- Update from version 1.7.6 to 1.7.8 - Update of rootfile not required - patch to remove Werror no longer required as the build with this version of pmacct had no problems with errors being flagged as warnings anymore unlike with the previous version. - Changelog The keys used are: !: fixed/modified feature, -: deleted feature, +: new feature 1.7.8 -- 31-12-2022 + Introduced support for eBPF for all daemons: if SO_REUSEPORT is supported by the OS and eBPF support is compiled in, this allows to load a custom load-balancer. To load-share, daemons have to be part of the same cluster_name and each be configured with a distinct cluster_id. + Introduced support for listening on VRF interfaces on Linux for all daemons. The feature can be enabled via nfacctd_interface, bgp_daemon_interface and equivalent knobs. Many thanks to Marcel Menzel ( @WRMSRwasTaken ) for this contribution. + pre_tag_map: introduced limited tagging / labelling support for BGP (pmbgpd), BMP (pmbmpd), Streaming Telemetry (pmtelemetryd) daemons. ip, set_tag, set_label keys being currently supported. + pre_tag_map: defined a new pre_tag_label_encode_as_map config knob to encode the output 'label' value as a map for JSON and Apache Avro encodings, ie. in JSON "label": { "key1": "value1", "key2": "value2" }. For keys and values to be correctly mapped, the '%' delimiter is used when composing a pre_tag_map, ie. "set_label=key1%value1,key2%value2 ip=0.0.0.0/0". Thanks to Salvatore Cuzzilla ( @scuzzilla ) for this contribution. + pre_tag_map: introduced support for IP prefixes for src_net and dst_net keys for indexed maps (maps_index set to true). Indexing being an hash map, this feature currently tests data against all defined IP prefix lenghts in the map for a match (first defined matching prefix wins). + pre_tag_map: introduced two new 'is_nsel', 'is_nel' keys to check for the presence of firewallEvent field (233) and natEvent field (230) in NetFlow/IPFIX respectively in order to infer whether data is NSEL / NEL. If set to 'true' this does match NSEL / NEL data, if set to 'false' it does match non NSEL / NEL data respectively. + Introduced a new mpls_label_stack primitive, encoded as a string and includes a comma-separated list of integers (label values). Thanks to Salvatore Cuzzilla ( @scuzzilla ) for this contribution. + Introduced a new fw_event primitive, to support NetFlow v9/ IPFIX firewallEvent 233 Information Element. + Introduced a new tunnel_tcp_flags primitive for pmacctd and sfacctd to record TCP flags for the inner layer of a tunneled technology (ie. VXLAN). Also tunnel_dst_port decoding was fixed for sfacctd. + Introduced support for in/out VLAN support for sfacctd. To be savy, 'in_vlan' and 'vlan' were muxed onto the same primitive depending on the daemon being used. Thanks to Jim Westfall ( @jwestfall69 ) for this contribution. + Introduced a new mpls_label_stack_encode_as_array config knob to encode the MPLS label stack as an array for JSON and Apache Avro encodings, ie. in JSON "mpls_label_stack": [ "0-label0", "1-label1", "2-label2", "3-label3", "4-label4", "5-label5" ] and in Avro "name": "mpls_label_stack", "type": { "type": "array", "items": { "type": "string" } }. Thanks to Salvatore Cuzzilla ( @scuzzilla ) for this contribution. + Introduced a new tcpflags_encode_as_array config knob to encode TCP flags as an array for JSON and Apache Avro, ie. in JSON "tcp_flags": [ "URG", "ACK", "PSH", "RST", "SYN", "FIN" ] and in Avro "name": "tcp_flags", "type": { "type": "array", "items": { "type": "string" } }. Thanks to Salvatore Cuzzilla ( @scuzzilla ) for this contribution. + Introduced a new fwd_status_encode_as_string config knob to encode the 'fwd_status' primitive in human-readable format like described by RFC-7270 Section 4.12 when JSON or Avro formats are selected for output. Thanks to Salvatore Cuzzilla ( @scuzzilla ) for this contribution. + Introduced a new protos_file to define a list of (known/ interesting/meaningful) IP protocols. Both protocol names, ie. "tcp", and protocol numbers, ie. 1 (for icmp), are accepted. IANA reserved protocol value 255 is used to bucket as 'others' those IP protocols not matching the ones defined in the list. + Introduced a new tos_file to define a list of (meaningful) IP ToS values; if tos_encode_as_dscp is set to true then DSCP values are expected as part of the file. The directive uses value 255 to bucket as 'others' those ToS/DSCP