Closed shermdog closed 1 year ago
lspgn
commented
1 year ago Hello, My apologies for the delay. Not fully sure of the implications if I were to fix it in the code. Agreed that FreeBSD shouldn't send that template field if not populated.
If I'm not mistaken, a custom mapping works and is probably the quickest fix:
netflowv9:
mapping:
- field: 1
destination: CustomInteger1I believe with v2, it should be possible to override the existing field.
Let me know how it goes
shermdog
commented
1 year ago Hi @lspgn - my particular use case makes it difficult to leverage custom mappings, as it's part of an agent. I was able to fork and comment out the problematic bits for my particular build. Happy to close this issue.
lspgn
commented
1 year ago Thank you @shermdog
You should be able to pass a NetFlowMapper to the producer if you're using it as a library. But a fork works too :)
Feel free to reopen if you have more questions
Hi Folks,
I've encountered an interesting bug / edge case with netflow v9 and ng_netflow from FreeBSD/OPNsense
The TL;DR is ng_netflow will always set
OUT_PKTS/OUT_BYTESas0and includes them afterIN_PKTS/IN_BYTEShttps://github.com/freebsd/freebsd-src/blob/release/13.2.0/sys/netgraph/netflow/netflow_v9.c#L278-L279 https://github.com/freebsd/freebsd-src/blob/release/13.2.0/sys/netgraph/netflow/netflow_v9.c#L78C1-L81
Unfortunately goflow2 has an implicit preference for OUT vs IN so I wind up with
0byte/packet flowshttps://github.com/netsampler/goflow2/blob/v1.3.4/producer/producer_nf.go#L289-L296
I believe the FreeBSD behaviour is suboptimal, but also very pesimistic that a fix could be implemented there in a timely manner, so I'd like to see if you all have an opinon on how this could be handled in goflow2.
My initial thought is to ignore
0OUT_PKTS/OUT_BYTESwhenIN_PKTS/IN_BYTEShas data, but wanted to get your thoughts on a solution.