
[sfacctd] Filtering traffic by interface #784

Closed
Tucaa opened this issue May 14, 2024 · 5 comments

Tucaa commented May 14, 2024

Hi Paolo,

I've been experimenting with the sfacctd daemon and I'm curious if it's possible to filter traffic only on specified interfaces. I need to apply this filter to a set of five tables, not all data. I attempted to add this filter as a pre_tag_filter in the pre-tag.map file. For testing purposes, I added the following to the pre-tag.map file:

set_tag=1 in_iface=100005
set_tag=2 out_iface=100005

In the sfacctd.conf file, I configured:
pre_tag_filter[mytable5in]: 1

However, this didn't yield the desired results.

I'm wondering if it's possible to filter traffic based on the inbound and outbound interfaces, and what would be the best approach to achieve this. Let me know if you need more information.

Milan

paololucente (Member) commented

Hi Milan ( @Tucaa ),

The way I would recommend, yes, is pre_tag_map + pre_tag_filter. When you say "this didn't yield the desired results", can you characterize this better? For sure, I guess, you see the flows entering interface 100005 making it through but not those exiting. For that the map would need to be re-written as:

! flows entering the monitored interfaces; on a match, jump to the out_ifaces block
set_tag=1 in_iface=100005      label=in_ifaces   jeq=out_ifaces
set_tag=1 in_iface=X
set_tag=1 in_iface=Y
set_tag=1 in_iface=Z

! flows exiting the monitored interfaces
set_tag=2 out_iface=100005     label=out_ifaces
set_tag=2 out_iface=X
set_tag=2 out_iface=Y
set_tag=2 out_iface=Z

In other words, you influence the flow of evaluation of pre_tag_map using jeq (jump on equal, i.e. go to another instruction set if you get a match, don't just exit) and label instructions (the label pointed to by the jeq).

Let me know if there is more.

Paolo


Tucaa commented May 17, 2024

Regarding the results, the issue was with writing data to the database. I analyzed the syslog (see picture 1) and found that sfacctd did not write anything to the database table with the applied filter. I tried your suggested approach, but nothing changed. Additionally, there was a warning when sfacctd started (see picture 2). I read the documentation and tried replacing "in_iface/out_iface" with "in/out" (see picture 3). This made the warning disappear, but the results remained the same.
(Attached screenshots: picture 1 "syslogss", picture 2 "warning", picture 3 "pre_tag".)

I am willing to send my configuration file and pre-tag.map via email for further analysis.

Milan

paololucente (Member) commented

Hi Milan ( @Tucaa ),

Oversight from my side: in_iface and out_iface do not exist in the context of pre_tag_map. There is in (input interface) and out (output interface). Can you re-write in_iface as in and out_iface as out and give it another try?

Paolo
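To make the jeq/label mechanics from the earlier map and the in/out key correction above concrete, here is an added illustration (not pmacct's own code) that models, in simplified form, how a pre_tag_map with jeq and label entries tags flows and how pre_tag_filter then selects tagged flows for one plugin. The semantics are an assumption: entries are evaluated top to bottom, the first match sets the tag and stops unless it carries jeq, in which case evaluation resumes at the labelled entry, and a later match overwrites the tag. The second interface 100006 and the sample flows are constructed for the example; only the in and out keys are modelled.

```python
"""Toy model of pmacct pre_tag_map evaluation with jeq/label, plus pre_tag_filter.

Added illustration, not pmacct's own code. Assumed (simplified) semantics:
entries are evaluated top to bottom; the first matching entry sets the tag and
ends evaluation, unless it carries jeq=<label>, in which case evaluation resumes
at the entry that carries label=<label>; a later match overwrites the tag.
Only the 'in' and 'out' interface keys are modelled, with '!' as the comment
marker. Interface indexes other than 100005 are constructed for the example."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    set_tag: int
    match: dict                  # e.g. {"in": 100005}
    label: Optional[str] = None  # name other entries can jump to
    jeq: Optional[str] = None    # jump on equal: continue at this label after a match


def parse_map(text: str) -> list:
    """Parse pre_tag_map style lines such as 'set_tag=1 in=100005 label=a jeq=b'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        entries.append(Entry(
            set_tag=int(kv.pop("set_tag")),
            label=kv.pop("label", None),
            jeq=kv.pop("jeq", None),
            match={k: int(v) for k, v in kv.items()},
        ))
    return entries


def evaluate(entries: list, flow: dict) -> int:
    """Return the tag for a flow given as {'in': ifindex, 'out': ifindex}; 0 if untagged."""
    labels = {e.label: i for i, e in enumerate(entries) if e.label}
    tag, i, jumps = 0, 0, 0
    while i < len(entries):
        e = entries[i]
        if all(flow.get(k) == v for k, v in e.match.items()):
            tag = e.set_tag
            if e.jeq is None:
                break                      # plain match: stop here
            jumps += 1
            if jumps > len(entries):       # guard against a label that loops back
                raise ValueError("jeq loop in map")
            i = labels[e.jeq]              # jump on equal: resume at the label
            continue
        i += 1
    return tag


def apply_filter(entries: list, flows: list, allowed_tags: set) -> list:
    """Model pre_tag_filter[plugin]: keep only flows whose tag is in allowed_tags."""
    return [f for f in flows if evaluate(entries, f) in allowed_tags]


# Constructed map using the 'in'/'out' keys confirmed in the thread; 100006 is a
# hypothetical second monitored interface. Tag 1 = entering, tag 2 = leaving.
PRE_TAG_MAP = """
! entering the monitored interfaces
set_tag=1 in=100005   label=in_ifaces   jeq=out_ifaces
set_tag=1 in=100006                     jeq=out_ifaces
! leaving the monitored interfaces
set_tag=2 out=100005  label=out_ifaces
set_tag=2 out=100006
"""

# Constructed sample flows (ifindex pairs only, as carried in sFlow samples).
FLOWS = [
    {"in": 100005, "out": 7},        # enters 100005              -> tag 1
    {"in": 7,      "out": 100005},   # leaves 100005              -> tag 2
    {"in": 100005, "out": 100006},   # enters one, leaves another -> tag 2 (overwritten)
    {"in": 7,      "out": 8},        # unrelated transit          -> tag 0
]

if __name__ == "__main__":
    entries = parse_map(PRE_TAG_MAP)
    for f in FLOWS:
        print(f, "->", evaluate(entries, f))
    print("mytable5in (pre_tag_filter: 1):", apply_filter(entries, FLOWS, {1}))
```

The third sample flow shows the consequence of the modelled semantics worth checking against a real deployment: a flow that enters one monitored interface and leaves another is first tagged 1, then jumps to the out_ifaces block and is re-tagged 2, so the plugin filtered on tag 1 never sees it. If both directions of such transit traffic must reach a table, the filter or the map needs to account for that case rather than relying on the first match alone.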


Tucaa commented May 20, 2024

Hi Paolo,

Sorry about the delayed response. I've tried using the in and out keys (instead of in_iface and out_iface), and it works. Thank you for the assistance!

Milan

paololucente (Member) commented

Perfect Milan, thanks for confirming. Paolo
