SNMP support.

Author: aabc

IPT-NETFLOW-MIB.my

@@ -8,13 +8,18 @@ IPTABLES_CFLAGS = @IPTABLES_CFLAGS@
 IPTABLES_MODULES = @IPTABLES_MODULES@
 DEPMOD = depmod -a
 CARGS = @CARGS@
+SNMPTGSO = /usr/lib/snmp/dlmod/@SNMPTARGET@
+SNMPCONF = /etc/snmp/snmpd.conf
+SNMPLINE = dlmod netflow $(SNMPTGSO)
+CC = gcc
 
 # https://www.kernel.org/doc/Documentation/kbuild/modules.txt
 # https://www.kernel.org/doc/Documentation/kbuild/makefiles.txt
 obj-m = ipt_NETFLOW.o
 ccflags-y = @KOPTS@
 
-all: ipt_NETFLOW.ko libipt_NETFLOW.so libip6t_NETFLOW.so
+all: ipt_NETFLOW.ko libipt_NETFLOW.so libip6t_NETFLOW.so @SNMPTARGET@
+
 ipt_NETFLOW.ko: version.h ipt_NETFLOW.c ipt_NETFLOW.h Makefile
 	@echo Compiling for kernel $(KVERSION)
 	make -C $(KDIR) M=$(CURDIR) modules
@@ -25,6 +30,7 @@ sparse: | version.h ipt_NETFLOW.c ipt_NETFLOW.h Makefile
 	make -C $(KDIR) M=$(CURDIR) modules C=1
 	@touch ipt_NETFLOW.ko
 minstall: | ipt_NETFLOW.ko
+	@echo " *"
 	make -C $(KDIR) M=$(CURDIR) modules_install INSTALL_MOD_PATH=$(DESTDIR)
 	$(DEPMOD)
 mclean:
@@ -34,6 +40,26 @@ lclean:
 clean: mclean lclean
 	-rm -f *.so *.o modules.order version.h
 
+snmp_NETFLOW.so: snmp_NETFLOW.c
+	$(CC) `net-snmp-config --cflags` -fPIC -shared -g -O0 -o $@ $< `net-snmp-config --libs`
+
+sinstall: | snmp_NETFLOW.so IPT-NETFLOW-MIB.my
+	@echo " *"
+	install -D IPT-NETFLOW-MIB.my $(DESTDIR)/usr/share/snmp/mibs/IPT-NETFLOW-MIB.my
+	install -D snmp_NETFLOW.so $(DESTDIR)$(SNMPTGSO)
+	@if ! egrep -qs "^ *$(SNMPLINE)" $(SNMPCONF); then \
+	echo " *"; \
+	echo " *  Add this line to $(SNMPCONF) to enable IPT-NETFLOW-MIB:"; \
+	echo " *"; \
+	echo " *     $(SNMPLINE)"; \
+	echo " *"; \
+	fi
+	@if killall -0 snmpd >/dev/null 2>&1; then \
+	  echo " *  (snmpd needs restart for changes to take effect.)"; \
+	else \
+	  echo " *  (snmpd is not started.)"; \
+	fi
+
 %_sh.o: libipt_NETFLOW.c
 	gcc -O2 -Wall -Wunused $(IPTABLES_CFLAGS) -fPIC -o $@ -c libipt_NETFLOW.c
 
@@ -48,10 +74,11 @@ version.h: ipt_NETFLOW.c ipt_NETFLOW.h Makefile
 	fi > version.h
 
 linstall: | libipt_NETFLOW.so libip6t_NETFLOW.so
+	@echo " *"
 	install -D libipt_NETFLOW.so $(DESTDIR)$(IPTABLES_MODULES)/libipt_NETFLOW.so
 	install -D libip6t_NETFLOW.so $(DESTDIR)$(IPTABLES_MODULES)/libip6t_NETFLOW.so
 
-install: minstall linstall
+install: minstall linstall @SNMPINSTALL@
 
 uninstall:
 	-rm -f $(DESTDIR)$(IPTABLES_MODULES)/libipt_NETFLOW.so

Makefile.in

@@ -32,6 +32,8 @@ ipt_NETFLOW linux 2.6.x-3.x kernel module by <abc@telekom.ru> -- 2008-2014.
    * Deterministic (systematic count-based), random and hash Flow Sampling.
      With appropriate differences in support of v5, v9, and IPFIX.
 
