feature/netflow-module-disable-enable

[jrouzierinverse]

Description

Allow the netflow kernel module to be disabled

Impacts

pfacct netflow

Enhancements

• Allow the netflow kernel module to be disabled

Issue

fixes #6214

Delete branch after merge

NO

Checklist

• Document the feature
• Add unit tests
• Add acceptance tests (TestLink)

[nqb]

@satkunas, could you take a quick look on this PR to be sure everything is OK on GUI part ?

[satkunas]

@nqb it looks good

[nqb]

Webadmin part works as expected.

However, when I set netflow_kernel_module=disabled and restart pfacct, I see following lines in logs:

Jul 01 08:32:17 packetfence systemd[1]: Starting PacketFence GO Accounting Server Daemon...
Jul 01 08:32:19 packetfence packetfence[1469]: pfcmd.pl(1469) INFO: netflow is disabled or the netflow kernel module is disabled (pf::cmd::pf::confignetflow::_run)
Jul 01 08:32:19 packetfence pfacct[1581]: t=2021-07-01T08:32:19+0000 lvl=info msg="File descriptor limit is: 4096" pid=1581
Jul 01 08:32:19 packetfence pfacct[1581]: t=2021-07-01T08:32:19+0000 lvl=info msg="Starting listening to netflow at '127.0.0.1:2056'" pid=1581
Jul 01 08:32:19 packetfence systemd[1]: Started PacketFence GO Accounting Server Daemon.

=> Kernel module is still loaded and pfacct is still listening on udp/2056. I try to restart a second time and to reboot without any effect.

[nqb]

@jrouzierinverse, could you provide a feedback on this PR ?

[jrouzierinverse]

The expected results is the kernel module not loaded but pfacct is still listening to netflow traffic.
Was the kernel module still loaded after the reboot.

[nqb]

Was the kernel module still loaded after the reboot.

Yes, I described in my previous comment. Even after a reboot, kernel module is still loaded.

[julsemaan]

@nqb and @jrouzierinverse, what prevents this from being merged?

[jrouzierinverse]

@nqb identified an issue with this where the module was still loaded.
I did not verify that issue yet.

[fdurand]

Isn´t it because even if $Config{advanced}{netflow_kernel_module} is disabled and netflow_enabled is enabled , we add the iptables rule "-I FORWARD -j NETFLOW" that load the kernel module ?

[fdurand]

@jrouzierinverse , @extrafu Just a concern, if iptables is using it and you want to disable it then you have to regenerate the iptables rules before using the command pfcmd confignetflow.
If you want to use it then you need to use the command pfcmd confignetflow then regenerate the iptables rules.

So there is no easy way to add it in the iptables systemd script, this have to be done manually.

[extrafu]

@fdurand Could we clearly document this somewhere or throw a warning when we toy-around "pfcmd service iptables" ?