values not matching the ones defined in the list. + A new tos_encode_as_dscp config knob makes pmacct to honour only the 6 bits used by DSCP and report only on those. + BGP, BMP, Streaming Telemetry daemons: introduced a new dump_time_slots config knob to spread the load deriving by dumps over the configured refresh time interval. The interval is divided into time slots and nodes are assigned to such slots. The slot for each node is determined using its IP address. Thanks to Raphael Barazzutti ( @rbarazzutti ) for this contribution. + BGP, BMP daemons: End-of-RIB messages are now being exposed in the output feed in order to facilitate tracking their arrival (or not!). + pmtelemetryd: aligned daemon to the latest Unyte UDP-Notif API (0.6.1) and related standardization draft-ietf-netconf-udp-notif + RPKI daemon: added case for input "asn" value being integer (ie. "asn" : 2914) on top of the string case (ie. "asn" : "AS2914"). + Kafka, amqp plugins: introduced a new writer_id_string config knob to allow to customize the the "writer_id" field value. A few variables are supported along with static text definitions. + Added a new aggregate_unknown_etype config knob to account also frames with EtherTypes for which there is no decoding support and allow to aggregate them by the available Ethernet L2 fields (ie. 'src_mac', 'dst_mac', 'vlan', 'cos', 'etype'). Thanks to @singularsyntax for this contribution. + Added a new bgp_daemon_add_path_ignore config knob to ignore (do not advertise back) the ADD-PATH capability advertised by remote BGP peers. + nfacctd, sfacctd: extended the possibility to run daemons from a user with non root privileges to these daemons. + nfacctd: if Information Element 90 (MPLS VPN RD) is present in NetFlow v9/IPFIX, make it available for BGP/BMP correlation. + pmacctd, sfacctd: introduced basic support for QinQ, 802.1AD. + [print|kafka|amqp]_preprocess: added suppport for 'maxp', 'maxb' and 'maxf' keys when preprocessing aggregates of non- SQL plugins. Thanks to Andrew R. Lake ( @arlake228 ) for this contribution. + nDPI: newer versions of the library (ie. >= 4.0) bring changes to the API. pmacct is now aligned to compile against these. At the same time support for nDPI 3.x was dropped. ! fix, plugin_common.[ch]: when stitching feature was enabled, ie. nfacctd_stitching, timestamp_min was never reset. Also both timestamp_min and timestamp_max were clamped to sec granularity. ! fix, BGP, BMP daemons: added a tmp_bgp_daemon_origin_type_int to print out BGP "origin" field as int (legacy behaviour) instead of string (current behaviour). In a future major release the legacy behaviour will be dropped. ! fix, BGP, BMP daemons: MPLS labels are now encoded in both JSON and Apache Avro as 'mpls_label' instead of 'label'. This is to align behaviour with pre_tag_map where 'label' has a different semantic. ! fix, BGP, BMP daemons: resolved memory leak when encoding log messaging (logmsg) in Avro format with Schema Registry support. ! fix, BGP daemon: improved handling of ADD-PATH capability, making it per-AF (as it is supposed to be) and not global. ! fix, BMP daemon: now checking that ADD-PATH capability is enabled at both ends of the monitored session (check both BGP OPEN in a Peer Up message) in order to infer that the capability exchange was successful. Also some heuristics were added to conciliate BGP Open vs BGP Update 4-bytes ASN reality. ! fix, nfacctd: improved parsing of NetFlow v9 Options data particularly when multiple IEs are packed as part of a flowset. ! fix, nfacctd: corrected parsing of Information Element 351 (layer2SegmentId). ! fix, pmacctd: improved processing of pcap_interfaces_map for cases where the same interface is present multiple times (maybe with different directions). Also, if the map is empty then bail out at startup. ! fix, pmacctd: SEGV when ICMP/ICMPv6 traffic was processed and 'flows' primitive was enabled. ! fix, pmacctd: sampling_rate primitive value was not reported correctly when 'sampling_rate' config directive was specified. ! fix, pmbgpd, pmpmbd, pmtelemtryd: changed SIGCHLD handler to prevent zombification of last spawned data dump writer. ! fix, Kafka plugin: moved the schema registration from the dump writer to the plugin process in order to register the schemas only once at plugin startup and not on every start of a writer process. Thanks to Uwe Storbeck ( @ustorbeck ) for this contribution. ! fix, Kafka