-
- # check if at least one collector is enabled
- if 'sflow' not in flow_config and 'netflow' not in flow_config and 'disable_imt' in flow_config:
- raise ConfigError('You need to configure at least sFlow or NetFlow, ' \
- 'or not set "disable-imt" for flow-accounting!')
-
- # Check if at least one interface is configured
- if 'interface' not in flow_config:
- raise ConfigError('Flow accounting requires at least one interface to ' \
- 'be configured!')
-
- # check that all configured interfaces exists in the system
- for interface in flow_config['interface']:
- if interface not in Section.interfaces():
- # Changed from error to warning to allow adding dynamic interfaces
- # and interface templates
- Warning(f'Interface "{interface}" is not presented in the system')
-
- # check sFlow configuration
- if 'sflow' in flow_config:
- # check if at least one sFlow collector is configured
- if 'server' not in flow_config['sflow']:
- raise ConfigError('You need to configure at least one sFlow server!')
-
- # check that all sFlow collectors use the same IP protocol version
- sflow_collector_ipver = None
- for server in flow_config['sflow']['server']:
- if sflow_collector_ipver:
- if sflow_collector_ipver != ip_address(server).version:
- raise ConfigError("All sFlow servers must use the same IP protocol")
- else:
- sflow_collector_ipver = ip_address(server).version
-
- # check if vrf is defined for Sflow
- verify_vrf(flow_config)
- sflow_vrf = None
- if 'vrf' in flow_config:
- sflow_vrf = flow_config['vrf']
-
- # check agent-id for sFlow: we should avoid mixing IPv4 agent-id with IPv6 collectors and vice-versa
- for server in flow_config['sflow']['server']:
- if 'agent_address' in flow_config['sflow']:
- if ip_address(server).version != ip_address(flow_config['sflow']['agent_address']).version:
- raise ConfigError('IPv4 and IPv6 addresses can not be mixed in "sflow agent-address" and "sflow '\
- 'server". You need to set the same IP version for both "agent-address" and '\
- 'all sFlow servers')
-
- if 'agent_address' in flow_config['sflow']:
- tmp = flow_config['sflow']['agent_address']
- if not is_addr_assigned(tmp, sflow_vrf):
- raise ConfigError(f'Configured "sflow agent-address {tmp}" does not exist in the system!')
-
- # Check if configured sflow source-address exist in the system
- if 'source_address' in flow_config['sflow']:
- if not is_addr_assigned(flow_config['sflow']['source_address'], sflow_vrf):
- tmp = flow_config['sflow']['source_address']
- raise ConfigError(f'Configured "sflow source-address {tmp}" does not exist on the system!')
-
- # check NetFlow configuration
- if 'netflow' in flow_config:
- # check if vrf is defined for netflow
- netflow_vrf = None
- if 'vrf' in flow_config:
- netflow_vrf = flow_config['vrf']
-
- # check if at least one NetFlow collector is configured if NetFlow configuration is presented
- if 'server' not in flow_config['netflow']:
- raise ConfigError('You need to configure at least one NetFlow server!')
-
- # Check if configured netflow source-address exist in the system
- if 'source_address' in flow_config['netflow']:
- if not is_addr_assigned(flow_config['netflow']['source_address'], netflow_vrf):
- tmp = flow_config['netflow']['source_address']
- raise ConfigError(f'Configured "netflow source-address {tmp}" does not exist on the system!')
-
- # Check if engine-id compatible with selected protocol version
- if 'engine_id' in flow_config['netflow']:
- v5_filter = '^(\d|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]):(\d|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5])$'
- v9v10_filter = '^(\d|[1-9]\d{1,8}|[1-3]\d{9}|4[01]\d{8}|42[0-8]\d{7}|429[0-3]\d{6}|4294[0-8]\d{5}|42949[0-5]\d{4}|429496[0-6]\d{3}|4294967[01]\d{2}|42949672[0-8]\d|429496729[0-5])$'
- engine_id = flow_config['netflow']['engine_id']
- version = flow_config['netflow']['version']
-
- if flow_config['netflow']['version'] == '5':
- regex_filter = re.compile(v5_filter)
- if not regex_filter.search(engine_id):
- raise ConfigError(f'You cannot use NetFlow engine-id "{engine_id}" '\
- f'together with NetFlow protocol version "{version}"!')
- else:
- regex_filter = re.compile(v9v10_filter)
- if not regex_filter.search(flow_config['netflow']['engine_id']):
- raise ConfigError(f'Can not use NetFlow engine-id "{engine_id}" together '\
- f'with NetFlow protocol version "{version}"!')
-
- # return True if all checks were passed
- return True
-
-def generate(flow_config):
- if not flow_config:
- return None
-
- render(uacctd_conf_path, 'pmacct/uacctd.conf.j2', flow_config)
- render(systemd_override, 'pmacct/override.conf.j2', flow_config)
- # Reload systemd manager configuration
- call('systemctl daemon-reload')
-
-def apply(flow_config):
- # Check if flow-accounting was removed and define command
- if not flow_config:
- _nftables_config([], 'ingress')
- _nftables_config([], 'egress')
-
- # Stop flow-accounting daemon and remove configuration file
- call(f'systemctl stop {systemd_service}')
- if os.path.exists(uacctd_conf_path):
- os.unlink(uacctd_conf_path)
-
- # must be done after systemctl
- _nftables_trigger_setup('delete')
-
- return
-
- # Start/reload flow-accounting daemon
- call(f'systemctl restart {systemd_service}')
-
- # configure nftables rules for defined interfaces
- if 'interface' in flow_config:
- _nftables_config(flow_config['interface'], 'ingress', flow_config['packet_length'])
-
- # configure egress the same way if configured otherwise remove it
- if 'enable_egress' in flow_config:
- _nftables_config(flow_config['interface'], 'egress', flow_config['packet_length'])
- else:
- _nftables_config([], 'egress')
-
- # add a trigger for signal processing
- _nftables_trigger_setup('add')
-
-
-if __name__ == '__main__':
- try:
- config = get_config()
- verify(config)
- generate(config)
- apply(config)
- except ConfigError as e:
- print(e)
- exit(1)