opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License
842 stars 638 forks source link

Telegraf ping and ping6 #4317

Closed alexwbaule closed 1 week ago

alexwbaule commented 1 week ago

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

Describe the bug

Configuring a "ping" on telegraf/input has some miss config itens about ipv4 and ipv6.

i will try to explain:

The ping and ping6 is the same binary on OPNSense (14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 stable/24.7-n267855-304cf693716 SMP amd64)

like is showing here:

root@firewall:/usr/local/etc # file /sbin/ping6 /sbin/ping
/sbin/ping6: setuid ELF 64-bit LSB pie executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 14.1, FreeBSD-style, stripped
/sbin/ping:  setuid ELF 64-bit LSB pie executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 14.1, FreeBSD-style, stripped
root@firewall:/usr/local/etc # md5sum /sbin/ping /sbin/ping6
bc58f788315098acddd6916821294c7d  /sbin/ping
bc58f788315098acddd6916821294c7d  /sbin/ping6

The telegraf configuration for ipv4 or ipv6 is simple, just changing the "binary" on ipv6 config, to ping6. But, its the same binary, and the correct flag to use ipv4 or ipv6 is not used. (call ping with -4 or -6).

if no flag is passed, the ping will sometimes get IPV6 response. (i think)

like is showing here:

root@firewall:/usr/local/etc # ping google.com
PING(56=40+8+8 bytes) 2804:14c:110::33 --> 2800:3f0:4001:809::200e
^C
--- google.com ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
root@firewall:/usr/local/etc # ping -4 google.com
PING google.com (142.251.132.238): 56 data bytes
64 bytes from 142.251.132.238: icmp_seq=0 ttl=113 time=17.952 ms
^C
--- google.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 17.952/17.952/17.952/0.000 ms
root@firewall:/usr/local/etc # ping -6 google.com
PING(56=40+8+8 bytes) 2804:14c:110::33 --> 2800:3f0:4001:809::200e
^C
--- google.com ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss

The telegraf.conf

[[inputs.ping]]
  method = "exec"
  urls = ['google.com','twitter.com','netcombo.com.br','g1.globo.com','digitalocean.com']
  count = 4

[[inputs.ping]]
  method = "exec"
  binary = "ping6"
  urls = ['google.com','digitalocean.com']
  count = 4

To Reproduce

Just set a ping input with a DNS

Expected behavior

telegraf ping must follow the correct config, following the documentation from telegraf. (https://github.com/influxdata/telegraf/blob/master/plugins/inputs/ping/README.md)

Describe alternatives you considered

Force the configuration specified ipv4 or ipv6 on config. like this:

[[inputs.ping]]
  method = "native"
  urls = ['google.com','twitter.com','netcombo.com.br','g1.globo.com','digitalocean.com']
  ipv4 = true
  count = 4

[[inputs.ping]]
  method = "native"
  urls = ['google.com','digitalocean.com']
  ipv6 = true
  count = 4

Using the "native" implementation, use the "go" internal telegraf implementation. (recommended)

Screenshots

If applicable, add screenshots to help explain your problem.

Relevant log files

If applicable, information from log files supporting your claim.

Additional context

Add any other context about the problem here.

Environment

Software version used and hardware type if relevant, e.g.:

14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 stable/24.7-n267855-304cf693716 SMP amd64

alexwbaule commented 1 week ago

One more thing.

the configuration is "mixed", the count is used only on "native", so the "ping" is eternal on this plugin.

I will do a PR.

myadoran commented 22 hours ago

image

Sorry to reopen this issue. After the PR linked to it was merged I upgraded, and started seeing errors like the ones above. The fix suggested here (https://github.com/influxdata/telegraf/tree/master/plugins/inputs/ping#linux-permissions) is to allow CAP_NET_RAW permissions, but this is aimed a Linux implementations.

Testing as root does not cause the issue and manually reverting the file to 'exec' instead of 'native' worked as well (though that does lead to the original issue, of course).

How can I allow the telegraf binary to be executed with the relevant permissions, and how can that be standardized on plugin install/upgrade for other users that run into this?

alexwbaule commented 21 hours ago

Hi @myadoran , i dont get errors like this, on normal situation, Only if there is a "ipv4 vs ipv6" resolution, like a hostname has a ipv6 and i force it to resolve in ipv4.

alexwbaule commented 17 hours ago

@myadoran , as a test, do it in your opnsense box, on a terminal (ssh into your opnsense).

ping and ping -6

Both commands respond ok ? with ping...

myadoran commented 15 hours ago

Both commands do run, but as my network has no IPv6 connectivity I just get the error "no route to host". Same with using ping6 instead of ping -6.

I'll keep searching!