summaryrefslogtreecommitdiff
path: root/src/conf_mode/system_flow-accounting.py
blob: 206f513c806942f336626fec576091cc32671b54 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
#!/usr/bin/env python3
#
# Copyright (C) 2018-2023 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import os
import re

from sys import exit
from ipaddress import ip_address

from vyos.base import Warning
from vyos.config import Config
from vyos.config import config_dict_merge
from vyos.configverify import verify_vrf
from vyos.ifconfig import Section
from vyos.template import render
from vyos.utils.process import call
from vyos.utils.process import cmd
from vyos.utils.process import run
from vyos.utils.network import is_addr_assigned
from vyos import ConfigError
from vyos import airbag
airbag.enable()

uacctd_conf_path = '/run/pmacct/uacctd.conf'
systemd_service = 'uacctd.service'
systemd_override = f'/run/systemd/system/{systemd_service}.d/override.conf'
nftables_nflog_table = 'raw'
nftables_nflog_chain = 'VYOS_PREROUTING_HOOK'
egress_nftables_nflog_table = 'inet mangle'
egress_nftables_nflog_chain = 'FORWARD'

# get nftables rule dict for chain in table
def _nftables_get_nflog(chain, table):
    # define list with rules
    rules = []

    # prepare regex for parsing rules
    rule_pattern = '[io]ifname "(?P<interface>[\w\.\*\-]+)".*handle (?P<handle>[\d]+)'
    rule_re = re.compile(rule_pattern)

    # run nftables, save output and split it by lines
    nftables_command = f'nft -a list chain {table} {chain}'
    tmp = cmd(nftables_command, message='Failed to get flows list')
    # parse each line and add information to list
    for current_rule in tmp.splitlines():
        if 'FLOW_ACCOUNTING_RULE' not in current_rule:
            continue
        current_rule_parsed = rule_re.search(current_rule)
        if current_rule_parsed:
            groups = current_rule_parsed.groupdict()
            rules.append({ 'interface': groups["interface"], 'table': table, 'handle': groups["handle"] })

    # return list with rules
    return rules

def _nftables_config(configured_ifaces, direction, length=None):
    # define list of nftables commands to modify settings
    nftable_commands = []
    nftables_chain = nftables_nflog_chain
    nftables_table = nftables_nflog_table

    if direction == "egress":
        nftables_chain = egress_nftables_nflog_chain
        nftables_table = egress_nftables_nflog_table

    # prepare extended list with configured interfaces
    configured_ifaces_extended = []
    for iface in configured_ifaces:
        configured_ifaces_extended.append({ 'iface': iface })

    # get currently configured interfaces with nftables rules
    active_nflog_rules = _nftables_get_nflog(nftables_chain, nftables_table)

    # compare current active list with configured one and delete excessive interfaces, add missed
    active_nflog_ifaces = []
    for rule in active_nflog_rules:
        interface = rule['interface']
        if interface not in configured_ifaces:
            table = rule['table']
            handle = rule['handle']
            nftable_commands.append(f'nft delete rule {table} {nftables_chain} handle {handle}')
        else:
            active_nflog_ifaces.append({
                'iface': interface,
            })

    # do not create new rules for already configured interfaces
    for iface in active_nflog_ifaces:
        if iface in active_nflog_ifaces and iface in configured_ifaces_extended:
            configured_ifaces_extended.remove(iface)

    # create missed rules
    for iface_extended in configured_ifaces_extended:
        iface = iface_extended['iface']
        iface_prefix = "o" if direction == "egress" else "i"
        rule_definition = f'{iface_prefix}ifname "{iface}" counter log group 2 snaplen {length} queue-threshold 100 comment "FLOW_ACCOUNTING_RULE"'
        nftable_commands.append(f'nft insert rule {nftables_table} {nftables_chain} {rule_definition}')
        # Also add IPv6 ingres logging
        if nftables_table == nftables_nflog_table:
            nftable_commands.append(f'nft insert rule ip6 {nftables_table} {nftables_chain} {rule_definition}')

