summaryrefslogtreecommitdiff
path: root/src/conf_mode/flow_accounting_conf.py
AgeCommit message (Collapse)Author
2023-10-12pmacct: T5232: Fixed pmacct service control via systemctlzsdc
pmacct daemons have one very important specific - they handle control signals in the same loop as packets. And packets waiting is blocking operation. Because of this, when systemctl sends SIGTERM to uacctd, this signal has no effect until uacct receives at least one packet via nflog. In some cases, this leads to a 90-second timeout, sending SIGKILL, and improperly finished tasks. As a result, a working folder is not cleaned properly. This commit contains several changes to fix service issues: - add a new nftables table for pmacct with a single rule to get the ability to send a packet to nflog and unlock uacctd - remove PID file options from the uacctd and a systemd service file. Systemd can detect proper PID, and PIDfile is created by uacctd too late, which leads to extra errors in systemd logs - KillMode changed to mixed. Without this, SIGTERM is sent to all plugins and the core process exits with status 1 because it loses connection to plugins too early. As a result, we have errors in logs, and the systemd service is in a failed state. - added logging to uacctd - systemctl service modified to send packets to specific address during a service stop which unlocks uacctd and allows systemctl to finish its work properly
2023-09-16conntrack: T5571: Refactor conntrack to be independent conf script from ↵sarthurdev
firewall, nat, nat66
2023-08-07T5319: remove workarounds for defaults in flow_accounting_conf.pyJohn Estabrook
2023-08-06T5195: move helpers from vyos.validate to vyos.utils packageChristian Breunig
2023-07-14T5195: vyos.util -> vyos.utils package refactoring (#2093)Christian Breunig
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process * T5195: use read_file and write_file implementation from vyos.utils.file Changed code automatically using: find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} + find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} + * T5195: move chmod* helpers to vyos.utils.permission * T5195: use colon_separated_to_dict from vyos.utils.dict * T5195: move is_systemd_service_* to vyos.utils.process * T5195: fix boot issues with missing imports * T5195: move dict_search_* helpers to vyos.utils.dict * T5195: move network helpers to vyos.utils.network * T5195: move commit_* helpers to vyos.utils.commit * T5195: move user I/O helpers to vyos.utils.io
2023-06-03T5257: add verify_vrf() check for flow-accountingChristian Breunig
2023-06-03T5257: import cleanup for flow-accountingChristian Breunig
2023-06-03T5257: Fix netflow VRF and bracketize v6 source addresses for netflow/sflowWered
2023-01-14systemd: T2185: always place generated override files in /runChristian Breunig
This prevents any stale override files when the system is beeing rebooted, but the actual configuration was not saved. /run is a tmpfs and thus always fresh after boot.
2022-07-26T4571: add sflow vrf to sflow agent address IP validationDavid
2022-05-21flow-accounting: T4099: "source-address" must exist locallyChristian Poessinger
2022-05-21flow-accounting: T4437: also install rule to IPv6 VYOS_CT_PREROUTING_HOOKChristian Poessinger
2022-05-01flow-accounting: T4353: fix Jinja2 linting errorsChristian Poessinger
2022-03-01flow-accounting: T4277: support sending flow-data via VRF interfaceChristian Poessinger
It should be possible to send the gathered data via a VRF bound interface to the collector. This is somehow related to T3981 but it's the opposite side of the netflow process. set system flow-accounting vrf <name>
2021-12-31Merge branch 'firewall' of https://github.com/sarthurdev/vyos-1x into currentChristian Poessinger
* 'firewall' of https://github.com/sarthurdev/vyos-1x: zone_policy: T3873: Implement intra-zone-filtering policy: T2199: Migrate policy route op-mode to XML/Python policy: T2199: Migrate policy route to XML/Python zone-policy: T2199: Migrate zone-policy op-mode to XML/Python zone-policy: T2199: Migrate zone-policy to XML/Python firewall: T2199: Migrate firewall op-mode to XML/Python firewall: T2199: Migrate firewall to XML/Python
2021-12-26flow-accounting: T4097: move configuration file to /runChristian Poessinger
2021-12-26flow-accounting: T4097: bugfix removing service from CLIChristian Poessinger
2021-12-25flow-accounting: T4106: support specification of capture packet lengthChristian Poessinger
2021-12-25flow-accounting: T4105: drop "sflow agent-address auto"Christian Poessinger
The implementation of the "auto" option to specify the sflow/netflow agent-address is very error prone. The current implementation will determine the IP address used for the "auto" value as follow: Get BGP router-id 1) If not found use OSPF router-id 2) If not found use OSPFv3 router-id 3) If not found use "the first IP address found on the system Well, what is the "first IP address found"? Also this changes if DHCP is in use. Also another disadvantage is when the BGP/OSPF/OSPFv3 router-id is changed, the agent-address is not updated upon the next reboot of the system. This task is about removing the "auto" keyword from the CLI at all and make it either entirely configurable by the user and hardcode the value in CLI, or not use this at all. If "auto" is specified we will query the system in the above order and set the proper router-id in the CLI. If none can be found the CLI node is removed.