plugin: a check for kafka_partition was missing, leading the plugin to always use the default partitioner instead of sending data to the configured fixed partition. Thanks to Martin Pels ( @rodecker ) for this contribution. ! fix, nfprobe plugin: BGP data enrichment was not working due to a mistakenly moved pointer. ! fix, sfprobe plugin: AS-PATH was being populated even when null; added a check to see if the destination AS is not zero in order to put the destination AS into the AS-PATH for sFlow packets. Thanks to Marcel Menzel ( @WRMSRwasTaken ) for this contribution. ! fix, networks_file: remove_dupes() was making partial commits of valid rows hence creating data inconsistencies. ! fix, pre_tag_map: resolved a potential string overflow that was being triggered in pretag_append_label() when data would be assigned more than one single label. Also now allow ',' chars in set_label. ! fix, maps_index: uninitialized var could cause SEGV in case no results are found in the map index. Also introduced support for catch-all rules, ie. "set_label=unknown". ! fix, maps_index: optimized the case of no 'ip' key specified (for nfacctd and sfacctd): when indexing is enabled, prevent recirculation from happening, ie. test v4 first then v6, since the 'ip' key is not going to be part of the hash serializer. ! fix, pretag.c: allow to allocate maps greater than 2GB in size. Also several optimizations were carried out yelding to a better memory utilization for allocated maps along with improved times to resolve JEQs. ! fix, pre_tag_label_filter: optimized and improved runtime evaluation part of this feature, avoiding a costly strdup() and returning immediately on certain basic mismatch conditions. ! fix, kafka_common.[ch]: a new p_kafka_produce_data_and_free() is invoked to optimize memory allocations and releases. ! fix, plugin_cmn_avro.c: when a schema registry is being defined, ie. kafka_avro_schema_registry, the logic to generate the schema name has been changed: use topic plus record name as the schema name, use underscore as separator within the record name, stop adding a "-value" suffix. Thanks to Uwe Storbeck ( @ustorbeck ) for this contribution. ! fix, util.c: roundoff_time() to reason always with the locally configured time, like for the rest of functional (as in non-data) timestamps, ie. refresh time, deadline, etc. ! fix, log.c: when log messages are longer than message buffer, the message gets cut off. As the trailing newline also gets cut off the message will be concatenated with the following message which makes the log hard to read. Thanks to Uwe Storbeck ( @ustorbeck ) for this contribution. - Completed the retirement of legacy packet classification based on home-grown code (Shared Objects) and the L7 layer project. - Removed the mpls_stck_depth primitive due to the introduction of the mpls_label_stack primitive. 1.7.7 -- 07-11-2021 + BGP, BMP, Streaming Telemetry daemons: introduced parallelization of dump events via a configurable amount of workers where the unit of parallelization is the exporter (BGP, BMP, telemetry exporter), ie. in a scenario where there are 4 workers and 4 exporters each worker is assigned one exporter data to dump. + pmtelemetryd: added support for draft-ietf-netconf-udp-notif: a UDP-based notification mechanism to collect data from networking devices. A shim header is proposed to facilitate the data streaming directly from the publishing process on network processor of line cards to receivers. The objective is a lightweight approach to enable higher frequency and less performance impact on publisher and receiver process compared to already established notification mechanisms. Many thanks to Alex Huang Feng ( @ahuangfeng ) and the whole Unyte team. + BGP, BMP, Streaming Telemetry daemons: now correctly honouring the supplied Kafka partition key for BGP, BMP and Telemetry msg logs and dump events. + BGP, BMP daemons: a new "rd_origin" field is added to output log/ dump to specify the source of Route Distinguisher information (ie. flow vs BGP vs BMP). + pre_tag_map: added ability to tag new NetFlow/IPFIX and sFlow sample_type types: "flow-ipv4", "flow-ipv6", "flow-mpls-ipv4" and "flow-mpls-ipv6". Also added a new "is_bi_flow" true/false key to tag (or exclude) NSEL bidirectional flows. Added as well a new "is_multicast" true/false config key to tag (or exclude) IPv4/IPv6 multicast destinations. + maps_index: enables