authorDaniil Baturin <daniil@vyos.io>2023-07-27 17:10:48 +0100
committerGitHub <noreply@github.com>2023-07-27 17:10:48 +0100
commitb76f103317b5aa8abdee5c942509fc11f9e20ef3 (patch)
treeac2b268cc25c42f23f1bae2f91498787aa743b7a
parentef6cc1f32566e8524e71634c386c8044e5bcc673 (diff)
parentbd4bb4f869d6df02bfda1ce5668b8cf15a95b4af (diff)
downloadvyos-1x-b76f103317b5aa8abdee5c942509fc11f9e20ef3.tar.gz
vyos-1x-b76f103317b5aa8abdee5c942509fc11f9e20ef3.zip
Merge pull request #2105 from sever-sever/T5368
T5368: service ids ddos-protection: add support for sFlow mode
-rw-r--r--data/templates/ids/fastnetmon.j211
-rw-r--r--data/templates/ids/fastnetmon_networks_list.j22
-rw-r--r--interface-definitions/service-ids-ddos-protection.xml.in33
-rwxr-xr-xsrc/conf_mode/service_ids_fastnetmon.py14
4 files changed, 47 insertions, 13 deletions
diff --git a/data/templates/ids/fastnetmon.j2 b/data/templates/ids/fastnetmon.j2
index 0340d3c92..f6f03d0db 100644
--- a/data/templates/ids/fastnetmon.j2
+++ b/data/templates/ids/fastnetmon.j2
@@ -29,10 +29,19 @@ unban_only_if_attack_finished = on
# For each subnet, list track speed in bps and pps for both directions
enable_subnet_counters = off
-{% if mode.mirror is vyos_defined %}
+{% if mode is vyos_defined('mirror') %}
mirror_afpacket = on
+{% elif mode is vyos_defined('sflow') %}
+sflow = on
+{% if sflow.port is vyos_defined %}
+sflow_port = {{ sflow.port }}
+{% endif %}
+{% if sflow.listen_address is vyos_defined %}
+sflow_host = {{ sflow.listen_address }}
+{% endif %}
{% endif %}
+
process_incoming_traffic = {{ 'on' if direction is vyos_defined and 'in' in direction else 'off' }}
process_outgoing_traffic = {{ 'on' if direction is vyos_defined and 'out' in direction else 'off' }}
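Review bot: The new `sflow = on` / `sflow_host` / `sflow_port` block turns the box into a UDP sFlow collector, and nothing in this hunk or in the CLI definition limits which source addresses may feed it; sFlow carries no authentication, so any host that can reach `sflow_port` on the listen address can inject counters that fastnetmon will act on. What that buys an attacker depends on the configured actions (not visible here), but at minimum a spoofed stream can produce false detections and bans. I would add a template comment such as `{# sFlow is unauthenticated UDP: restrict reachability of sflow_port to the real exporters with a firewall rule #}` and surface the same caveat in the CLI help for `listen-address`. `sflow_port` is emitted only when defined, which is fine given the XML default of 6343, but the template then silently falls back to the daemon's own default if that default is ever removed.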
diff --git a/data/templates/ids/fastnetmon_networks_list.j2 b/data/templates/ids/fastnetmon_networks_list.j2
index 5f1b3ba4d..0a0576d2a 100644
--- a/data/templates/ids/fastnetmon_networks_list.j2
+++ b/data/templates/ids/fastnetmon_networks_list.j2
@@ -1,4 +1,4 @@
-{% if network is vyos_defined() %}
+{% if network is vyos_defined %}
{% for net in network %}
{{ net }}
{% endfor %}
diff --git a/interface-definitions/service-ids-ddos-protection.xml.in b/interface-definitions/service-ids-ddos-protection.xml.in
index bb06189bc..78463136b 100644
--- a/interface-definitions/service-ids-ddos-protection.xml.in
+++ b/interface-definitions/service-ids-ddos-protection.xml.in
@@ -70,17 +70,34 @@
<multi/>
</properties>
</leafNode>
- <node name="mode">
+ <leafNode name="mode">
<properties>
- <help>Traffic capture modes</help>
+ <help>Traffic capture mode</help>
+ <completionHelp>
+ <list>mirror sflow</list>
+ </completionHelp>
+ <valueHelp>
+ <format>mirror</format>
+ <description>Listen to mirrored traffic</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sflow</format>
+ <description>Capture sFlow flows</description>
+ </valueHelp>
+ <constraint>
+ <regex>(mirror|sflow)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <node name="sflow">
+ <properties>
+ <help>Sflow settings</help>
</properties>
<children>
- <!-- Future modes "mirror" "netflow" "combine (both)" -->
- <leafNode name="mirror">
- <properties>
- <help>Listen mirrored traffic mode</help>
- <valueless/>
- </properties>
+ #include <include/listen-address-ipv4-single.xml.i>
+ #include <include/port-number.xml.i>
+ <leafNode name="port">
+ <defaultValue>6343</defaultValue>
</leafNode>
</children>
</node>
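Review bot: Converting `mode` from a node with a valueless `mirror` child into a leafNode that takes a value changes the saved-config syntax from `mode { mirror }` to `mode mirror`, and the diffstat shows no migration script, so a config.boot written under the old schema would appear to fail to load after upgrade unless a migrator lands elsewhere. A migration step under `src/migration-scripts/ids/` that rewrites the old form to the new `mode mirror` leaf would close that gap. Minor: the help text `Sflow settings` should read `sFlow settings` to match the `Capture sFlow flows` wording a few lines above.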
diff --git a/src/conf_mode/service_ids_fastnetmon.py b/src/conf_mode/service_ids_fastnetmon.py
index 2e678cf0b..f6b80552b 100755
--- a/src/conf_mode/service_ids_fastnetmon.py
+++ b/src/conf_mode/service_ids_fastnetmon.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2018-2022 VyOS maintainers and contributors
+# Copyright (C) 2018-2023 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -30,6 +30,7 @@ airbag.enable()
config_file = r'/run/fastnetmon/fastnetmon.conf'
networks_list = r'/run/fastnetmon/networks_list'
excluded_networks_list = r'/run/fastnetmon/excluded_networks_list'
+attack_dir = '/var/log/fastnetmon_attacks'
def get_config(config=None):
if config:
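Review bot: `attack_dir` is the only one of the four path constants written without the `r''` prefix and without any note on what it is for, so it reads as unrelated to its neighbours; `attack_dir = r'/var/log/fastnetmon_attacks'  # where fastnetmon writes per-attack detail files` keeps the style consistent and records the intent. The template in this diff never references this path, so it presumably matches the daemon's compiled-in default location — worth saying in that comment so the coupling is visible. Further down, generate() creates the directory with a bare `os.mkdir`, which inherits the process umask; since it will hold attack reports, creating it with an explicit mode (e.g. `os.mkdir(attack_dir, mode=0o750)`) would be more deliberate.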
@@ -55,8 +56,11 @@ def verify(fastnetmon):
if 'mode' not in fastnetmon:
raise ConfigError('Specify operating mode!')
- if 'listen_interface' not in fastnetmon:
- raise ConfigError('Specify interface(s) for traffic capture')
+ if fastnetmon.get('mode') == 'mirror' and 'listen_interface' not in fastnetmon:
+ raise ConfigError("Incorrect settings for 'mode mirror': must specify interface(s) for traffic mirroring")
+
+ if fastnetmon.get('mode') == 'sflow' and 'listen_address' not in fastnetmon.get('sflow', {}):
+ raise ConfigError("Incorrect settings for 'mode sflow': must specify sFlow 'listen-address'")
if 'alert_script' in fastnetmon:
if os.path.isfile(fastnetmon['alert_script']):
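Review bot: After the `'mode' not in fastnetmon` guard at the top of this hunk the two `fastnetmon.get('mode')` calls are redundant; binding `mode = fastnetmon['mode']` once and comparing against it reads cleaner and avoids repeating the lookup. Neither new check rejects settings that belong to the other mode (`listen-interface` under sflow, the `sflow` subtree under mirror), so a user who flips the mode keeps stale configuration that the template silently ignores; a ConfigError, or at least a warning, would make that explicit. The sFlow `listen-address` is also not checked to be an address assigned on this system, so a typo only surfaces as a daemon bind failure at start-up; if the project's address-assigned helper is available in this module, calling it here would catch that at commit time. verify() continues past the end of this hunk.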
@@ -74,6 +78,10 @@ def generate(fastnetmon):
return None
+ # Create dir for log attack details
+ if not os.path.exists(attack_dir):
+ os.mkdir(attack_dir)
+
render(config_file, 'ids/fastnetmon.j2', fastnetmon)
render(networks_list, 'ids/fastnetmon_networks_list.j2', fastnetmon)
render(excluded_networks_list, 'ids/fastnetmon_excluded_networks_list.j2', fastnetmon)