+   * SNMP agent (for net-snmp) for remote management and monitoring.
+
    * Options Templates (v9/IPFIX) let export useful statistical,
      configurational, and informational records to collector.
      Such as metering, exporting, sampling stat and reliability stat, sampling 
@@ -65,7 +67,7 @@ ipt_NETFLOW linux 2.6.x-3.x kernel module by <abc@telekom.ru> -- 2008-2014.
 = INSTALLATION =
 ================
 
-   Four easy steps.
+   Five easy steps.
 
 ** 1. Prepare Kernel source
 
@@ -122,7 +124,23 @@ ipt_NETFLOW linux 2.6.x-3.x kernel module by <abc@telekom.ru> -- 2008-2014.
 
    c) Otherwise, for raw iptables source build it and make install.
 
-** 3. Now, to actually build the module run:
+** 3. Prepare net-snmp (optional)
+
+  In case you want to manage or monitor module performance via SNMP you
+  may install net-snmp. If you want to skip this step run configure
+  with --disable-snmp-agent option.
+
+  a) For Centos:
+
+      # yum install net-snmp net-snmp-devel
+
+  b) For Debian:
+
+      # apt-get install snmpd libsnmp-dev
+
+  c) Otherwise install net-snmp from www.net-snmp.org
+
+** 4. Now, to actually build the module run:
 
       ~/ipt-netflow# ./configure
       ~/ipt-netflow# make all install
@@ -143,7 +161,13 @@ ipt_NETFLOW linux 2.6.x-3.x kernel module by <abc@telekom.ru> -- 2008-2014.
      c) If you have sources in non-standard places or configure isn't able to
      find something run ./configure --help to see how to specify paths manually.
 
-** 4. After this point you should be able to load module and
+     d) On Debian:
+       `gcc: error: unrecognized command line option `-fstack-protector-strong''
+       `Makefile:43: recipe for target 'snmp_NETFLOW.so' failed'
+     Solution is to install gcc-4.9: apt-get install gcc-4.9
+       then compile with: make CC=gcc-4.9
+
+** 5. After this point you should be able to load module and
      use -j NETFLOW target in your iptables. See next section.
 
 
@@ -161,6 +185,16 @@ ipt_NETFLOW linux 2.6.x-3.x kernel module by <abc@telekom.ru> -- 2008-2014.
          install' you'll need to load nf_conntrack manually.
          Read below for explanation of natevents.
 
+     --enable-sampler
+         enables flow sampler. Read below for explanation of its configuration
+	 option.
+
+     --enable-sampler=hash
+         additionally enables 'hash' sampler.
+
+     --disable-snmp-agent
+         disables building net-snmp agent module, which is enabled by default.
+
      --enable-snmp-rules
          enables SNMP-index conversion rules. Read below for explanation
          of snmp-rules.
@@ -184,13 +218,6 @@ ipt_NETFLOW linux 2.6.x-3.x kernel module by <abc@telekom.ru> -- 2008-2014.
          ingress flows(0), in OUTPUT and POSTROUTING as egress flows(1), and
          in FORWARD will have flowDirection set to undefined value 255.
 
-     --enable-sampler
-         enables flow sampler. Read below for explanation of its configuration
-	 option.
-
-     --enable-sampler=hash
-         additionally enables 'hash' sampler.
-
      --disable-aggregation
          disables aggregation rules (they are enabled by default).
          Read below for explanation of aggregation.
@@ -220,6 +247,7 @@ ipt_NETFLOW linux 2.6.x-3.x kernel module by <abc@telekom.ru> -- 2008-2014.
      options ipt_NETFLOW destination=127.0.0.1:2055 protocol=9 natevents=1
 
 2. Statistics is in /proc/net/stat/ipt_netflow
+   Machine readable statistics is in /proc/net/stat/ipt_netflow_snmp
    To view boring slab statistics: grep ipt_netflow /proc/slabinfo
 
 3. You can view parameters and control them via sysctl, example:
@@ -267,13 +295,81 @@ ipt_NETFLOW linux 2.6.x-3.x kernel module by <abc@telekom.ru> -- 2008-2014.
    For details on how they are exported for different protocol versions see
    below.
 
