......@@ -24,25 +24,31 @@ from typing import List
"""
Remove the ipt_NETFLOW module if it exists and then insert it with the new parameters
"""
MODPROBE_TEMPLATE = "sudo modprobe -rq ipt_NETFLOW; sudo modprobe ipt_NETFLOW destination={collector_ip}:{port} protocol=9"
MODPROBE_TEMPLATE = "sudo modprobe -r ipt_NETFLOW;" \
"sudo modprobe ipt_NETFLOW destination={collector_ip}:{port} protocol=9 active_timeout={active_timeout}"
IPTABLES_LINE_TEMPLATE = "sudo ip6tables -D {table} -j NETFLOW 2>/dev/null; sudo ip6tables -I {table} -j NETFLOW"
IPTABLES_DELETE_LINE_TEMPLATE = "sudo ip6tables -D {table} -j NETFLOW"
IPTABLES_COLLECT_LINE_TEMPLATE = "sudo ip6tables -I {table} -j NETFLOW"
def _write_iptables_commands(router_sessions, iptables_commands: List[str]) -> None:
ssh_helper.run_commands_on_many_hosts(router_sessions, iptables_commands)
def _write_iptables_commands(router_sessions, iptables_commands: List[str]) -> List[str]:
outputs = ssh_helper.run_commands_on_many_hosts(router_sessions, iptables_commands)
return outputs
def _write_modprobe_commands(router_sessions, modprobe_commands: List[str]) -> None:
ssh_helper.run_commands_on_many_hosts(router_sessions, modprobe_commands)
def _write_modprobe_commands(router_sessions, modprobe_commands: List[str]) -> List[str]:
outputs = ssh_helper.run_commands_on_many_hosts(router_sessions, modprobe_commands)
return outputs
def _build_iptables_lines(number: int) -> List[str]:
def _build_iptables_lines(number: int, template: str) -> List[str]:
"""
Build the iptables to collect all netflow traffic
:param number: Build this many copies. There is nothing node-unique about the iptables command.
:param template: Use this template. Should be one of the constants defined above.
"""
line = " && ".join([IPTABLES_LINE_TEMPLATE.format(
line = " && ".join([template.format(
table=table,
) for table in ["INPUT", "OUTPUT", "FORWARD"]])
return [line] * number
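Review bot: The two new `_write_*_commands` wrappers are now the same function with different parameter names, each reduced to `outputs = ssh_helper.run_commands_on_many_hosts(...); return outputs`; one wrapper (or a direct call at the call sites) would say the same thing, and `return ssh_helper.run_commands_on_many_hosts(router_sessions, commands)` avoids the throwaway local. Separately, `MODPROBE_TEMPLATE` is a shell line run under sudo on every border router with `collector_ip` and `port` substituted by `str.format`, so nothing in this hunk keeps a value containing `;`, whitespace or quotes from becoming extra shell words; validating the address where it enters this module with `ipaddress.ip_address(collector_ip)` (or quoting with `shlex.quote`) keeps the command to what the template intends. The rewritten template also drops `-q` from `modprobe -r`, so a module that is not loaded now prints an error before the `;` — harmless to the final exit status, but it will appear in the outputs the wrapper now returns; `"sudo modprobe -rq ipt_NETFLOW;"` preserves the old quiet behaviour.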
......@@ -57,6 +63,7 @@ def _build_modprobe_lines(netgraph: networkx.Graph, port_nums: List[int], collec
lines: List[str] = [MODPROBE_TEMPLATE.format(
collector_ip=collector_ip,
port=port,
active_timeout=15, # Report active flows every 15 seconds
) for port in port_nums]
return lines
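Review bot: `active_timeout=15` is a magic number buried in a format call, with its meaning carried only by the trailing comment; the other tunables in this file are module-level constants, so this one should be too, e.g. `NETFLOW_ACTIVE_TIMEOUT_SECONDS = 15  # report active flows at this interval` next to `MODPROBE_TEMPLATE`, then `active_timeout=NETFLOW_ACTIVE_TIMEOUT_SECONDS,` here. The docstring of `_build_modprobe_lines` (which starts before this hunk) should also mention that the generated line reports active flows at that interval, since it now changes what the module emits.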
......@@ -83,12 +90,14 @@ def configure(netgraph: networkx.Graph, collector_node: str, border_routers: Lis
router_sessions = [netgraph._node[node]['session'] for node in border_routers]
port_nums: List[int] = _get_port_nums(netgraph, border_routers)
iptables_delete_lines: List[str] = _build_iptables_lines(len(border_routers), IPTABLES_DELETE_LINE_TEMPLATE)
modprobe_lines: List[str] = _build_modprobe_lines(netgraph, port_nums, collector_node)
iptables_collect_lines: List[str] = _build_iptables_lines(len(border_routers), IPTABLES_COLLECT_LINE_TEMPLATE)
iptables_lines: List[str] = _build_iptables_lines(len(border_routers))
# Deleting the iptables rules is expected to fail when no such rules exist. Run it with no error checking.
ssh_helper.unchecked_run_commands_on_many_hosts(router_sessions, iptables_delete_lines)
_write_modprobe_commands(router_sessions, modprobe_lines)
_write_iptables_commands(router_sessions, iptables_lines)
_write_iptables_commands(router_sessions, iptables_collect_lines)
if __name__ == "__main__":
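Review bot: The delete step is run unchecked, so any failure other than "no such rule" (ssh failure, sudo denial, a wrong chain name) is silently swallowed, and the `-I` that follows then inserts a second NETFLOW rule beside the one that was never removed; because `-D` removes only one matching rule, repeated runs can stack duplicates. A check-then-insert form makes the collect step idempotent without the unchecked call, e.g. `IPTABLES_COLLECT_LINE_TEMPLATE = "sudo ip6tables -C {table} -j NETFLOW 2>/dev/null || sudo ip6tables -I {table} -j NETFLOW"`, leaving the unchecked delete only for explicit teardown. Also, `_write_modprobe_commands` and `_write_iptables_commands` were changed in this commit to return the command outputs, but both calls here still discard them, so the new return value has no reader; either log the outputs here or keep the `-> None` signatures. `configure` begins before this hunk.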