summaryrefslogtreecommitdiff
path: root/src/op_mode
diff options
context:
space:
mode:
authorzsdc <taras@sentrium.io>2019-12-18 23:57:52 +0200
committerzsdc <taras@sentrium.io>2019-12-18 23:57:52 +0200
commitf0aab13bb4bf111b3b47f34cb554873e1db1d44d (patch)
treee23872f22bbe458ddcf0cca6607fd59e8fa8985f /src/op_mode
parentf1cc9b0e08dfc4ae38c40f70db89b808d73fe7f9 (diff)
downloadvyos-1x-f0aab13bb4bf111b3b47f34cb554873e1db1d44d.tar.gz
vyos-1x-f0aab13bb4bf111b3b47f34cb554873e1db1d44d.zip
flow-accounting: T1890: flow-accounting rewritten with Python and XML
This patch keep compatibility with old configuration and software, but now it is much easier to add a lot of other useful things Completely replaces vyatta-netflow package (except some outdated and not available via CLI parts)
Diffstat (limited to 'src/op_mode')
-rw-r--r--src/op_mode/flow_accounting_op.py233
1 files changed, 233 insertions, 0 deletions
diff --git a/src/op_mode/flow_accounting_op.py b/src/op_mode/flow_accounting_op.py
new file mode 100644
index 000000000..caaf22b31
--- /dev/null
+++ b/src/op_mode/flow_accounting_op.py
@@ -0,0 +1,233 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2018 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import sys
+import argparse
+import re
+import ipaddress
+import subprocess
+from tabulate import tabulate
+
+# some default values
+uacctd_pidfile = '/var/run/uacctd.pid'
+uacctd_pipefile = '/tmp/uacctd.pipe'
+
+
+# check if ports argument have correct format
+def _is_ports(ports):
+ # define regex for checking
+ regex_filter = re.compile('^(\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])$|^(\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])-(\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])$|^((\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5]),)+(\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])$')
+ if not regex_filter.search(ports):
+ raise argparse.ArgumentTypeError("Invalid ports: {}".format(ports))
+
+ # check which type nitation is used: single port, ports list, ports range
+ # single port
+ regex_filter = re.compile('^(\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])$')
+ if regex_filter.search(ports):
+ filter_ports = { 'type': 'single', 'value': int(ports) }
+
+ # ports list
+ regex_filter = re.compile('^((\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5]),)+(\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])')
+ if regex_filter.search(ports):
+ filter_ports = { 'type': 'list', 'value': list(map(int, ports.split(','))) }
+
+ # ports range
+ regex_filter = re.compile('^(?P<first>\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])-(?P<second>\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])$')
+ if regex_filter.search(ports):
+ # check if second number is greater than the first
+ if int(regex_filter.search(ports).group('first')) >= int(regex_filter.search(ports).group('second')):
+ raise argparse.ArgumentTypeError("Invalid ports: {}".format(ports))
+ filter_ports = { 'type': 'range', 'value': range(int(regex_filter.search(ports).group('first')), int(regex_filter.search(ports).group('second'))) }
+
+ # if all above failed
+ if not filter_ports:
+ raise argparse.ArgumentTypeError("Failed to parse: {}".format(ports))
+ else:
+ return filter_ports
+
+# check if host argument have correct format
+def _is_host(host):
+ # define regex for checking
+ if not ipaddress.ip_address(host):
+ raise argparse.ArgumentTypeError("Invalid host: {}".format(host))
+ return host
+
+# check if flow-accounting running
+def _uacctd_running():
+ command = "/usr/bin/sudo /bin/systemctl status uacctd > /dev/null"
+ return_code = subprocess.call(command, shell=True)
+ if not return_code == 0:
+ return False
+
+ # return True if all checks were passed
+ return True
+
+# get list of interfaces
+def _get_ifaces_dict():
+ # run command to get ifaces list
+ command = "/bin/ip link show"
+ process = subprocess.Popen(command.split(' '), stdout=subprocess.PIPE, universal_newlines=True)
+ stdout, stderr = process.communicate()
+ if not process.returncode == 0:
+ print("Failed to get interfaces list: command \"{}\" returned exit code: {}".format(command, process.returncode()))
+ sys.exit(1)
+
+ # read output
+ ifaces_out = stdout.splitlines()
+
+ # make a dictionary with interfaces and indexes
+ ifaces_dict = {}
+ regex_filter = re.compile('^(?P<iface_index>\d+):\ (?P<iface_name>[\w\d\.]+)[:@].*$')
+ for iface_line in ifaces_out:
+ if regex_filter.search(iface_line):
+ ifaces_dict[int(regex_filter.search(iface_line).group('iface_index'))] = regex_filter.search(iface_line).group('iface_name')
+
+ # return dictioanry
+ return ifaces_dict
+