    # change nftables
    for command in nftable_commands:
        cmd(command, raising=ConfigError)


def _nftables_trigger_setup(operation: str) -> None:
    """Add a dummy rule to unlock the main pmacct loop with a packet-trigger

    Args:
        operation (str): 'add' or 'delete' a trigger
    """
    # check if a chain exists
    table_exists = False
    if run('nft -snj list table ip pmacct') == 0:
        table_exists = True

    if operation == 'delete' and table_exists:
        nft_cmd: str = 'nft delete table ip pmacct'
        cmd(nft_cmd, raising=ConfigError)
    if operation == 'add' and not table_exists:
        nft_cmds: list[str] = [
            'nft add table ip pmacct',
            'nft add chain ip pmacct pmacct_out { type filter hook output priority raw - 50 \\; policy accept \\; }',
            'nft add rule ip pmacct pmacct_out oif lo ip daddr 127.0.254.0 counter log group 2 snaplen 1 queue-threshold 0 comment NFLOG_TRIGGER'
        ]
        for nft_cmd in nft_cmds:
            cmd(nft_cmd, raising=ConfigError)


def get_config(config=None):
    if config:
        conf = config
    else:
        conf = Config()
    base = ['system', 'flow-accounting']
    if not conf.exists(base):
        return None

    flow_accounting = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)

    # We have gathered the dict representation of the CLI, but there are
    # default values which we need to conditionally update into the
    # dictionary retrieved.
    default_values = conf.get_config_defaults(**flow_accounting.kwargs,
                                              recursive=True)

    # delete individual flow type defaults - should only be added if user
    # sets this feature
    for flow_type in ['sflow', 'netflow']:
        if flow_type not in flow_accounting and flow_type in default_values:
            del default_values[flow_type]

    flow_accounting = config_dict_merge(default_values, flow_accounting)

    return flow_accounting

def verify(flow_config):
    if not flow_config:
        return None

    # check if at least one collector is enabled
    if 'sflow' not in flow_config and 'netflow' not in flow_config and 'disable_imt' in flow_config:
        raise ConfigError('You need to configure at least sFlow or NetFlow, ' \
                          'or not set "disable-imt" for flow-accounting!')

    # Check if at least one interface is configured
    if 'interface' not in flow_config:
        raise ConfigError('Flow accounting requires at least one interface to ' \
                          'be configured!')

    # check that all configured interfaces exists in the system
    for interface in flow_config['interface']:
        if interface not in Section.interfaces():
            # Changed from error to warning to allow adding dynamic interfaces
            # and interface templates
            Warning(f'Interface "{interface}" is not presented in the system')

    # check sFlow configuration
    if 'sflow' in flow_config:
        # check if at least one sFlow collector is configured
        if 'server' not in flow_config['sflow']:
            raise ConfigError('You need to configure at least one sFlow server!')

        # check that all sFlow collectors use the same IP protocol version
        sflow_collector_ipver = None
        for server in flow_config['sflow']['server']:
            if sflow_collector_ipver:
                if sflow_collector_ipver != ip_address(server).version:
                    raise ConfigError("All sFlow servers must use the same IP protocol")
            else:
                sflow_collector_ipver = ip_address(server).version

        # check if vrf is defined for Sflow
        verify_vrf(flow_config)
        sflow_vrf = None
        if 'vrf' in flow_config:
            sflow_vrf = flow_config['vrf']

        # check agent-id for sFlow: we should avoid mixing IPv4 agent-id with IPv6 collectors and vice-versa
        for server in flow_config['sflow']['server']:
            if 'agent_address' in flow_config['sflow']:
                if ip_address(server).version != ip_address(flow_config['sflow']['agent_address']).version:
                    raise ConfigError('IPv4 and IPv6 addresses can not be mixed in "sflow agent-address" and "sflow '\
                                      'server". You need to set the same IP version for both "agent-address" and '\
                                      'all sFlow servers')

        if 'agent_address' in flow_config['sflow']:
            tmp = flow_config['sflow']['agent_address']
            if not is_addr_assigned(tmp, sflow_vrf):
                raise ConfigError(f'Configured "sflow agent-address {tmp}" does not exist in the system!')