+7. For SNMP support you will need to add this command into snmpd.conf to
+   enable IPT-NETFLOW-MIB in SNMP agent:
+
+      dlmod netflow /usr/lib/snmp/dlmod/snmp_NETFLOW.so
+
+   Restart snmpd for changes to take effect. Don't forget to properly configure
+   access control. Example simplest configuration may looks like (note that this
+   is whole /etc/snmp/snmpd.conf):
+
+      rocommunity public 127.0.0.1
+      dlmod netflow /usr/lib/snmp/dlmod/snmp_NETFLOW.so
+
+   Note, that this config will also allow _full_ read-only access to the whole
+   linux MIB. To install IPT-NETFLOW-MIB locally, copy file IPT-NETFLOW-MIB.my
+   into ~/.snmp/mibs/
+   To check that MIB is installed well you may issue:
+
+     $ snmptranslate -m IPT-NETFLOW-MIB -IR -Tp iptNetflowMIB
+
+   This should output IPT-NETFLOW-MIB in tree form.
+
+   To check that snmp agent is working well issue:
+
+     $ snmpwalk -v 1 -c public 127.0.0.1 -m IPT-NETFLOW-MIB iptNetflowMIB
+
+   Should output full MIB. If MIB is not installed try:
+
+     $ snmpget -v 1 -c public 127.0.0.1 .1.3.6.1.4.1.37476.9000.10.1.1.1.1.0
+
+   Which should output STRING: "ipt_NETFLOW".
+
+   MIB profides access to very similar statistics that you have in
+   /proc/net/stat/ipt_netflow, you can read description of objects in
+   text file IPT-NETFLOW-MIB.my
+
+   If you want to access to SNMP stat in machine readable form for your
+   scripts there is file /proc/net/stat/ipt_netflow_snmp
+
+   Note: Using of SNMP v2c or v3 is mandatory for most tables, because
+   this MIB uses 64-bit counters (Counter64) which is not supported in old
+   SNMP v1. You shoudl understand that 32-bit counter will wrap on 10Gbit
+   traffic in just 3.4 seconds! So, always pass option `-v2c' or `-v3'
+   to net-snmp utils. Or, for example, configure option `defVersion 2c'
+   in ~/.snmp/snmp.conf  You can also have `defCommunity public' ov v3
+   auth parameters (defSecurityName, defSecurityLevel, defPassphrase)
+   set there (man snmp.conf).
+
+   Examples for dumping typical IPT-NETFLOW-MIB objects:
+
+   - Module info (similar to modinfo, SNMPv1 is ok for following two objects):
+
+     $ snmpwalk -v 1 -c public 127.0.0.1 -m IPT-NETFLOW-MIB iptNetflowModule
+
+   - Read-write sysctl-like parameters (yes, they are writable via snmpset, you
+     may need to configure write access to snmpd, though):
+
+     $ snmpwalk -v 1 -c public 127.0.0.1 -m IPT-NETFLOW-MIB iptNetflowSysctl
+
+   - Global performance stat of the module (note -v2c, because rest of the
+     objects require SNMP v2c or SNMP v3):
+
+     $ snmpwalk -v2c -c public 127.0.0.1 -m IPT-NETFLOW-MIB iptNetflowTotals
+
+   - Per-CPU (metering) and per-socket (exporting) statistics in table format:
+
+     $ snmptable -v2c -c public 127.0.0.1 -m IPT-NETFLOW-MIB iptNetflowCpuTable
+     $ snmptable -v2c -c public 127.0.0.1 -m IPT-NETFLOW-MIB iptNetflowSockTable
+
 
 ===========
 = OPTIONS =
 ===========
 
    Options can be passed as parameters to module or changed dynamically
-   via  sysctl net.netflow
+   via  sysctl net.netflow  or  IPT-NETFLOW-MIB::iptNetflowSysctl
 
    protocol=5
      - what version of NetFlow protocol to use. Default is 5.
@@ -435,8 +531,8 @@ ipt_NETFLOW linux 2.6.x-3.x kernel module by <abc@telekom.ru> -- 2008-2014.
   Statistics is your friend to fine tune and understand netflow module
   performance.
 
-  To see stat:
-  # cat /proc/net/stat/ipt_netflow
+  To see stat in human readable form:
+    # cat /proc/net/stat/ipt_netflow
 
   How to interpret the data:
 

README

@@ -260,6 +260,7 @@ show_help() {
   echo "  --enable-sampler=hash  enables Hash sampler"
   echo "  --disable-aggregation  disables aggregation rules"
   echo "  --enable-promisc       enables promisc hack"
+  echo "  --disable-snmp-agent   disables net-snmp agent"
   exit 0
 }
 
