Sunday, December 26, 2010

ng_bpf as classifier

What to do with unclassified traffic?

Something should be done in ng_netflow to prevent "unclassified loops", but for now I just use the special index=1 to mark traffic as unclassified when it comes from a "classificator"; that way the traffic goes to the out1 iface.


ng_bpf test

First of all, the idea of using ng_bpf is pretty simple: match against the first program; if it does not match, try the second, and so forth.
There is no need to use multiple ng_bpf nodes; one with looping links will do.

One thing for future consideration, to be really effective: recalculate the patterns from time to time and order them according to how frequently they are matched.
The other thing, which I already mentioned before, is the possibility of changing programs on the fly.

Looks like a pretty simple task to generate and set up an ng_bpf node according to a file list with tcpdump signatures and some stats on signature hit frequency.

Then I will need to check how an "old" bpf node can be switched to a "new" one (needs checking under heavy traffic processing).

Ok, up and running! Test version:


The biggest time waste was getting statistics about bpf; the proper syntax is
ngctl msg bpf: getstats \"indata\"

where 'indata' is the hook name.
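As an added example, not code from the original post, here is a POSIX shell script that does what the notes above describe: it compiles a file of tcpdump signatures into setprogram messages chained through looping links on a single ng_bpf node, with the last non-match hook serving as the unclassified path, and prints the getstats command for a hook. The hook names in0, sigN, loopN_a/loopN_b and nomatch are my own assumptions, as is using tcpdump -ddd as the BPF compiler.

```shell
#!/bin/sh
# Added example, not code from the original post: turn a file of tcpdump
# filter expressions into the ngctl commands that load them into one ng_bpf
# node as a matching chain. Hook names (in0, sigN, loopN_a/loopN_b, nomatch)
# are this example's own assumptions. Real use needs FreeBSD with ngctl.

# Compile one filter to bytecode in "tcpdump -ddd" form: the first line is
# the instruction count, then one "code jt jf k" line per instruction.
compile_filter() { tcpdump -s 8192 -ddd "$1"; }

# Rewrite -ddd text (stdin) into ng_bpf's bpf_prog_len= / bpf_prog=[ ... ].
ddd_to_prog() {
    awk 'NR == 1 { printf "bpf_prog_len=%d bpf_prog=[", $1; next }
         { printf " { code=%d jt=%d jf=%d k=%d }", $1, $2, $3, $4 }
         END { print " ]" }'
}

# setprogram message for one stage: $1 = hook the packet arrives on,
# $2 = ifMatch hook, $3 = ifNotMatch hook; bytecode in -ddd form on stdin.
setprogram_msg() {
    printf 'setprogram { thisHook="%s" ifMatch="%s" ifNotMatch="%s" %s }\n' \
        "$1" "$2" "$3" "$(ddd_to_prog)"
}

# Print (do not run) the commands for the whole chain. Stage i receives on
# its input hook, sends matches to sig<i> and non-matches to loop<i>_a, which
# is connected to the same node's loop<i>_b, where stage i+1 runs. The last
# stage's non-matches leave via "nomatch": the unclassified path.
build_chain() {
    sigfile=$1 node=$2 in=in0 i=0
    total=$(grep -c . "$sigfile" || true)
    while IFS= read -r filter || [ -n "$filter" ]; do
        [ -n "$filter" ] || continue
        i=$((i + 1))
        if [ "$i" -lt "$total" ]; then notmatch="loop${i}_a"; else notmatch=nomatch; fi
        msg=$(compile_filter "$filter" | setprogram_msg "$in" "sig$i" "$notmatch")
        echo "ngctl msg $node '$msg'"
        if [ "$i" -lt "$total" ]; then
            echo "ngctl connect $node $node loop${i}_a loop${i}_b"
            in="loop${i}_b"
        fi
    done < "$sigfile"
}

# Per-hook match counters, using the getstats syntax given above.
stats_cmd() { printf 'ngctl msg %s getstats \\"%s\\"\n' "$2" "$1"; }

if [ -n "${1:-}" ]; then build_chain "$1" "${2:-bpf:}"; fi
```

Run it as `sh chain.sh signatures.txt bpf: | sh` once the node exists; the printed connect lines wire each stage's non-match hook back into the same node so one packet walks the whole list.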

So far so good.

Next:
  • high-load testing; for that I'll have to get a copy of real-world traffic and feed an interface with it. I think that after 3-4 hours under 100 Mbps it can be concluded that the new scheme is functional.
  • code clean-up, remove debugging
  • check the generated netflow, to see if the correct classes are recorded there.
