# $FreeBSD$
#
# Please read and meditate on netgraph(4), ipacctctl(8) and ngctl(8).
#
# Sample rc.conf(5) fragment for the ng_ipacct rc.d script ("ng_ipacct.sh").
# Everything below is read as ordinary sh(1) variable assignments, so the
# exact spelling of the variable names and the quoting matter.

# Enable ng_ipacct (i.e. enable run startup script "ng_ipacct.sh")
# As with any rc.conf(5) knob, the rest of this file has no effect until this
# is set to "YES".
#ng_ipacct_enable="YES"

# Enable kernel modules loading.
# On "ng_ipacct.sh start" all kernel modules specified
# in ${ng_ipacct_modules_list} will be loaded.
# Note: on "ng_ipacct.sh stop" only "ng_ipacct" will be unloaded.
# Module loading/unloading is refused once kern.securelevel is raised to 1 or
# higher (see init(8)), so this has to run before securelevel is set.
ng_ipacct_modules_load="YES"

# Netgraph can load required ng_* modules automatically on the hook creation
# - except for "ng_ether". Generally, modules preloading is recommended.
# Do not add to this list modules which are statically compiled into kernel.
# Keep the list to what your hookup scripts actually use: the examples below
# additionally need ng_tee (1, 2, 4, 5), ng_cisco and ng_iface (2),
# ng_ksocket (3, 5), ng_bpf (4) and ng_echo (5) -- or rely on autoloading.
#ng_ipacct_modules_list="netgraph ng_ether ng_cisco ng_socket ng_tee ng_ipacct"
ng_ipacct_modules_list="netgraph ng_ether ng_ipacct"
# List of monitored interfaces. For each interface additional vars must be
# specified in corresponding variables 'ng_ipacct_IFACE_*'.
# IFACE does not have to be a real network interface: it is only the prefix
# of the variable names and the value substituted for '%%iface%%' in the
# hookup scripts (Examples 3 and 5 below use "vpn0" and "ks", neither of
# which is an interface). See examples below.
#ng_ipacct_interfaces="xl0 cx0 vpn0"

# Default start/stop scripts.
#
# Single quotes are required to preserve newlines.
# '%%iface%%' will be automatically expanded with a relevant interface.
# This feature should be applied to use identical rules
# for similar interfaces.
#
# The quoted text is a list of ngctl(8) commands (mkpeer/name/connect/
# shutdown/msg/rmhook) and is presumably handed to ngctl as-is: keep only
# such commands between the quotes and put commentary out here.

# Plain Ethernet tap (used by Example 1):
#   ng_ether "lower" (wire side)  <-> tee:right
#   ng_ether "upper" (stack side) <-> tee:left
# so every frame of the interface is pushed through the tee.  Per ng_tee(4),
# data entering on "right" is forwarded to "left" with a copy on "right2left",
# and data entering on "left" goes to "right" with a copy on "left2right".
# Hence:
#   right2left = frames received from the wire -> ipacct hook %%iface%%_in
#   left2right = frames being transmitted      -> ipacct hook %%iface%%_out
# ng_ipacct only ever sees copies, so it cannot delay or alter the real
# traffic; but while the tee is in place the interface's traffic path runs
# through that node, so be careful when editing the graph on a live interface.
ng_ipacct_default_ether_start='
mkpeer %%iface%%: tee lower right
name %%iface%%:lower %%iface%%_tee
connect %%iface%%: lower upper left

mkpeer %%iface%%_tee: ipacct right2left %%iface%%_in
name %%iface%%_tee:right2left %%iface%%_ip_acct
connect %%iface%%_tee: %%iface%%_ip_acct: left2right %%iface%%_out
'

# Tear-down in dependency order: accounting node, then the tee, then the
# ng_ether hooks.  "shutdown %%iface%%:" on an ng_ether node disconnects its
# hooks and puts the interface back on its normal path; the node itself is
# tied to the interface and persists (see ng_ether(4)).
ng_ipacct_default_ether_stop='
shutdown %%iface%%_ip_acct:
shutdown %%iface%%_tee:
shutdown %%iface%%:
'

# Ethernet tap with an ng_bpf filter in the copy path (used by Example 4).
# The ng_ether/tee part is the same as in ng_ipacct_default_ether_start
# (lower <-> tee:right, upper <-> tee:left); the tee's copy hooks feed ng_bpf
# instead of ng_ipacct:
#   tee:right2left (received)    -> bpf:%%iface%%_in
#   tee:left2right (transmitted) -> bpf:%%iface%%_out
#   bpf:%%iface%%_match_in       -> ipacct:%%iface%%_in
#   bpf:%%iface%%_match_out      -> ipacct:%%iface%%_out
# The "_match_*" hook names mean nothing to ng_bpf by themselves: the filter
# program installed on each bpf hook (NGM_BPF_SET_PROGRAM, loaded by the
# interface's afterstart script) names its own match and no-match destination
# hooks.  No no-match hook is connected here, so copies that fail the filter
# are dropped -- harmless, since they are copies.  What ng_bpf does with a hook
# before a program is installed is defined by ng_bpf(4); check it if accounting
# during start-up matters to you.
ng_ipacct_bpf_ether_start='
mkpeer %%iface%%: tee lower right
name %%iface%%:lower %%iface%%_tee
connect %%iface%%: lower upper left

mkpeer %%iface%%_tee: bpf right2left %%iface%%_in
name %%iface%%_tee:right2left %%iface%%_bpf
connect %%iface%%_tee: right2left left2right %%iface%%_out

mkpeer %%iface%%_bpf: ipacct %%iface%%_match_in %%iface%%_in
name %%iface%%_bpf:%%iface%%_match_in %%iface%%_ip_acct
connect %%iface%%_bpf: %%iface%%_ip_acct: %%iface%%_match_out %%iface%%_out
'

# Tear-down, innermost node first; "shutdown %%iface%%:" only disconnects the
# ng_ether node's hooks (see ng_ether(4)).
ng_ipacct_bpf_ether_stop='
shutdown %%iface%%_ip_acct:
shutdown %%iface%%_bpf:
shutdown %%iface%%_tee:
shutdown %%iface%%:
'

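# EXAMPLE 1. Ethernet interface
#
#   xl0(upper) ------- (left) xl0_tee (right) ------- xl0(lower)
#                               |    |
#                 (right2left)  |    |  (left2right)
#                               |    |
#                        (xl0_in)    (xl0_out)
#                               \    /
#                             xl0_ip_acct
#
# xl0         - ng_ether
# xl0_tee     - ng_tee
# xl0_ip_acct - ng_ipacct
#
# The hook labels above follow the start script: "lower" (wire side) is on
# tee:right, so frames received from the wire are copied on right2left, which
# is wired to xl0_in; transmitted frames are copied on left2right -> xl0_out.
#
# NOTE: Example 4 below assigns the same ng_ipacct_xl0_* variables; when this
# file is sourced the later assignment wins, so copy only one of the two
# examples into a real rc.conf.

# Configuration for 'xl0_ip_acct' node:

ng_ipacct_xl0_dlt="EN10MB"      # required line; see ipacctctl(8)
ng_ipacct_xl0_threshold="15000" # '5000' by default; see ipacctctl(8)
ng_ipacct_xl0_verbose="yes"     # 'yes' by default
ng_ipacct_xl0_saveuid="yes"     # 'no' by default; records uids in the
                                # accounting data (see ipacctctl(8)), i.e.
                                # per-user traffic attribution -- handle the
                                # exported data accordingly
ng_ipacct_xl0_savetime="no"     # 'no' by default
# Unquoted expansion is safe here: sh(1) does no word splitting in an
# assignment, so the embedded newlines of the script survive.
ng_ipacct_xl0_start=${ng_ipacct_default_ether_start}
ng_ipacct_xl0_stop=${ng_ipacct_default_ether_stop}
# This script is called on "stop" (to save accumulated data) or via
# "rc.d/ng_ipacct.sh checkpoint".  It is executed by the rc.d script, i.e. as
# root, early at boot: give an absolute path (neither PATH nor the working
# directory should be relied on there) and keep the script root-owned and not
# writable by other users.
ng_ipacct_xl0_checkpoint_script="/path/to/your/script --checkpoint-and-save xl0"
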
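# EXAMPLE 2. Cronyx Sigma WAN adapter with HDLC encapsulation
#
#   cx0(rawdata) --- (downstream) cx0_hdlc (inet) --- (left) cx0_tee (right) --- (inet) ng0
#                                                              |     |
#                                                (left2right)  |     |  (right2left)
#                                                              |     |
#                                                       (cx0_in)     (cx0_out)
#                                                              \     /
#                                                           cx0_ip_acct
#
# cx0         - ng_cx
# cx0_hdlc    - ng_cisco
# cx0_tee     - ng_tee
# ng0         - ng_iface (created by the start script, name assigned by the kernel)
# cx0_ip_acct - ng_ipacct
#
# Here the line side (cx0_hdlc) sits on tee:left and the IP interface (ng0)
# on tee:right -- the mirror image of the Ethernet scripts, where the wire is
# on tee:right.  Per ng_tee(4), data entering on "left" is copied on
# "left2right", so received traffic is on left2right (-> cx0_in) and
# transmitted traffic on right2left (-> cx0_out).  The copy hooks are
# therefore swapped relative to ng_ipacct_default_ether_start; wiring
# right2left to cx0_in here would swap the in/out accounting and contradict
# the diagram.

# Configuration for 'cx0_ip_acct' node:

ng_ipacct_cx0_dlt="RAW"         # required line; see ipacctctl(8)
ng_ipacct_cx0_start='
mkpeer %%iface%%: cisco rawdata downstream
name %%iface%%:rawdata %%iface%%_hdlc
mkpeer %%iface%%_hdlc: tee inet left
name %%iface%%_hdlc:inet %%iface%%_tee
mkpeer %%iface%%_tee: iface right inet

mkpeer %%iface%%_tee: ipacct left2right %%iface%%_in
name %%iface%%_tee:left2right %%iface%%_ip_acct
connect %%iface%%_tee: %%iface%%_ip_acct: right2left %%iface%%_out
'
# Tear-down: accounting node, tee, then the HDLC node.  The ng_iface node
# (ng0) is not shut down here; since its name is assigned at creation it is
# not known to this script, so it survives with its "inet" hook disconnected
# until shut down by hand (see ng_iface(4)).  The ng_cx node belongs to the
# adapter and is left alone.
ng_ipacct_cx0_stop='
shutdown %%iface%%_ip_acct:
shutdown %%iface%%_tee:
shutdown %%iface%%_hdlc:
'
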
# EXAMPLE 3. PPTP (via mpd), divert traffic to ng_ksocket
#
# Accounting for traffic that has no ng_ether/ng_tee attachment point: ipfw
# "tee" rules copy each packet to a divert port, an ng_ksocket node bound to
# that port receives the copies, and ng_ipacct consumes them.  Because the
# rules are "tee" rather than "divert", the original packet continues through
# ipfw untouched; the copies end in ng_ipacct and go no further, which is the
# intent.
#
# ipfw add tee 4001 ip from any to any via ng0 in
# ipfw add tee 4002 ip from any to any via ng0 out
#
# The port numbers in the rules and in the "bind" messages below must agree:
# "in" rule -> 4001 -> ks_vpn0_in -> vpn0_in, "out" rule -> 4002 -> vpn0_out.
# Divert ports are a local kernel namespace (see divert(4)); binding to
# 0.0.0.0 exposes nothing on the network, the port only has to be unique among
# divert users on this host.
#
#   USER-LEVEL        |  KERNEL-LEVEL
#                     |
#   div4 *.4001 ----> | ----> ks_vpn0_in
#                     |          |
#                     |   (inet/raw/divert)------(vpn0_in)
#                     |                              |
#                     |                         vpn0_ip_acct
#                     |                              |
#                     |   (inet/raw/divert)------(vpn0_out)
#                     |          |
#   div4 *.4002 ----> | ----> ks_vpn0_out
#
# ks_vpn0_in   - ng_ksocket
# ks_vpn0_out  - ng_ksocket
# vpn0_ip_acct - ng_ipacct
#
# "vpn0" is only the name prefix for the variables and nodes: the traffic
# comes from the ipfw rules (interface ng0), there is no %%iface%%: node and
# no ng_ether involvement.

ng_ipacct_vpn0_dlt="RAW"
# The ipacct node has to be created from somewhere, so it is first attached to
# ngctl's own socket node (".") through a throwaway hook named "dummy", named,
# wired to the two ksocket nodes, and finally the "dummy" hook is removed.
ng_ipacct_vpn0_start='
mkpeer ipacct dummy dummy
name .:dummy %%iface%%_ip_acct

mkpeer %%iface%%_ip_acct: ksocket %%iface%%_in inet/raw/divert
name %%iface%%_ip_acct:%%iface%%_in ks_%%iface%%_in
msg ks_%%iface%%_in: bind inet/0.0.0.0:4001

mkpeer %%iface%%_ip_acct: ksocket %%iface%%_out inet/raw/divert
name %%iface%%_ip_acct:%%iface%%_out ks_%%iface%%_out
msg ks_%%iface%%_out: bind inet/0.0.0.0:4002

rmhook .:dummy
'
# Only the ipacct node is shut down explicitly; this presumably relies on each
# ng_ksocket going away when its only hook is disconnected -- confirm against
# ng_ksocket(4) on your release, or add explicit "shutdown ks_%%iface%%_in:" /
# "shutdown ks_%%iface%%_out:" lines if the sockets linger.
ng_ipacct_vpn0_stop='
shutdown %%iface%%_ip_acct:
'

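# EXAMPLE 4. Ethernet interface with BPF
#
# Same tap as Example 1, but the copies pass through an ng_bpf node first so
# that only packets matching the loaded filter reach ng_ipacct.
#
#   xl0(upper) ------- (left) xl0_tee (right) ------- xl0(lower)
#                               |    |
#                 (right2left)  |    |  (left2right)
#                               |    |
#                        (xl0_in)    (xl0_out)
#                               \    /
#                               xl0_bpf
#                               /    \
#               (xl0_match_in)        (xl0_match_out)
#                               |    |
#                        (xl0_in)    (xl0_out)
#                               \    /
#                             xl0_ip_acct
#
# xl0         - ng_ether
# xl0_tee     - ng_tee
# xl0_bpf     - ng_bpf
# xl0_ip_acct - ng_ipacct
#
# Hook labels follow the start script: "lower" (wire side) is on tee:right,
# so frames received from the wire are copied on right2left -> bpf:xl0_in and
# transmitted frames on left2right -> bpf:xl0_out.  Which bpf hook receives
# the matching packets is decided by the program your afterstart script
# installs (NGM_BPF_SET_PROGRAM names the match/no-match hooks); the
# "_match_*" names here are a convention that program must follow.  No
# no-match hook is connected, so filtered-out copies are dropped.
#
# NOTE: this assigns the same ng_ipacct_xl0_* variables as Example 1; when the
# file is sourced this later assignment wins, so copy only one of the two
# examples into a real rc.conf.

# Configuration for 'xl0_ip_acct' node:

ng_ipacct_xl0_dlt="EN10MB"      # required line; see ipacctctl(8)
ng_ipacct_xl0_threshold="15000" # '5000' by default; see ipacctctl(8)
ng_ipacct_xl0_verbose="yes"     # 'yes' by default
ng_ipacct_xl0_saveuid="yes"     # 'no' by default; records uids in the
                                # accounting data (see ipacctctl(8)), i.e.
                                # per-user traffic attribution -- handle the
                                # exported data accordingly
ng_ipacct_xl0_savetime="no"     # 'no' by default
# Unquoted expansion is safe here: sh(1) does no word splitting in an
# assignment, so the embedded newlines of the script survive.
ng_ipacct_xl0_start=${ng_ipacct_bpf_ether_start}
ng_ipacct_xl0_stop=${ng_ipacct_bpf_ether_stop}
# Both helper scripts below are executed by the rc.d script, i.e. as root,
# early at boot: give absolute paths (neither PATH nor the working directory
# should be relied on there) and keep the scripts root-owned and not writable
# by other users.
#
# Called on "stop" (to save accumulated data) or via
# "rc.d/ng_ipacct.sh checkpoint".
ng_ipacct_xl0_checkpoint_script="/path/to/your/script --checkpoint-and-save xl0"
# Called just after initialization of the nodes, to load the filter program
# into xl0_bpf.  Until it has run, xl0_bpf has whatever program ng_bpf(4)
# installs by default, so accounting of the first packets after start-up
# depends on that default.
ng_ipacct_xl0_afterstart_script="/path/to/your/script --load-bpf-filters xl0"
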
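# EXAMPLE 5. Really _divert_ traffic to ng_ksocket
#
# Unlike Example 3 this uses ipfw "divert", so the packets themselves (not
# copies) leave the stack through the divert port and must be handed back:
# each ng_ksocket feeds an ng_tee whose "right" side is an ng_echo, which
# bounces every packet straight back through the tee to the ksocket for
# re-injection, while the tee's left2right copy goes to ng_ipacct.
#
# ipfw add divert 4001 ip from any to any via em0 in
# ipfw add divert 4002 ip from any to any via em0 out
#
# CAVEAT (fail-closed): divert(4) drops packets sent to a divert port that no
# socket is bound to.  With the rules above installed, all traffic via em0
# stops whenever the ksocket nodes are not up -- if this start script fails,
# and between "ng_ipacct.sh stop" and removal of the ipfw rules.  Install and
# remove the ipfw rules together with the nodes (from the firewall script or
# from these hooks) and do not treat the accounting graph as optional here.
# The port numbers in the rules and in the "bind" messages must agree.
#
#   USER-LEVEL        |  KERNEL-LEVEL
#                     |
#   div4 *.4001 ->|-> ipfw_ks_in                       in-(ipfw_echo_in)
#                     |      |                              |
#                     |   (inet/raw/divert)---(left)-(ipfw_tee_in)-right
#                     |                                  |
#                     |                            left2right---(ipfw_in)
#                     |                                             |
#                     |                                        ipfw_ip_acct
#                     |                                             |
#                     |                            left2right---(ipfw_out)
#                     |                                  |
#                     |   (inet/raw/divert)---(left)-(ipfw_tee_out)-right
#                     |      |                              |
#   div4 *.4002 ->|-> ipfw_ks_out                      out-(ipfw_echo_out)
#
# ipfw_ks_in   - ng_ksocket
# ipfw_ks_out  - ng_ksocket
# ipfw_tee_in  - ng_tee
# ipfw_tee_out - ng_tee
# ipfw_ip_acct - ng_ipacct
# ipfw_echo_in - ng_echo
# ipfw_echo_out - ng_echo
#
# The diagram uses the prefix "ipfw"; the variables below use "ks" as the
# %%iface%% name, so the real node names are ks_ip_acct, ks_tee_in, ks_ks_in,
# ks_echo_in and so on.  "ks" is not an interface, only a name prefix.

# The ipacct node is created through a throwaway hook on ngctl's own node
# ("."), named, wired up, and the "dummy" hook is removed at the end.
ng_ipacct_ks_start='
mkpeer ipacct dummy dummy
name .:dummy %%iface%%_ip_acct

mkpeer %%iface%%_ip_acct: tee %%iface%%_in left2right
name %%iface%%_ip_acct:%%iface%%_in %%iface%%_tee_in
mkpeer %%iface%%_ip_acct: tee %%iface%%_out left2right
name %%iface%%_ip_acct:%%iface%%_out %%iface%%_tee_out

mkpeer %%iface%%_tee_in: echo right in
name %%iface%%_tee_in:right %%iface%%_echo_in
mkpeer %%iface%%_tee_out: echo right out
name %%iface%%_tee_out:right %%iface%%_echo_out

mkpeer %%iface%%_tee_in: ksocket left inet/raw/divert
name %%iface%%_tee_in:left %%iface%%_ks_in
msg %%iface%%_ks_in: bind inet/0.0.0.0:4001

mkpeer %%iface%%_tee_out: ksocket left inet/raw/divert
name %%iface%%_tee_out:left %%iface%%_ks_out
msg %%iface%%_ks_out: bind inet/0.0.0.0:4002

rmhook .:dummy
'
# Tear-down.  The accounting node is shut down explicitly, as in the other
# examples, rather than left behind hookless; then the ksockets (at which
# point diverted traffic is dropped until the ipfw rules go -- see the caveat
# above) and the tees.  The ng_echo nodes lose their only hook with the tees.
ng_ipacct_ks_stop='
shutdown %%iface%%_ip_acct:
shutdown %%iface%%_ks_in:
shutdown %%iface%%_ks_out:
shutdown %%iface%%_tee_in:
shutdown %%iface%%_tee_out:
'
ng_ipacct_ks_dlt="RAW"          # required line; see ipacctctl(8)
ng_ipacct_ks_threshold="15000"  # '5000' by default; see ipacctctl(8)
ng_ipacct_ks_verbose="yes"      # 'yes' by default
ng_ipacct_ks_saveuid="yes"      # 'no' by default; records uids in the
                                # accounting data (see ipacctctl(8)), i.e.
                                # per-user traffic attribution -- handle the
                                # exported data accordingly
ng_ipacct_ks_savetime="no"      # 'no' by default
# Called on "stop" (to save accumulated data) or via
# "rc.d/ng_ipacct.sh checkpoint".  Executed by the rc.d script as root, early
# at boot: give an absolute path (neither PATH nor the working directory should
# be relied on there) and keep the script root-owned and not writable by
# other users.
ng_ipacct_ks_checkpoint_script="/path/to/your/script --checkpoint-and-save ks"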