diff --git a/data/templates/pmacct/uacctd.conf.j2 b/data/templates/pmacct/uacctd.conf.j2
index aae0a06190..d2de80df4d 100644
--- a/data/templates/pmacct/uacctd.conf.j2
+++ b/data/templates/pmacct/uacctd.conf.j2
@@ -25,12 +25,6 @@ imt_mem_pools_number: 169
{% set _ = plugin.append('nfprobe['~ nf_server_key ~ ']') %}
{% endfor %}
{% endif %}
-{% if sflow.server is vyos_defined %}
-{% for server in sflow.server %}
-{% set sf_server_key = 'sf_' ~ server | dot_colon_to_dash %}
-{% set _ = plugin.append('sfprobe[' ~ sf_server_key ~ ']') %}
-{% endfor %}
-{% endif %}
{% if disable_imt is not defined %}
{% set _ = plugin.append('memory') %}
{% endif %}
@@ -61,20 +55,3 @@ nfprobe_timeouts[{{ nf_server_key }}]: expint={{ netflow.timeout.expiry_interval
{% endfor %}
{% endif %}
-
-{% if sflow.server is vyos_defined %}
-# sFlow servers
-{% for server, server_config in sflow.server.items() %}
-{# # prevent pmacct syntax error when using IPv6 flow collectors #}
-{% set sf_server_key = 'sf_' ~ server | dot_colon_to_dash %}
-sfprobe_receiver[{{ sf_server_key }}]: {{ server | bracketize_ipv6 }}:{{ server_config.port }}
-sfprobe_agentip[{{ sf_server_key }}]: {{ sflow.agent_address }}
-{% if sflow.sampling_rate is vyos_defined %}
-sampling_rate[{{ sf_server_key }}]: {{ sflow.sampling_rate }}
-{% endif %}
-{% if sflow.source_address is vyos_defined %}
-sfprobe_source_ip[{{ sf_server_key }}]: {{ sflow.source_address | bracketize_ipv6 }}
-{% endif %}
-
-{% endfor %}
-{% endif %}
diff --git a/data/templates/sflow/hsflowd.conf.j2 b/data/templates/sflow/hsflowd.conf.j2
index 5000956bda..6a1ba2956f 100644
--- a/data/templates/sflow/hsflowd.conf.j2
+++ b/data/templates/sflow/hsflowd.conf.j2
@@ -25,6 +25,9 @@ sflow {
pcap { dev={{ iface }} }
{% endfor %}
{% endif %}
+{% if enable_egress is vyos_defined %}
+ psample { group=1 egress=on }
+{% endif %}
{% if drop_monitor_limit is vyos_defined %}
dropmon { limit={{ drop_monitor_limit }} start=on sw=on hw=off }
{% endif %}
diff --git a/interface-definitions/include/version/flow-accounting-version.xml.i b/interface-definitions/include/version/flow-accounting-version.xml.i
index 5b01fe4b53..95d1e20db1 100644
--- a/interface-definitions/include/version/flow-accounting-version.xml.i
+++ b/interface-definitions/include/version/flow-accounting-version.xml.i
@@ -1,3 +1,3 @@
-
+
diff --git a/interface-definitions/system_flow-accounting.xml.in b/interface-definitions/system_flow-accounting.xml.in
index 83a2480a3f..4799205ad5 100644
--- a/interface-definitions/system_flow-accounting.xml.in
+++ b/interface-definitions/system_flow-accounting.xml.in
@@ -362,73 +362,6 @@
-
-
- sFlow settings
-
-
-
-
- sFlow agent IPv4 address
-
- auto
-
-
-
- ipv4
- sFlow IPv4 agent address
-
-
-
-
-
-
-
-
- sFlow sampling-rate
-
- u32
- Sampling rate (1 in N packets)
-
-
-
-
-
-
-
-
- sFlow destination server
-
- ipv4
- IPv4 server to export sFlow
-
-
- ipv6
- IPv6 server to export sFlow
-
-
-
-
-
-
-
-
- sFlow port number
-
- u32:1025-65535
- sFlow port number
-
-
-
-
-
- 6343
-
-
-
- #include
-
-
#include
diff --git a/interface-definitions/system_sflow.xml.in b/interface-definitions/system_sflow.xml.in
index aaf4033d85..2cd7a5d12f 100644
--- a/interface-definitions/system_sflow.xml.in
