authorAnder Juaristi <a@juaristi.eus>2019-04-26 09:58:06 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2019-04-30 14:11:54 +0200
commit4f639231c83b09ea004c03e95c702b7750bf9930 (patch)
tree99bb7210f52d5530f21efcb3f4d45020113b22e2 /output/ipfix/ipfix.h
parent675e762091380590f78ff07a94a25caa459b786b (diff)
IPFIX: Add IPFIX output plugin
This patch adds an IPFIX output plugin to ulogd2. It generates NetFlow/IPFIX traces and sends them to a remote server (collector) via TCP or UDP. Based on original work by Holger Eitzenberger <holger@eitzenberger.org>. How to test this ---------------- I am currently testing this with the NFCT input and Wireshark. Place the following in ulogd.conf: # this will print all flows on screen loglevel=1 # load NFCT and IPFIX plugins plugin="/lib/ulogd/ulogd_inpflow_NFCT.so" plugin="/lib/ulogd/ulogd_output_IPFIX.so" stack=ct1:NFCT,ipfix1:IPFIX [ct1] netlink_socket_buffer_size=217088 netlink_socket_buffer_maxsize=1085440 accept_proto_filter=tcp,sctp [ipfix1] oid=1 host="127.0.0.1" #port=4739 #send_template="once" I am currently testing it by launching a plain NetCat listener on port 4739 (the default for IPFIX) and then running Wireshark and see that it dissects the IPFIX/NetFlow traffic correctly (obviously this relies on the Wireshark NetFlow dissector being correct). First: nc -vvvv -l 127.0.0.1 4739 Then: sudo ulogd -vc ulogd.conf Signed-off-by: Ander Juaristi <a@juaristi.eus> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'output/ipfix/ipfix.h')
-rw-r--r--output/ipfix/ipfix.h89
1 files changed, 89 insertions, 0 deletions
diff --git a/output/ipfix/ipfix.h b/output/ipfix/ipfix.h
new file mode 100644
index 0000000..cdb5a6f
--- /dev/null
+++ b/output/ipfix/ipfix.h
@@ -0,0 +1,89 @@
+/*
+ * ipfix.h
+ *
+ * Holger Eitzenberger <holger@eitzenberger.org>, 2009.
+ */
+#ifndef IPFIX_H
+#define IPFIX_H
+
+#include <stdint.h>
+#include <netinet/in.h>
+
+
+struct ipfix_hdr {
+#define IPFIX_VERSION 0xa
+ uint16_t version;
+ uint16_t len;
+ uint32_t time;
+ uint32_t seqno;
+ uint32_t oid; /* Observation Domain ID */
+ uint8_t data[];
+} __packed;
+
+#define IPFIX_HDRLEN sizeof(struct ipfix_hdr)
+
+/*
+ * IDs 0-255 are reserved for Template Sets. IDs of Data Sets are > 255.
+ */
+struct ipfix_templ_hdr {
+ uint16_t id;
+ uint16_t cnt;
+ uint8_t data[];
+} __packed;
+
+struct ipfix_set_hdr {
+#define IPFIX_SET_TEMPL 2
+#define IPFIX_SET_OPT_TEMPL 3
+ uint16_t id;
+ uint16_t len;
+ uint8_t data[];
+} __packed;
+
+#define IPFIX_SET_HDRLEN sizeof(struct ipfix_set_hdr)
+
+struct ipfix_msg {
+ struct llist_head link;
+ uint8_t *tail;
+ uint8_t *end;
+ unsigned nrecs;
+ struct ipfix_set_hdr *last_set;
+ uint8_t data[];
+};
+
+struct vy_ipfix_data {
+ struct in_addr saddr;
+ struct in_addr daddr;
+ uint16_t ifi_in;
+ uint16_t ifi_out;
+ uint32_t packets;
+ uint32_t bytes;
+ uint32_t start; /* Unix time */
+ uint32_t end; /* Unix time */
+ uint16_t sport;
+ uint16_t dport;
+ uint32_t aid; /* Application ID */
+ uint8_t l4_proto;
+ uint8_t dscp;
+ uint16_t __padding;
+} __packed;
+
+#define VY_IPFIX_SID 256
+
+#define VY_IPFIX_FLOWS 36
+#define VY_IPFIX_PKT_LEN (IPFIX_HDRLEN + IPFIX_SET_HDRLEN \
+ + VY_IPFIX_FLOWS * sizeof(struct vy_ipfix_data))
+
+/* template management */
+size_t ipfix_rec_len(uint16_t);
+
+/* message handling */
+struct ipfix_msg *ipfix_msg_alloc(size_t, uint32_t);
+void ipfix_msg_free(struct ipfix_msg *);
+struct ipfix_hdr *ipfix_msg_hdr(const struct ipfix_msg *);
+size_t ipfix_msg_len(const struct ipfix_msg *);
+void *ipfix_msg_data(struct ipfix_msg *);
+struct ipfix_set_hdr *ipfix_msg_add_set(struct ipfix_msg *, uint16_t);
+void *ipfix_msg_add_data(struct ipfix_msg *, size_t);
+int ipfix_dump_msg(const struct ipfix_msg *);
+
+#endif /* IPFIX_H */
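Review bot: The header is not self-contained: `__packed` (on `ipfix_hdr`, `ipfix_templ_hdr`, `ipfix_set_hdr`, `vy_ipfix_data`) and `struct llist_head` (in `ipfix_msg`) are used but nothing in the file declares them, so whether this compiles depends on every includer pulling in the right ulogd headers first; the list header and whichever header defines `__packed` should be included right after `<netinet/in.h>`. The prototypes at the bottom drop their parameter names, which is the only thing that would tell a reader what `ipfix_msg_alloc(size_t, uint32_t)` takes (presumably a buffer size and the observation domain id, matching `oid` in `ipfix_hdr`, but that is inferred), so I would write them out, e.g. `struct ipfix_msg *ipfix_msg_alloc(size_t len, uint32_t oid);`, and add `/* result must be released with ipfix_msg_free() */` above it. `__padding` in `vy_ipfix_data` is a reserved identifier (double leading underscore); `pad` or `reserved` avoids that. `IPFIX_HDRLEN` and `IPFIX_SET_HDRLEN` are `sizeof` of structs with a flexible `data[]` member, which `sizeof` excludes, and since `VY_IPFIX_PKT_LEN` builds on them a comment such as `/* sizeof excludes the flexible data[] member: fixed header bytes only */` would make that explicit.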