nfacctd map all ASes but not own IPv4 network #789

Open
paulofragoso opened this issue May 31, 2024 · 11 comments

Comments

@paulofragoso

paulofragoso commented May 31, 2024

Hi

I have a router R running Bird BGP, and flows are sent from its internal interface to server K running nfacctd. All IPs are correctly aggregated to their AS (IPv4 and IPv6), but only IPv4 from my AS is zeroed. Is there some issue (or trick) in using IPv6 and IPv4 at the same time?

In the lab, using only IPv4, everything works, but that was with a private AS and network.

Thanks,
Paulo.

@paololucente
Member

Hi Paulo ( @paulofragoso ),

This is kind of expected since pmacct by default performs an iBGP peering with the router(s). So zero ASN (or null) would mean "my own ASN". Should this not be satisfactory, you would have two ways around it:

  • you could establish an eBGP peering. As you may imagine this comes with trade-offs;
  • fix internal networks with a networks_file, essentially you would assign a (fictional, private?) ASN to relevant entities lying on your own address space / ASN;

How does it read? Let me know your thoughts.

Paolo

@paulofragoso
Author

Hi Paolo,

If I put my real networks (IPv4 and IPv6) in networks.lst, starting each with my real ASN, only IPv6 addresses are aggregated with that ASN.

I'm curious about the different behaviors: shouldn't it be IPv4/IPv6 with the ASN? Or IPv4/IPv6 with zero? Why can I change only the IPv6 behavior?

The router peering is iBGP, and with an empty networks.lst I'm getting all internal networks (IPv4/IPv4) with zero in the ASN aggregation.

Thanks,
Paulo.

@paololucente
Member

Hi Paulo,

Probably you will need to add also the following to your config:

nfacctd_net: fallback
nfacctd_bgp: fallback

Can you give this a try and let me know?

Paolo

@paulofragoso
Author

Hi Paolo,

I've added the two items above and I get the same behavior, and now this error:

WARN: [/usr/local/etc/nfacctd.conf:11] Unknown key: nfacctd_bgp. Ignored.

Thanks,
Paulo.

@paololucente
Member

Pardon me, nfacctd_as not nfacctd_bgp.

@paulofragoso
Author

Hi Paolo,

My nfacctd.conf is this:

daemonize: false
logfile: /var/log/nfacctd.log
pre_tag_map: /usr/local/etc/pmacct/pretag.map
networks_file: /usr/local/etc/pmacct/networks.lst
nfacctd_ip: A.B.C.30
nfacctd_port: 2055
nfacctd_time_new: true
nfacctd_as: fallback
nfacctd_as_new:fallback
nfacctd_net: fallback
aggregate: src_host, dst_host, src_port, dst_port, src_as, dst_as, proto
!nfacctd_disable_checks: true
!
bgp_daemon: true
bgp_daemon_ip: A.B.C.30
bgp_daemon_port: 179
bgp_daemon_max_peers: 10
bgp_daemon_as: MYASN
bgp_agent_map: /usr/local/etc/pmacct/peering_agent.map
!
! "plugin2" plugin configuration DEBUG
!
plugins: memory[plugin2]
plugin_buffer_size[plugin2]: 102400
plugin_pipe_size[plugin2]: 10240000
imt_mem_pools_number: 256
imt_path[plugin2]: /var/spool/output/plugin2.pipe

and using networks.lst in this way:

MYASN,A.B.O.0/20
MYASN,AAAA:BB::/32

only IPv4 is zeroed! Can it be because we have only one session protocol against BIRD, in IPv4?

...
# PMACCT:
protocol bgp PMACCT {
  description "pmacctd";
  local A.B.C.1 as MYASN;
  neighbor A.B.C.30 port 179 as MYASN;
  rr client;
  hold time 90;
  keepalive time 30;
  graceful restart;

  ipv4 {
    next hop self;
    import filter { reject; };
    export filter { accept; };
  };

  ipv6 {
    next hop address 127.0.0.1;
    import filter { reject; };
    export filter { accept; };
  };
}

Thanks,
Paulo.

@paololucente
Member

Hi Paulo,

Thank you for all this info. Can you also please send me the output of nfacctd -V? This will say which version of the daemon you are running.

Is MYASN the same ASN with which the router is configured? If so, you can skip bgp_daemon_as as that is meant to form eBGP peerings, i.e. MYASN != router ASN. All the rest looks good, you are travelling both v4 and v6 AFs as part of the same BGP session with v4 transport (I infer that from bgp_daemon_ip). Also flows are sent with v4 transport, I infer that from nfacctd_ip.

It is possible you are running into a bug. Can you test leaving only v4 addresses in the networks_file and remove all v6 ones?

Paolo

@paulofragoso
Author

Hi Paolo,

# nfacctd -V
NetFlow Accounting Daemon, nfacctd 1.7.8-git [RELEASE]

Arguments:
 '--disable-avro' '--disable-debug' '--enable-geoipv2' '--enable-kafka' '--enable-l2' '--disable-mysql' '--enable-pgsql' '--disable-rabbitmq' '--disable-redis' '--disable-sqlite3' '--enable-jansson' '--prefix=/usr/local' '--localstatedir=/var' '--mandir=/usr/local/share/man' '--disable-silent-rules' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd14.0' 'build_alias=amd64-portbld-freebsd14.0' 'CC=cc' 'CFLAGS=-O2 -pipe  -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-I/usr/local/include -isystem /usr/local/include' 'PKG_CONFIG=pkgconf' 'PKG_CONFIG_LIBDIR=/usr/ports/net-mgmt/pmacct/work/.pkgconfig:/usr/local/libdata/pkgconfig:/usr/local/share/pkgconfig:/usr/libdata/pkgconfig' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing  -isystem /usr/local/include ' '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins' '--enable-st-bins'

Libs:
cdada 0.4.0
libpcap version 1.10.4
PostgreSQL 150007
rdkafka 2.3.0
jansson 2.14
MaxmindDB 1.9.1

Plugins:
memory
print
nfprobe
sfprobe
tee
postgresql
kafka

System:
FreeBSD 14.0-RELEASE FreeBSD 14.0-RELEASE #0 releng/14.0-n265380-f9716eee8ab4: Fri Nov 10 05:57:23 UTC 2023     root@releng1.nyi.freebsd.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64

Compiler:
clang 16.0.6

For suggestions, critics, bugs, contact me: Paolo Lucente <paolo@pmacct.net>.

MYASN is the same in the router. Skipping bgp_daemon_as I get the same behavior where IPv4 is zeroed, regardless of what is in pmacct/networks.lst.

Thanks,
Paulo.

@paololucente
Member

Thanks Paulo,

I will try to reproduce at my end. Meanwhile: did you try my last suggestion (that would help me in the troubleshooting), i.e. can you test leaving only v4 addresses in the networks_file and remove all v6 ones?

Paolo

@paulofragoso
Author

Hi Paolo,

My test was:

# diff nfacctd.conf-orig nfacctd.conf
18d17
< bgp_daemon_as: MYASN
# cat pmacct/networks.lst
MYASN,A.B.O.0/20

All IPv4/IPv6 from MYASN are zeroed.

Now I'm running without bgp_daemon_as and I get the same results.

Thanks,
Paulo.

@paololucente
Member

Hi Paulo ( @paulofragoso ),

I recently tested master code with a similar setup -- and reminded myself of this issue still open. Did you get to the bottom of it? I got both v4 and v6 in a networks_file and all resolves to the specified ASNs just fine. One knob I did use and I don't see mentioned in the thread above is networks_file_no_lpm, which disables longest-prefix-match for prefixes specified in the networks_file. With fallback/longest configured for nfacctd_as/nfacctd_net, this is a good idea to make sure the definitions in the file win over the rest.

Paolo
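As an added example (not pmacct's own code), a small Python checker for a networks_file in the ASN,prefix format used in this thread: it parses v4 and v6 entries, reports malformed lines (a non-numeric ASN such as a stray placeholder silently drops that prefix, leaving its addresses to resolve to zero), and models how a zero (own-ASN) BGP result on an iBGP peering would fall back to the file, with and without longest-prefix matching. The ASNs 64512/64513 and the prefixes are constructed placeholders, and the fallback/no_lpm behaviour is a simplified assumption, not pmacct's implementation.

```python
import ipaddress

# Constructed sample networks_file (not from the thread). 64512 stands in for
# MYASN; the third line deliberately carries a non-numeric ASN placeholder.
NETWORKS_FILE = """\
64512,192.0.2.0/24
64512,2001:db8::/32
MYSAN,198.51.100.0/24
64513,192.0.2.128/25
"""

def parse_networks_file(text):
    """Return (entries, errors): entries are (asn, ip_network) tuples in file
    order; errors are (lineno, raw_line, reason) for lines that did not parse."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("!", 1)[0].strip()   # '!' starts a comment, as in nfacctd.conf
        if not line:
            continue
        try:
            asn_str, prefix = (f.strip() for f in line.split(",", 1))
            entries.append((int(asn_str), ipaddress.ip_network(prefix, strict=False)))
        except ValueError as e:
            errors.append((lineno, raw, str(e)))
    return entries, errors

def lookup(entries, address, no_lpm=False):
    """ASN from the file for address, or None. With no_lpm the first matching
    entry in file order wins; otherwise the longest matching prefix wins."""
    addr = ipaddress.ip_address(address)
    hits = [(asn, net) for asn, net in entries
            if net.version == addr.version and addr in net]
    if not hits:
        return None
    if no_lpm:
        return hits[0][0]
    return max(hits, key=lambda h: h[1].prefixlen)[0]

def resolve_as(entries, address, bgp_asn, no_lpm=False):
    """Simplified model (assumption) of nfacctd_as: fallback over an iBGP peer:
    a BGP result of 0 means 'own ASN', and only then is the networks_file consulted."""
    if bgp_asn != 0:
        return bgp_asn
    from_file = lookup(entries, address, no_lpm)
    return from_file if from_file is not None else 0

if __name__ == "__main__":
    ents, errs = parse_networks_file(NETWORKS_FILE)
    for lineno, raw, why in errs:
        print(f"line {lineno}: {raw!r} ignored: {why}")
    print(resolve_as(ents, "198.51.100.1", 0))   # 0: its only entry was malformed
```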