2021-12-25flow-accounting: T4099: rename "netflow source-ip" to source-addressChristian Poessinger
sFlow uses the source-address CLI node and netflow uses source-ip this is just confusing and should be synced to the common source-address CLI node.
2021-12-25flow-accounting: T4097: move to get_config_dict()Christian Poessinger
2021-12-06firewall: T2199: Migrate firewall to XML/Pythonsarthurdev
2021-12-06sflow: T4046: Add source-address for sflowViacheslav
2021-10-31netflow: T3953: use warning if "netflow source-ip" does not exist instead of ↵Christian Poessinger
error
2021-06-04flow-accounting: T3132: fix egress iptables chainJan-Philipp Benecke
(cherry picked from commit 95cc2e4b4c11414cc71749af12abb575e96e5bd4)
2020-12-17flow-accounting: T3132: enable egress traffic accountingJan-Philipp Benecke
2020-07-04cleanup: no need to call sudo for configuration mode scriptsChristian Poessinger
2020-05-29airbag: T2088: explicit enabling of the featureThomas Mangin
airbag must now be explicitly installed. the patch also allow to fully disables the installation of the logging code at setup (and not just installing and doing nothing)
2020-05-13flow-accounting: T2456: Replace old functionDmitriyEshenko
2020-04-17flow-accounting: T2275: fix NameError: name 'stdout' is not definedChristian Poessinger
2020-04-17flow-accounting: T2275: import render template from correct libraryChristian Poessinger
2020-04-13flow-accounting: T2185: explicitly specify systemd serviceChristian Poessinger
2020-04-12template: T2230: use render to generate templatesThomas Mangin
convert all call to jinja to use template.render
2020-04-11Merge pull request #329 from thomas-mangin/T2226Christian Poessinger
util: T2226: improvement and fixes
2020-04-11ifconfig: T2223: rename Section.listing to interfacesThomas Mangin
update all code using the API. Interface.interfaces() could be used but the code was change to use Section.interfaces() which make more sense when reading it.
2020-04-11util: T2226: do not use universal_newlinesThomas Mangin
2020-04-06util: T2226: rewrite flow accounting to use cmdThomas Mangin
The failure are now reported slightly differently using the cmd "raising" feature which will allow down the line to intercept the issue and present them better to the user
2020-04-05flow-accounting: T2230: move inlined templates to dedicated filesChristian Poessinger
2020-03-24ifconfig: T2057: remove need for interface-types.jsonThomas Mangin
2019-12-24flow-accounting: T1890: Fixed bugs in flow-accountingzsdc
* fixed improper `process.returncode` invokes * added check for if an in-memory table is active before using IMT for flows show * replaced `--nflog-range` to `--nflog-size` in iptables rules, as `--nflog-range` had never works. **WARNING: this change break compatibility with Debian 8!**
2019-12-19flow-accounting: T1890: fixed scripts permissionszsdc
2019-12-18flow-accounting: T1890: flow-accounting rewritten with Python and XMLzsdc
This patch keep compatibility with old configuration and software, but now it is much easier to add a lot of other useful things Completely replaces vyatta-netflow package (except some outdated and not available via CLI parts)