        # Check if configured sflow source-address exist in the system
        if 'source_address' in flow_config['sflow']:
            if not is_addr_assigned(flow_config['sflow']['source_address'], sflow_vrf):
                tmp = flow_config['sflow']['source_address']
                raise ConfigError(f'Configured "sflow source-address {tmp}" does not exist on the system!')

    # check NetFlow configuration
    if 'netflow' in flow_config:
        # check if vrf is defined for netflow
        netflow_vrf = None
        if 'vrf' in flow_config:
            netflow_vrf = flow_config['vrf']

        # check if at least one NetFlow collector is configured if NetFlow configuration is presented
        if 'server' not in flow_config['netflow']:
            raise ConfigError('You need to configure at least one NetFlow server!')

        # Check if configured netflow source-address exist in the system
        if 'source_address' in flow_config['netflow']:
            if not is_addr_assigned(flow_config['netflow']['source_address'], netflow_vrf):
                tmp = flow_config['netflow']['source_address']
                raise ConfigError(f'Configured "netflow source-address {tmp}" does not exist on the system!')

        # Check if engine-id compatible with selected protocol version
        if 'engine_id' in flow_config['netflow']:
            v5_filter = '^(\d|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]):(\d|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5])$'
            v9v10_filter = '^(\d|[1-9]\d{1,8}|[1-3]\d{9}|4[01]\d{8}|42[0-8]\d{7}|429[0-3]\d{6}|4294[0-8]\d{5}|42949[0-5]\d{4}|429496[0-6]\d{3}|4294967[01]\d{2}|42949672[0-8]\d|429496729[0-5])$'
            engine_id = flow_config['netflow']['engine_id']
            version = flow_config['netflow']['version']

            if flow_config['netflow']['version'] == '5':
                regex_filter = re.compile(v5_filter)
                if not regex_filter.search(engine_id):
                    raise ConfigError(f'You cannot use NetFlow engine-id "{engine_id}" '\
                                      f'together with NetFlow protocol version "{version}"!')
            else:
                regex_filter = re.compile(v9v10_filter)
                if not regex_filter.search(flow_config['netflow']['engine_id']):
                    raise ConfigError(f'Can not use NetFlow engine-id "{engine_id}" together '\
                                      f'with NetFlow protocol version "{version}"!')

    # return True if all checks were passed
    return True

def generate(flow_config):
    if not flow_config:
        return None

    render(uacctd_conf_path, 'pmacct/uacctd.conf.j2', flow_config)
    render(systemd_override, 'pmacct/override.conf.j2', flow_config)
    # Reload systemd manager configuration
    call('systemctl daemon-reload')

def apply(flow_config):
    # Check if flow-accounting was removed and define command
    if not flow_config:
        _nftables_config([], 'ingress')
        _nftables_config([], 'egress')

        # Stop flow-accounting daemon and remove configuration file
        call(f'systemctl stop {systemd_service}')
        if os.path.exists(uacctd_conf_path):
            os.unlink(uacctd_conf_path)

        # must be done after systemctl
        _nftables_trigger_setup('delete')

        return

    # Start/reload flow-accounting daemon
    call(f'systemctl restart {systemd_service}')

    # configure nftables rules for defined interfaces
    if 'interface' in flow_config:
        _nftables_config(flow_config['interface'], 'ingress', flow_config['packet_length'])

        # configure egress the same way if configured otherwise remove it
        if 'enable_egress' in flow_config:
            _nftables_config(flow_config['interface'], 'egress', flow_config['packet_length'])
        else:
            _nftables_config([], 'egress')

    # add a trigger for signal processing
    _nftables_trigger_setup('add')


if __name__ == '__main__':
    try:
        config = get_config()
        verify(config)
        generate(config)
        apply(config)
    except ConfigError as e:
        print(e)
        exit(1)