+# get list of flows
+def _get_flows_list():
+ # run command to get flows list
+ command = "/usr/bin/pmacct -s -O json -T flows -p {}".format(uacctd_pipefile)
+ process = subprocess.Popen(command.split(' '), stdout=subprocess.PIPE, universal_newlines=True)
+ stdout, stderr = process.communicate()
+ if not process.returncode == 0:
+ print("Failed to get flows list: command \"{}\" returned exit code: {}\nError: {}".format(command, process.returncode(), stderr))
+ sys.exit(1)
+
+ # read output
+ flows_out = stdout.splitlines()
+
+ # make a list with flows
+ flows_list = []
+ for flow_line in flows_out:
+ flows_list.append(eval(flow_line))
+
+ # return list of flows
+ return flows_list
+
+# filter and format flows
+def _flows_filter(flows, ifaces):
+ # predefine filtered flows list
+ flows_filtered = []
+
+ # add interface names to flows
+ for flow in flows:
+ if flow['iface_in'] in ifaces:
+ flow['iface_in_name'] = ifaces[flow['iface_in']]
+ else:
+ flow['iface_in_name'] = 'unknown'
+
+ # iterate through flows list
+ for flow in flows:
+ # filter by interface
+ if cmd_args.interface:
+ if flow['iface_in_name'] != cmd_args.interface:
+ continue
+ # filter by host
+ if cmd_args.host:
+ if flow['ip_src'] != cmd_args.host and flow['ip_dst'] != cmd_args.host:
+ continue
+ # filter by ports
+ if cmd_args.ports:
+ if cmd_args.ports['type'] == 'single':
+ if flow['port_src'] != cmd_args.ports['value'] and flow['port_dst'] != cmd_args.ports['value']:
+ continue
+ else:
+ if flow['port_src'] not in cmd_args.ports['value'] and flow['port_dst'] not in cmd_args.ports['value']:
+ continue
+ # add filtered flows to new list
+ flows_filtered.append(flow)
+
+ # stop adding if we already reached top count
+ if cmd_args.top:
+ if len(flows_filtered) == cmd_args.top:
+ break
+
+ # return filtered flows
+ return flows_filtered
+
+# print flow table
+def _flows_table_print(flows):
+ #define headers and body
+ table_headers = [ 'IN_IFACE', 'SRC_MAC', 'DST_MAC', 'SRC_IP', 'DST_IP', 'SRC_PORT', 'DST_PORT', 'PROTOCOL', 'TOS', 'PACKETS', 'FLOWS', 'BYTES' ]
+ table_body = []
+ # convert flows to list
+ for flow in flows:
+ table_body.append([flow['iface_in_name'], flow['mac_src'], flow['mac_dst'], flow['ip_src'], flow['ip_dst'], flow['port_src'], flow['port_dst'], flow['ip_proto'], flow['tos'], flow['packets'], flow['flows'], flow['bytes'] ])
+ # configure and fill table
+ table = tabulate(table_body, table_headers, tablefmt="simple")
+
+ # print formatted table
+ try:
+ print(table)
+ except IOError:
+ sys.exit(0)
+ except KeyboardInterrupt:
+ sys.exit(0)
+
+
+# define program arguments
+cmd_args_parser = argparse.ArgumentParser(description='show flow-accounting')
+cmd_args_parser.add_argument('--action', choices=['show', 'clear', 'restart'], required=True, help='command to flow-accounting daemon')
+cmd_args_parser.add_argument('--filter', choices=['interface', 'host', 'ports', 'top'], required=False, nargs='*', help='filter flows to display')
+cmd_args_parser.add_argument('--interface', required=False, help='interface name for output filtration')
+cmd_args_parser.add_argument('--host', type=_is_host, required=False, help='host address for output filtration')
+cmd_args_parser.add_argument('--ports', type=_is_ports, required=False, help='ports number for output filtration')
+cmd_args_parser.add_argument('--top', type=int, required=False, help='top records for output filtration')
+# parse arguments
+cmd_args = cmd_args_parser.parse_args()
+
+
+# main logic
+# do nothing if uacctd daemon is not running
+if not _uacctd_running():
+ print("flow-accounting is not active")
+ sys.exit(1)
+
+# restart pmacct daemon
+if cmd_args.action == 'restart':
+ # run command to restart flow-accounting
+ command = '/usr/bin/sudo /bin/systemctl restart uacctd'
+ return_code = subprocess.call(command.split(' '))
+ if not return_code == 0:
+ print("Failed to restart flow-accounting: command \"{}\" returned exit code: {}".format(command, return_code))
+ sys.exit(1)
+
+# clear in-memory collected flows
+if cmd_args.action == 'clear':
+ # run command to clear flows
+ command = "/usr/bin/pmacct -e -p {}".format(uacctd_pipefile)
+ return_code = subprocess.call(command.split(' '))
+ if not return_code == 0:
+ print("Failed to clear flows: command \"{}\" returned exit code: {}".format(command, return_code))
+ sys.exit(1)
+
+# show table with flows
+if cmd_args.action == 'show':
+ # get interfaces index and names
+ ifaces_dict = _get_ifaces_dict()
+ # get flows
+ flows_list = _get_flows_list()
+
+ # filter and format flows
+ tabledata = _flows_filter(flows_list, ifaces_dict)
+
+ # print flows
+ _flows_table_print(tabledata)
+
+sys.exit(0)