+++ b/interface-definitions/system_sflow.xml.in
@@ -106,6 +106,12 @@
+
+
+ Enable egress sampling
+
+
+
#include
diff --git a/smoketest/config-tests/bgp-big-as-cloud b/smoketest/config-tests/bgp-big-as-cloud
index 03efef868d..d6c17b3d26 100644
--- a/smoketest/config-tests/bgp-big-as-cloud
+++ b/smoketest/config-tests/bgp-big-as-cloud
@@ -836,7 +836,6 @@ set system flow-accounting interface 'eth0.4089'
set system flow-accounting netflow engine-id '1'
set system flow-accounting netflow server 192.0.2.55 port '2055'
set system flow-accounting netflow version '9'
-set system flow-accounting sflow server 1.2.3.4 port '1234'
set system flow-accounting syslog-facility 'daemon'
set system host-name 'vyos'
set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/'
@@ -845,6 +844,9 @@ set system name-server '2001:db8::1'
set system name-server '2001:db8::2'
set system name-server '192.0.2.1'
set system name-server '192.0.2.2'
+set system sflow interface 'eth0.4088'
+set system sflow interface 'eth0.4089'
+set system sflow server 1.2.3.4 port '1234'
set system syslog global facility all level 'all'
set system syslog global preserve-fqdn
set system time-zone 'Europe/Zurich'
diff --git a/smoketest/scripts/cli/test_system_flow-accounting.py b/smoketest/scripts/cli/test_system_flow-accounting.py
index 5151342209..9d79427892 100755
--- a/smoketest/scripts/cli/test_system_flow-accounting.py
+++ b/smoketest/scripts/cli/test_system_flow-accounting.py
@@ -97,111 +97,6 @@ def test_basic(self):
self.assertIn(f'syslog: {syslog}', uacctd)
self.assertIn(f'plugins: memory', uacctd)
- def test_sflow(self):
- sampling_rate = '4000'
- source_address = '192.0.2.1'
- dummy_if = 'dum3841'
- agent_address = '192.0.2.2'
-
- sflow_server = {
- '1.2.3.4' : { },
- '5.6.7.8' : { 'port' : '6000' },
- }
-
- self.cli_set(['interfaces', 'dummy', dummy_if, 'address', agent_address + '/32'])
- self.cli_set(['interfaces', 'dummy', dummy_if, 'address', source_address + '/32'])
- self.cli_set(base_path + ['disable-imt'])
-
- # You need to configure at least one interface for flow-accounting
- with self.assertRaises(ConfigSessionError):
- self.cli_commit()
- for interface in Section.interfaces('ethernet'):
- self.cli_set(base_path + ['interface', interface])
-
-
- # You need to configure at least one sFlow or NetFlow protocol, or not
- # set "disable-imt" for flow-accounting
- with self.assertRaises(ConfigSessionError):
- self.cli_commit()
-
- self.cli_set(base_path + ['sflow', 'agent-address', agent_address])
- self.cli_set(base_path + ['sflow', 'sampling-rate', sampling_rate])
- self.cli_set(base_path + ['sflow', 'source-address', source_address])
- for server, server_config in sflow_server.items():
- self.cli_set(base_path + ['sflow', 'server', server])
- if 'port' in server_config:
- self.cli_set(base_path + ['sflow', 'server', server, 'port', server_config['port']])
-
- # commit changes
- self.cli_commit()
-
- uacctd = read_file(uacctd_conf)
-
- # when 'disable-imt' is not configured on the CLI it must be present
- self.assertNotIn(f'imt_path: /tmp/uacctd.pipe', uacctd)
- self.assertNotIn(f'imt_mem_pools_number: 169', uacctd)
- self.assertNotIn(f'plugins: memory', uacctd)
-
- for server, server_config in sflow_server.items():