indexing of maps to increase lookup speeds on large maps and/or sustained lookup rates. The feature has been remplemented using stream-lined structures from libcdada. This is a major work that helps preventing the unpredictable behaviours caused by the homegrown map indexing mechanism. Many thanks to Marc Sune ( @msune ). + maps_index: support for indexing src_net and dst_net keywords has been added. + Added <daemon_name>_ipv6_only config directives to optionally enable the IPV6_V6ONLY socket option. Also changed the wrong setsockopt() IPV6_BINDV6ONLY id to IPV6_V6ONLY. + Added log function to libserdes to debug transactions with the Schema Registry when kafka_avro_schema_registry is set. + nDPI: newer versions of the library (ie. >= 3.5) bring changes to the API. pmacct is now aligned to compile against these. + pmacctd: added pcap_arista_trailer_offset config directive since Arista has changed the structure of the trailer format in recent releases of EOS. Thanks to Jeremiah Millay ( @floatingstatic ) for his patch. + More improvements carried out on the Continuous Integration (CI) side by migrating from Travis CI to GitHub Actions. Huge thanks to Marc Sune ( @msune ) to make all of this possible. + More improvements also carried out in the space of the Docker images being created: optimized image size and a better layered pipeline. Thanks to Marc Sune ( @msune ) and Daniel Caballero ( @dcaba ) to make all of this possible. + libcdada shipped with pmacct was upgraded to version 0.3.5. Many thanks Marc Sune ( @msune ) for his work with libcdada. ! build system: several improvements carried out in this area, ie. improved MySQL checks, introduced pcap-config tool for libpcap, compiling on BSD/old compilers, etc. Monumental thanks to Marc Sune ( @msune ) for his continued help. ! fix, nfacctd: improved euristics to support the case of flows with both IPv4 and IPv6 source / destination addresses (either or populated). Also improved euristics to distinguish event data vs traffic data in NetFlow v9/IPFIX from Cisco 9300/9500, ASA firewalls and Cisco 4500X. ! fix, nfacctd: improved support for initiatorOctets (IE #231) and responderOctets (IE #232). Thanks to Esben Laursen ( @hyberdk ) for reporting the issue. ! fix, nfacctd: in NF_mpls_vpn_id_handler() double ntohl() calls were applied for the case of 'vrfid'-encoded mpls_vpn_rd field. ! fix, sfacctd: wrong ethertype set for VLAN-tagged, MPLS-labelled IPv6 traffic. Impacting BGP resolution among others. Thanks to Jeremiah Millay ( @floatingstatic ) for his help resolving the problem. ! fix, BGP, BMP daemons: parsing improvements: added a check for BGP Open message and BGP Open Options lengths. Strengthened parsing of Peer Up, Route Monitoring and Peer Down v4 messages. ! fix, BGP, BMP daemon: when using Avro encoding and Avro Schema Registry, attempt to reconnect if serdes schemas are voided. Also now checking for serdes schema definitions before doing a serdes_schema_serialize_avro() to avoid triggering a SEGV. Finally improved serdes logging. ! fix, BGP, Streaming Telemetry daemons: in daemon logs, summary counters for amount of tables / entries dumped were wrong. ! fix, BGP daemon: distinguish among null and zero value AIGP and Prefix SID attributes. Same applies for Local Preference and MED attributes. ! fix, BMP daemon: resolved a memory leak in bgp_peers_free(). Thanks to Pether Pothier ( @pothier-peter ) for his patch. Also resolved a leak caused by an invalid BGP message contained in a BMP Route Message v4. ! fix, BMP daemon: correctly setting peer_ip and peer_tcp_port JSON fields for Term messages. Also the correct bmp_router value when bmp_daemon_parse_proxy_header feature is enabled. ! fix, BMP daemon: several encoding issues when using Apache Avro ie. u_int64_t now correctly encoded with avro_value_set_long(), certain u_int32_t fields switched to avro_value_set_long() due to lack of unsignedness in Avro encoding, improved various aspectes of Avro-JSON format output, etc. ! fix, pmtelemetryd: wrong parsing of pm_tfind() output was leading to mistaken data attribution of UDP-based peers (always first peer to connect was being picked). ! fix, pmtelemetryd: when set, the pidfile config directive was not being correctly honoured. ! fix, RPKI: the RTR PDU element for maxLength is uint8, therefore it might have been possible to transmit incorrect RTR data. Thanks to Job Snijders ( @job ) for his