Proposed ntopng change
-
First, I don't know what I'm doing. I just wanted to get that out of the way. If this were Linux, I'd be significantly more comfortable messing with files, etc. However, until I booted pfSense, I never really messed with FreeBSD…
So, please understand that I'm not sending pull requests or such. I'm clueless on how to build the packages to begin with.
Oh, and I'm not entirely sure that this is PHP or some other language... over time, they all seem to blend into each other. ;)
That being said, I noticed that the ntopng package wasn't treating my IPv6 addresses as local. I had configured "Local Networks" to be "Consider selected interface networks local", but it was only considering my local IPv4 addresses as local. That kind of sucks. So, rather than complain here, I figured I'd hack around in a file called "/usr/local/pkg/ntopng.inc" until I got it right. Thankfully, I also have "snort", which provided the example I needed for extracting IPv6 network addresses.
Here's the change (but if this is pulled into the proper ntopng package, PLEASE look at this and make sure I didn't screw it up):
--- ntopng.inc.orig 2016-08-22 09:38:37.906401000 -0400 +++ ntopng.inc 2016-08-22 09:51:40.643878000 -0400 @@ -102,6 +102,14 @@ if (is_ipaddr(get_interface_ip($iface))) { $nets[] = gen_subnet(get_interface_ip($iface), get_interface_subnet($iface)) . '/' . get_interface_subnet($iface); } + // do the same thing for ipv6 - code copied from snortcfg + $ip6addr = get_interface_ipv6($iface); + // Trim off the interface designation (e.g., %em1) if present + if (strpos($ip6addr, "%") !== FALSE) + $ip6addr = substr($ip6addr, 0, strpos($ip6addr, "%")); + if (is_ipaddrv6($ip6addr)) { + $nets[] = gen_subnetv6($ip6addr, get_interface_subnetv6($iface)) . '/' . get_interface_subnetv6($iface); + } } if (!empty($nets)) { $local_networks = "--local-networks " . escapeshellarg(implode(",", $nets));
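Review bot: the `if (strpos($ip6addr, "%") !== FALSE)` line is an unbraced single-statement if, unlike the braced style of the surrounding block; brace it, and read the prefix length once into a local (`$subnet6 = get_interface_subnetv6($iface);`) instead of calling `get_interface_subnetv6($iface)` twice in the `$nets[]` line. The `is_ipaddrv6($ip6addr)` guard is the right shape: an interface with no IPv6 address yields an empty value from `get_interface_ipv6()`, fails the check, and the existing IPv4-only behaviour is preserved for it.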
While at it, it might be a good idea to ALWAYS add "fe80::/10" to the list of local subnets, as fe80::/10 is the IPv6 link-local range… it can't be anything other than local. :)
Take care
Gary -
One oddity I've noticed with this change: IPv6 addresses that ntopng "knows about" already still show as remote, but if you have iOS or Windows machines that use privacy extensions, the newly created "random" IPv6 addresses will show up as local.
There's probably a way to nuke ntopng's data store so that everything resets (and it can determine that the stuff is local), but I'm unsure quite yet what that is.
ALSO, if your "local" IPv6 addresses track an IPv6 PD on your WAN interface, and your ISP gives you a new prefix, ntopng doesn't automatically restart so that it gets the new local network list. For that… I have no clue.
(Okay, to be completely honest here, I'm doing this the way I do most things: jump in head first, and figure it out as I go along. So, yeah - it's half-baked.)
Edit: oh... duh. Just go to the ntopng settings page and whack the "Delete (Historical) Data" button. That resets the caches, and then those local IPv6 addresses show up as local. :)
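The logic the two posts above describe (strip the `%zone` suffix from an interface address, reduce it to its prefix, always treat fe80::/10 as local, and note that privacy-extension addresses still fall inside the same /64) can be checked outside pfSense. The following is an added Python example, not code from the thread or from the ntopng package; it uses the standard `ipaddress` module in place of pfSense's `gen_subnetv6()`/`get_interface_subnetv6()` helpers, and the interface list is constructed sample data.

```python
import ipaddress
import shlex

# Always-local range the post proposes to prepend (IPv6 link-local).
LINK_LOCAL = "fe80::/10"

# Constructed sample: (interface address as pfSense would return it, prefix length).
# The third entry models an interface with no IPv6 address configured.
SAMPLE_INTERFACES = [
    ("192.168.1.1", 24),
    ("2001:db8:abcd:1::1%em1", 64),
    ("", 64),
]


def strip_zone(addr: str) -> str:
    """Drop a '%zone' suffix such as 'fe80::1%em1' (the strpos/substr step in the patch)."""
    return addr.split("%", 1)[0]


def interface_prefix(addr: str, prefixlen: int) -> str:
    """Return the CIDR prefix an interface address belongs to (gen_subnetv6 + '/' + length)."""
    net = ipaddress.ip_network(f"{strip_zone(addr)}/{prefixlen}", strict=False)
    return str(net)


def local_networks(interfaces, always_link_local=True):
    """Build the local-network list: fe80::/10 first, then one prefix per addressed interface."""
    nets = []
    if always_link_local:
        nets.append(LINK_LOCAL)
    for addr, plen in interfaces:
        addr = strip_zone(addr)
        try:
            ipaddress.ip_address(addr)  # mirrors is_ipaddr()/is_ipaddrv6() guard
        except ValueError:
            continue  # empty or malformed: interface has no usable address
        nets.append(interface_prefix(addr, plen))
    return list(dict.fromkeys(nets))  # de-duplicate, preserving order


def local_networks_arg(nets) -> str:
    """Render the ntopng argument the way the patch does with escapeshellarg()."""
    return "--local-networks " + shlex.quote(",".join(nets))


def is_local(addr: str, nets) -> bool:
    """Would ntopng classify this address as local given the computed list?"""
    ip = ipaddress.ip_address(strip_zone(addr))
    # Membership across address families is simply False, so v4 and v6 can share one list.
    return any(ip in ipaddress.ip_network(n) for n in nets)


if __name__ == "__main__":
    nets = local_networks(SAMPLE_INTERFACES)
    print(local_networks_arg(nets))
    # A privacy-extension address has a random interface identifier but the same /64,
    # which is why such hosts show up as local once the prefix is in the list.
    print(is_local("2001:db8:abcd:1:7d3e:91ab:c0ff:ee01", nets))
```

Only the prefix matters for classification, so the list stays valid as hosts rotate temporary addresses; it does not, as the post notes, follow a change of the delegated prefix itself until the list is rebuilt.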
-
A more complete change that adds fe80::/10 to all three cases (selected, lanonly and rfc1918), and adds the "lan" IPv6 if lanonly is selected.
The changes are untested if IPv6 doesn't exist (isn't enabled), and the lanonly case is also untested.
--- ntopng.inc.orig 2016-08-22 09:38:37.906401000 -0400 +++ ntopng.inc 2016-08-22 16:06:57.214301000 -0400 
@@ -98,23 +98,47 @@ switch ($ntopng_config['local_networks']) { case "selected": $nets = array(); + // link-local is always local + $nets[] = "fe80::/10"; foreach ($ntopng_config['interface_array'] as $iface) { if (is_ipaddr(get_interface_ip($iface))) { $nets[] = gen_subnet(get_interface_ip($iface), get_interface_subnet($iface)) . '/' . get_interface_subnet($iface); } + // do the same thing for ipv6 - code copied from snortcfg + $ip6addr = get_interface_ipv6($iface); + // Trim off the interface designation (e.g., %em1) if present + if (strpos($ip6addr, "%") !== FALSE) + $ip6addr = substr($ip6addr, 0, strpos($ip6addr, "%")); + if (is_ipaddrv6($ip6addr)) { + $nets[] = gen_subnetv6($ip6addr, get_interface_subnetv6($iface)) . '/' . get_interface_subnetv6($iface); + } } if (!empty($nets)) { $local_networks = "--local-networks " . escapeshellarg(implode(",", $nets)); - } + } break; case "lanonly": + $nets = array(); + // ipv6 link local is always local + $nets[] = "fe80::/10"; if (is_ipaddr(get_interface_ip('lan'))) { - $local_networks = "--local-networks " . escapeshellarg(gen_subnet(get_interface_ip('lan'), get_interface_subnet('lan')) . '/' . get_interface_subnet('lan')); + $nets[] = gen_subnet(get_interface_ip('lan'), get_interface_subnet('lan')) . '/' . get_interface_subnet('lan'); + } + // do the same thing for ipv6 - code copied from snortcfg + $ip6addr = get_interface_ipv6('lan'); + // Trim off the interface designation (e.g., %em1) if present + if (strpos($ip6addr, "%") !== FALSE) + $ip6addr = substr($ip6addr, 0, strpos($ip6addr, "%")); + if (is_ipaddrv6($ip6addr)) { + $nets[] = gen_subnetv6($ip6addr, get_interface_subnetv6('lan')) . '/' . get_interface_subnetv6('lan'); + } + if (!empty($nets)) { + $local_networks = "--local-networks " . 
escapeshellarg(implode(",", $nets)); } break; case "rfc1918": default: - $local_networks = "--local-networks '192.168.0.0/16,172.16.0.0/12,10.0.0.0/8'"; + $local_networks = "--local-networks 'fe80::/10,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8'"; break; }
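Review bot: in both the `selected` and `lanonly` cases the `if (!empty($nets))` guard is now always true, because `$nets[] = "fe80::/10";` is pushed unconditionally before any interface is examined, so `$local_networks` is always set; previously an interface with no usable address left it unset. If that is intended (the post says link-local is always local), drop the guard rather than keep dead code; if the old fallback matters, append fe80::/10 only once at least one interface prefix was found. Separately, the zone-id trimming plus `is_ipaddrv6()` block is now pasted twice, once per case; a small helper taking the interface name (`'lan'` or `$iface`) would keep the two copies from drifting.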
-
Pull request: https://github.com/pfsense/pfsense-packages/pull/1262
(I really hope I didn't miss some guideline documentation on submitting pulls before doing that…)