- plugin_name = server.replace('.', '-')
- if 'port' in server_config:
- self.assertIn(f'sfprobe_receiver[sf_{plugin_name}]: {server}', uacctd)
- else:
- self.assertIn(f'sfprobe_receiver[sf_{plugin_name}]: {server}:6343', uacctd)
-
- self.assertIn(f'sfprobe_agentip[sf_{plugin_name}]: {agent_address}', uacctd)
- self.assertIn(f'sampling_rate[sf_{plugin_name}]: {sampling_rate}', uacctd)
- self.assertIn(f'sfprobe_source_ip[sf_{plugin_name}]: {source_address}', uacctd)
-
- self.cli_delete(['interfaces', 'dummy', dummy_if])
-
- def test_sflow_ipv6(self):
- sampling_rate = '100'
- sflow_server = {
- '2001:db8::1' : { },
- '2001:db8::2' : { 'port' : '6000' },
- }
-
- self.cli_set(base_path + ['disable-imt'])
-
- # You need to configure at least one interface for flow-accounting
- with self.assertRaises(ConfigSessionError):
- self.cli_commit()
- for interface in Section.interfaces('ethernet'):
- self.cli_set(base_path + ['interface', interface])
-
-
- # You need to configure at least one sFlow or NetFlow protocol, or not
- # set "disable-imt" for flow-accounting
- with self.assertRaises(ConfigSessionError):
- self.cli_commit()
-
- self.cli_set(base_path + ['sflow', 'sampling-rate', sampling_rate])
- for server, server_config in sflow_server.items():
- self.cli_set(base_path + ['sflow', 'server', server])
- if 'port' in server_config:
- self.cli_set(base_path + ['sflow', 'server', server, 'port', server_config['port']])
-
- # commit changes
- self.cli_commit()
-
- uacctd = read_file(uacctd_conf)
-
- # when 'disable-imt' is not configured on the CLI it must be present
- self.assertNotIn(f'imt_path: /tmp/uacctd.pipe', uacctd)
- self.assertNotIn(f'imt_mem_pools_number: 169', uacctd)
- self.assertNotIn(f'plugins: memory', uacctd)
-
- for server, server_config in sflow_server.items():
- tmp_srv = server
- tmp_srv = tmp_srv.replace(':', '-')
-
- if 'port' in server_config:
- self.assertIn(f'sfprobe_receiver[sf_{tmp_srv}]: {bracketize_ipv6(server)}', uacctd)
- else:
- self.assertIn(f'sfprobe_receiver[sf_{tmp_srv}]: {bracketize_ipv6(server)}:6343', uacctd)
- self.assertIn(f'sampling_rate[sf_{tmp_srv}]: {sampling_rate}', uacctd)
-
def test_netflow(self):
engine_id = '33'
max_flows = '667'
@@ -288,8 +183,8 @@ def test_netflow(self):
self.assertIn(f'nfprobe_timeouts[nf_{tmp_srv}]: expint={tmo_expiry}:general={tmo_flow}:icmp={tmo_icmp}:maxlife={tmo_max}:tcp.fin={tmo_tcp_fin}:tcp={tmo_tcp_generic}:tcp.rst={tmo_tcp_rst}:udp={tmo_udp}', uacctd)
-
self.cli_delete(['interfaces', 'dummy', dummy_if])
+
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_system_sflow.py b/smoketest/scripts/cli/test_system_sflow.py
index 74c0654736..700253e2b9 100755
--- a/smoketest/scripts/cli/test_system_sflow.py
+++ b/smoketest/scripts/cli/test_system_sflow.py
@@ -96,6 +96,39 @@ def test_sflow(self):
for interface in Section.interfaces('ethernet'):
self.assertIn(f'pcap {{ dev={interface} }}', hsflowd)
+ def test_sflow_ipv6(self):
+ sampling_rate = '100'
+ default_polling = '30'
+ default_port = '6343'
+ sflow_server = {
+ '2001:db8::1': {},
+ '2001:db8::2': {'port': '8023'},
+ }
+
+ for interface in Section.interfaces('ethernet'):
+ self.cli_set(base_path + ['interface', interface])
+