@@ -281,15 +282,17 @@ do
     --kdir=*)      KDIR="$ac_optarg" ;;
     --enable-nat*)   KOPTS="$KOPTS -DENABLE_NAT" ;;
     --enable-debug*) KOPTS="$KOPTS -DENABLE_DEBUGFS" ;;
-    --enable-snmp*)  KOPTS="$KOPTS -DSNMP_RULES" ;;
     --enable-mac*)   KOPTS="$KOPTS -DENABLE_MAC" ;;
     --enable-vlan*)  KOPTS="$KOPTS -DENABLE_VLAN" ;;
     --enable-direc*) KOPTS="$KOPTS -DENABLE_DIRECTION" ;;
     --enable-sampl*hash) KOPTS="$KOPTS -DENABLE_SAMPLER -DSAMPLING_HASH" ;;
     --enable-sampl*) KOPTS="$KOPTS -DENABLE_SAMPLER" ;;
     --disable-aggr*) KOPTS="$KOPTS -DDISABLE_AGGR" ;;
-    --enable-promisc*) KOPTS="$KOPTS -DENABLE_PROMISC" ;;
-    --make) echo called from make ;;
+    --enable-promi*) KOPTS="$KOPTS -DENABLE_PROMISC" ;;
+    --enable-snmp-r*)  KOPTS="$KOPTS -DENABLE_SNMP" ;;
+    --disable-snmp-a*)   SKIPSNMP=1 ;;
+    --disable-net-snmp*) SKIPSNMP=1 ;;
+    --make) echo called from make; CARGS=`echo $CARGS | sed s/--make//g` ;;
     -Werror) KOPTS="$KOPTS -Werror" ;;
     --help|-h) show_help ;;
     -*) echo Invalid option: $ac_option; exit 1 ;;
@@ -410,6 +413,67 @@ kernel_check_features() {
   kernel_check_include include/linux/llist.h -DHAVE_LLIST
 }
 
+snmp_check() {
+  test "$SKIPSNMP" && return
+
+  echo -n "Searching for net-snmp-config... "
+  if type -p net-snmp-config > /dev/null; then
+    echo Yes `type -p net-snmp-config`
+  else
+    echo No.
+    SNMPCONFIG=no
+  fi
+
+  echo -n "Searching for net-snmp agent... "
+  if [ -s /etc/redhat-release ]; then
+    if ! rpm --quiet -q net-snmp; then
+      echo No.
+      SNMPADD="do:  yum install net-snmp"
+      if [ "$SNMPCONFIG" ]; then
+	SNMPADD="$SNMPADD net-snmp-devel"
+      fi
+    else
+      echo Yes.
+    fi
+    if [ "$SNMPCONFIG" ]; then
+      SNMPCONFIG="run:  yum install net-snmp-devel"
+    fi
+  elif [ -s /etc/debian_version ]; then
+    if ! dpkg -s snmpd >/dev/null 2>&1; then
+      echo No.
+      SNMPADD="do:  apt-get install snmpd"
+      if [ "$SNMPCONFIG" ]; then
+	SNMPADD="$SNMPADD libsnmp-dev"
+      fi
+    else
+      echo Yes.
+    fi
+    if [ "$SNMPCONFIG" ]; then
+      SNMPCONFIG="run:  apt-get install libsnmp-dev"
+    fi
+  elif [ -s /etc/snmp/snmpd.conf ]; then
+    echo Yes.
+  else
+    echo No.
+    SNMPADD="install net-snmp (www.net-snmp.org)"
+    SNMPCONFIG="reinstall net-snmp with agent support."
+  fi
+
+  if [ "$SNMPADD" ]; then
+    echo " Assuming you don't want net-snmp agent support".
+    echo " Otherwise $SNMPADD"
+    return
+  elif [ "$SNMPCONFIG" ]; then
+    echo "! You have net-snmp agent but not development package."
+    echo "! net-snmp agent will not be built, to fix:"
+    echo "!   $SNMPCONFIG"
+    return
+  fi
+
+  SNMPTARGET=snmp_NETFLOW.so
+  SNMPINSTALL=sinstall
+}
+
 kernel_find_version	#KVERSION
 test "$KLIBMOD" || KLIBMOD=$KVERSION
 echo "Kernel version: $KVERSION ($KHOW)"
@@ -428,11 +492,15 @@ iptables_src_version	#check that IPTSRC match to IPTVER
 iptables_inc		#IPTINC
 iptables_modules	#IPTLIB
 
+snmp_check
+
 REPLACE="\
 s!@CARGS@!$CARGS!;\
 s!@KVERSION@!$KVERSION!;\
 s!@KDIR@!$KDIR!;\
 s!@KOPTS@!$KOPTS!;\
+s!@SNMPTARGET@!$SNMPTARGET!;\
+s!@SNMPINSTALL@!$SNMPINSTALL!;\
 s!@IPTABLES_VERSION@!$IPTVER!;\
 s!@IPTABLES_CFLAGS@!$IPTCFLAGS $IPTINC!;\
 s!@IPTABLES_MODULES@!$IPTLIB!"