patch. ! fix, SQL plugins: amended the text composition of SQL queries that are involving latitude and longitude keys. ! fix, MySQL plugin: check for 'unix:' prefix string only when a sql_host configuration directive is specified. ! fix, nfprobe: modernized Application Information export. Until the previous release pmacct was adhering to aging NBAR model whereas now NBAR2 has been implemented. Thanks to Rob Cowart ( @robcowart ) for helping out resolving this issue. ! fix, tee plugin: restored usefulness of tee_source_ip which was broken in 1.7.6. Thanks to Jeremiah Millay ( @floatingstatic ) for reporting the issue. ! fix, maps_index: indexing of mpls_pw_id was broken. Also now, when the feature is enabled, actual data is being referenced in the index structure instead of creating a copy of it; thanks to Sander van Delden ( @SanderDelden ) for reporting the memory leak that was resulting from the copy. ! fix, kafka_common.c: solved memory leak in p_kafka_set_topic() when Kafka session was getting in down state. Many thanks to Peter Pothier ( @pothier-peter ) for nailing the issue. ! fix, net_aggr.[ch]: when a networks_file is specified in the config, gracefully handle max memory structure depth; added also de-duplication of entries. ! fix, pmacct-defines.h: if PCAP_NETMASK_UNKNOWN is not defined, ie. in libpcap < 1.1.0, let's define it. ! fix, SO_REUSEPORT feature was being restricted to Linux only in previous releases: now it has been unlocked to all other OS that do support the feature. ! fix, split SO_REUSEPORT and SO_REUSEADDR setsockopt() calls. Thanks to @eduarrrd for reporting and resolving the issue. ! fix, several code warnings catched gcc9 and clang. - Obsoleted sql_history_since_epoch, pre_tag_map_entries and refresh_maps configuration directives.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- lfs/pmacct | 9 +++---- src/patches/pmacct-1.7.6-Werror.patch | 38 --------------------------- 2 files changed, 3 insertions(+), 44 deletions(-) delete mode 100644 src/patches/pmacct-1.7.6-Werror.patch
diff --git a/lfs/pmacct b/lfs/pmacct index 0f8834b51..7c8b32772 100644 --- a/lfs/pmacct +++ b/lfs/pmacct @@ -26,7 +26,7 @@ include Config
SUMMARY = Accounting and aggregation toolsuite for IPv4 and IPv6
-VER = 1.7.6 +VER = 1.7.8
THISAPP = pmacct-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = pmacct -PAK_VER = 4 +PAK_VER = 5
DEPS = libcdada @@ -49,7 +49,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = df04822e88f9409d335457031fb26ce4ae8b5da13cf2f55f8d6c78eb50dade62ef763d389ac81a509d9351e12844446ac73171e9966a5aeeecc0e5fb10219c73 +$(DL_FILE)_BLAKE2 = 1b95d48c479d59f2d4a7654e870e6f61c984c57c31aebbfb9fbf86f2d1027cde6a0f334489f33186bbb19ee7bdf94726f0053faa4829273de2d1975f58dff97f
install : $(TARGET)
@@ -82,9 +82,6 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && rm configure - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/pmacct-1.7.6-Werror.patch - cd $(DIR_APP) && ./autogen.sh cd $(DIR_APP) && ./configure \ --prefix=/usr \ --sysconfdir=/etc/pmacct \ diff --git a/src/patches/pmacct-1.7.6-Werror.patch b/src/patches/pmacct-1.7.6-Werror.patch deleted file mode 100644 index 57bb7d1ff..000000000 --- a/src/patches/pmacct-1.7.6-Werror.patch +++ /dev/null @@ -1,38 +0,0 @@ ---- pmacct-1.7.6/configure.ac.orig 2021-02-05 02:07:36.000000000 +0100 -+++ pmacct-1.7.6/configure.ac 2021-07-15 19:58:37.247916727 +0200 -@@ -1153,9 +1153,9 @@ AC_ARG_ENABLE(debug, - AC_MSG_RESULT(yes) - tmp_CFLAGS=`echo $CFLAGS | sed 's/O2/O0/g'` - CFLAGS="$tmp_CFLAGS" -- CFLAGS="$CFLAGS -g -Wall -Werror" -+ CFLAGS="$CFLAGS -g -Wall" - else -- CFLAGS="$CFLAGS -Wall -Werror" -+ CFLAGS="$CFLAGS -Wall" - AC_MSG_RESULT(no) - fi - ], - - ---- pmacct-1.7.6/src/external_libs/libcdada/configure.ac.orig 2021-02-07 16:29:15.000000000 +0100 -+++ pmacct-1.7.6/src/external_libs/libcdada/configure.ac 2021-07-16 09:04:30.858749121 +0200 -@@ -4,7 +4,7 @@ AC_INIT(LIBCDADA, m4_esyscmd_s(cat VERSI - AC_CONFIG_AUX_DIR([build-aux]) - AC_CONFIG_MACRO_DIR([m4]) - --AM_INIT_AUTOMAKE([-Wall -Werror foreign subdir-objects]) -+AM_INIT_AUTOMAKE([-Wall foreign subdir-objects]) - - AC_GNU_SOURCE - -@@ -24,8 +24,8 @@ LT_INIT - AC_ENABLE_STATIC - - # Some useful default flags --CFLAGS="-std=gnu89 -Werror -Wall $CFLAGS" --CXXFLAGS="-Werror -Wall $CXXFLAGS" -+CFLAGS="-std=gnu89 -Wall $CFLAGS" -+CXXFLAGS="-Wall $CXXFLAGS" - AC_DEFINE([__STDC_FORMAT_MACROS], [], [Description]) - - # Check for Python3