+ self.cli_set(base_path + ['sampling-rate', sampling_rate])
+ for server, server_config in sflow_server.items():
+ self.cli_set(base_path + ['server', server])
+ if 'port' in server_config:
+ self.cli_set(base_path + ['server', server, 'port', server_config['port']])
+
+ # commit changes
+ self.cli_commit()
+
+ # verify configuration
+ hsflowd = read_file(hsflowd_conf)
+
+ self.assertIn(f'sampling={sampling_rate}', hsflowd)
+ self.assertIn(f'polling={default_polling}', hsflowd)
+
+ for server, server_config in sflow_server.items():
+ if 'port' in server_config:
+ self.assertIn(f'collector {{ ip = {server} udpport = {server_config["port"]} }}', hsflowd)
+ else:
+ self.assertIn(f'collector {{ ip = {server} udpport = {default_port} }}', hsflowd)
+
def test_vrf(self):
interface = 'eth0'
server = '192.0.2.1'
diff --git a/smoketest/scripts/system/test_kernel_options.py b/smoketest/scripts/system/test_kernel_options.py
index 700e4cec7b..b51b0be1d0 100755
--- a/smoketest/scripts/system/test_kernel_options.py
+++ b/smoketest/scripts/system/test_kernel_options.py
@@ -128,5 +128,11 @@ def test_container_cpu(self):
tmp = re.findall(f'{option}=(y|m)', self._config_data)
self.assertTrue(tmp)
+ def test_psample_enabled(self):
+ # Psample must be enabled in the OS Kernel to enable egress flow for hsflowd
+ for option in ['CONFIG_PSAMPLE']:
+ tmp = re.findall(f'{option}=y', self._config_data)
+ self.assertTrue(tmp)
+
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/src/conf_mode/system_flow-accounting.py b/src/conf_mode/system_flow-accounting.py
index a12ee363dc..925c4a5627 100755
--- a/src/conf_mode/system_flow-accounting.py
+++ b/src/conf_mode/system_flow-accounting.py
@@ -18,7 +18,6 @@
import re
from sys import exit
-from ipaddress import ip_address
from vyos.config import Config
from vyos.config import config_dict_merge
@@ -159,9 +158,9 @@ def get_config(config=None):
# delete individual flow type defaults - should only be added if user
# sets this feature
- for flow_type in ['sflow', 'netflow']:
- if flow_type not in flow_accounting and flow_type in default_values:
- del default_values[flow_type]
+ flow_type = 'netflow'
+ if flow_type not in flow_accounting and flow_type in default_values:
+ del default_values[flow_type]
flow_accounting = config_dict_merge(default_values, flow_accounting)
@@ -171,9 +170,9 @@ def verify(flow_config):
if not flow_config:
return None
- # check if at least one collector is enabled
- if 'sflow' not in flow_config and 'netflow' not in flow_config and 'disable_imt' in flow_config:
- raise ConfigError('You need to configure at least sFlow or NetFlow, ' \
+ # check if collector is enabled
+ if 'netflow' not in flow_config and 'disable_imt' in flow_config:
+ raise ConfigError('You need to configure NetFlow, ' \
'or not set "disable-imt" for flow-accounting!')
# Check if at least one interface is configured
@@ -185,45 +184,7 @@ def verify(flow_config):
for interface in flow_config['interface']:
verify_interface_exists(flow_config, interface, warning_only=True)
- # check sFlow configuration
- if 'sflow' in flow_config:
- # check if at least one sFlow collector is configured
- if 'server' not in flow_config['sflow']:
- raise ConfigError('You need to configure at least one sFlow server!')
-
- # check that all sFlow collectors use the same IP protocol version
- sflow_collector_ipver = None
- for server in flow_config['sflow']['server']:
- if sflow_collector_ipver:
- if sflow_collector_ipver != ip_address(server).version:
- raise ConfigError("All sFlow servers must use the same IP protocol")
- else:
- sflow_collector_ipver = ip_address(server).version
-
- # check if vrf is defined for Sflow
- verify_vrf(flow_config)
- sflow_vrf = None
- if 'vrf' in flow_config:
- sflow_vrf = flow_config['vrf']
-
- # check agent-id for sFlow: we should avoid mixing IPv4 agent-id with IPv6 collectors and vice-versa
- for server in flow_config['sflow']['server']:
- if 'agent_address' in flow_config['sflow']:
- if ip_address(server).version != ip_address(flow_config['sflow']['agent_address']).version:
- raise ConfigError('IPv4 and IPv6 addresses can not be mixed in "sflow agent-address" and "sflow '\
- 'server". You need to set the same IP version for both "agent-address" and '\
- 'all sFlow servers')
-
- if 'agent_address' in flow_config['sflow']:
- tmp = flow_config['sflow']['agent_address']
- if not is_addr_assigned(tmp, sflow_vrf):
- raise ConfigError(f'Configured "sflow agent-address {tmp}" does not exist in the system!')
-
- # Check if configured sflow source-address exist in the system
- if 'source_address' in flow_config['sflow']:
- if not is_addr_assigned(flow_config['sflow']['source_address'], sflow_vrf):
- tmp = flow_config['sflow']['source_address']
- raise ConfigError(f'Configured "sflow source-address {tmp}" does not exist on the system!')
+ verify_vrf(flow_config)
# check NetFlow configuration
if 'netflow' in flow_config:
diff --git a/src/migration-scripts/flow-accounting/1-to-2 b/src/migration-scripts/flow-accounting/1-to-2
new file mode 100644
index 0000000000..5ffb1eec89
--- /dev/null
+++ b/src/migration-scripts/flow-accounting/1-to-2
@@ -0,0 +1,63 @@
+# Copyright 2021-2024 VyOS maintainers and contributors
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see .
+
+# migrate 'system flow-accounting sflow' to 'system sflow'
+
+from vyos.configtree import ConfigTree
+
+base = ['system', 'flow-accounting']
+base_fa_sflow = base + ['sflow']
+base_sflow = ['system', 'sflow']
+
+def migrate(config: ConfigTree) -> None:
+ if not config.exists(base_fa_sflow):
+ # Nothing to do
+ return
+
+ if not config.exists(base_sflow):
+
+ for iface in config.return_values(base + ['interface']):
+ config.set(base_sflow + ['interface'], value=iface, replace=False)
+
+ if config.exists(base + ['vrf']):
+ vrf = config.return_value(base + ['vrf'])
+ config.set(base_sflow + ['vrf'], value=vrf)
+
+ if config.exists(base + ['enable-egress']):
+ config.set(base_sflow + ['enable-egress'])
+
+ if config.exists(base_fa_sflow + ['agent-address']):
+ address = config.return_value(base_fa_sflow + ['agent-address'])
+ config.set(base_sflow + ['agent-address'], value=address)
+
+ if config.exists(base_fa_sflow + ['sampling-rate']):
+ sr = config.return_value(base_fa_sflow + ['sampling-rate'])
+ config.set(base_sflow + ['sampling-rate'], value=sr)
+
+ for server in config.list_nodes(base_fa_sflow + ['server']):
+ config.set(base_sflow + ['server'])
+ config.set_tag(base_sflow + ['server'])
+ config.set(base_sflow + ['server', server])
+ tmp = base_fa_sflow + ['server', server]
+ if config.exists(tmp + ['port']):
+ port = config.return_value(tmp + ['port'])
+ config.set(base_sflow + ['server', server, 'port'], value=port)
+
+ if config.exists(base + ['netflow']):
+ # delete only sflow from flow-accounting if netflow is set
+ config.delete(base_fa_sflow)
+ else:
+ # delete all flow-accounting config otherwise
+ config.delete(base)