forked from pmacct/pmacct
pretag.map.example
! Pre-Tagging map -- upon matching a set of given conditions, pre_tag_map
! returns numerical (set_tag, set_tag2) or string (set_label) IDs.
!
! File syntax is key-based. Position of keys inside the same row (rule) is not
! relevant; spaces around '=' are not allowed (i.e. 'id = 1' is not valid). The
! first full match wins (like in firewall rules). Negative values mean negation
! (i.e. to match data NOT entering interface 2: 'in=-2'); the 'set_tag',
! 'set_tag2', 'set_label', 'filter' and 'ip' keys don't support negative values.
! The 'label', 'jeq', 'return' and 'stack' keys alter the standard top-down rule
! evaluation flow.
!
! nfacctd: valid keys: set_tag, set_tag2, set_label, set_tos, ip, in, out,
! engine_type, engine_id, flowset_id, nexthop, bgp_nexthop, filter, v8agg,
! sampling_rate, sample_type, direction, src_mac, dst_mac, vlan, cvlan;
! mandatory keys for each rule: ip.
!
! sfacctd: valid keys: set_tag, set_tag2, set_label, set_tos, ip, in, out,
! nexthop, bgp_nexthop, filter, agent_id, sampling_rate, sample_type, src_mac,
! dst_mac, vlan; mandatory keys for each rule: ip.
!
! pmacctd: valid keys: set_tag, set_tag2, set_label and filter.
!
! sfacctd, nfacctd when in 'tee' mode: valid keys: set_tag, set_tag2, set_label,
! ip; mandatory keys for each rule: ip.
!
! BGP-related keys are independent of the collection method in use, hence apply
! to all daemons (BGP daemon must be enabled): src_as, dst_as, src_comms, comms,
! peer_src_as, peer_dst_as, src_local_pref, local_pref, mpls_vpn_rd.
!
! list of currently supported keys follows:
!
! 'set_tag' SET: tag assigned to a matching packet, flow or sample;
! the tag can also be defined as auto-increasing, i.e. <tag #>++;
! its use is mutually exclusive to set_tag2 and set_label
! within the same rule. The resulting value is written to
! the 'tag' field when using memory tables and 'agent_id'
! when using a SQL plugin (unless a schema v9 is used).
! Legacy name for this primitive is 'id'.
! 'set_tag2' SET: tag assigned to a matching packet, flow or sample;
! the tag can also be defined as auto-increasing, i.e. <tag #>++;
! its use is mutually exclusive to set_tag and set_label
! within the same rule. The resulting value is written to
! the 'tag2' field when using memory tables and 'agent_id2'
! when using a SQL plugin (unless a schema v9 is used).
! If using a SQL plugin, read more about the 'agent_id2'
! field in the 'sql/README.agent_id2' document. Legacy
! name for this primitive is 'id2'.
! 'set_label' SET: string label assigned to a matching packet, flow
! or sample; its use is mutually exclusive to tags within
! the same rule. The resulting value is written to the
! 'label' field.
! 'set_tos' SET: matching packets have their 'tos' primitive set to
! the specified value. Currently valid only in nfacctd. If
! collecting ingress NetFlow at both trusted and untrusted
! borders, e.g., this is useful to selectively override ToS
! values read at untrusted ones only.
! 'ip' MATCH: in nfacctd this is compared against the source
! IP address of the device originating NetFlow packets;
! in sfacctd this is compared against the AgentId field
! of received sFlow samples. Expected argument is an IP
! address or prefix (i.e. XXX.XXX.XXX.XXX/NN). Both values
! arrive unauthenticated in the exporter's datagrams, so
! this key identifies an exporter but does not verify it.
! 'in' MATCH: Input interface. In NFv9/IPFIX this is compared
! against IE #10 and, if not existing, against IE #252.
! 'out' MATCH: Output interface. In NFv9/IPFIX this is compared
! against IE #14 and, if not existing, against IE #253.
! 'engine_type' MATCH: in NFv5 this is compared against the 'engine_type'
! header field. In NFv9 it's compared against the 3rd octet
! of the 'source_id' header field. Provides uniqueness with
! respect to the routing engine on the exporting device.
! 'engine_id' MATCH: in NFv5 this is compared against the 'engine_id'
! header field. In NFv9 it's compared against the 4th octet
! of the 'source_id' header field. It provides uniqueness
! with respect to the particular line card on the exporting
! device.
! 'flowset_id' MATCH: In NFv9/IPFIX this is compared against the flowset
! ID field of the flowset header.
! 'nexthop' MATCH: IPv4/IPv6 address of the next-hop router. In NFv9/
! IPFIX this is compared against IE #15.
! 'bgp_nexthop' MATCH: IPv4/IPv6 address of the next-hop BGP router. In
! MPLS-enabled networks this can be also matched against top
! label address where available (ie. egress NetFlow v9/IPFIX
! exports). In NFv9/IPFIX this is compared against IE #18
! for IPv4 and IE #62 for IPv6.
! 'filter' MATCH: incoming packets are matched against the supplied
! filter expression (expected in libpcap syntax); the filter
! needs to be enclosed in quotes (').
! 'v8agg' MATCH: in NFv8 this is compared against the aggregation
! method in use. Valid values are in the range 0 to 15.
! 'agent_id' MATCH: in sFlow v5 it's compared against the subAgentId
! field. sFlow v2/v4 do not carry such field, hence it does
! not apply.
! 'sampling_rate' MATCH: in sFlow v2/v4/v5 this is compared against the
! sampling rate field; it also works against NetFlow v5.
! NetFlow v9 and IPFIX are not supported.
! 'sample_type' MATCH: in sFlow v2/v4/v5 this is compared against the
! sample type field. Expected in <Enterprise>:<Format>
! notation. In NetFlow/IPFIX three keywords are supported:
! "flow" to denote templates suitable to transport flow
! traffic data, "event" to denote templates suitable to
! flag events and "option" to denote NetFlow/IPFIX option
! records data.
! 'direction' MATCH: In NetFlow v9 and IPFIX this is compared against
! the direction (IE #61) field, whose only valid values are
! 0 (ingress) and 1 (egress).
! 'src_as' MATCH: source Autonomous System Number. In pmacctd, if
! the BGP daemon is not enabled, it works only against a
! Networks map (see 'networks_file' directive); in nfacctd
! and sfacctd it works against a Networks map or against
! the source ASN field in either sFlow or NetFlow datagrams.
! Since 0.12, this can also be compared against the
! corresponding BGP RIB of the exporting device ('bgp_daemon'
! configuration directive).
! 'dst_as' MATCH: destination Autonomous System Number. Same 'src_as'
! remarks hold here. Please read them above.
! 'peer_src_as' MATCH: peering source Autonomous System Number. This is
! compared against the corresponding (or mapped) BGP RIB
! of the exporting device (see 'bgp_daemon' configuration
! directive).
! 'peer_dst_as' MATCH: peering destination Autonomous System Number. Same
! 'peer_src_as' remarks hold here. Please read them above.
! 'local_pref' MATCH: destination IP prefix BGP Local Preference attribute.
! This is compared against the BGP RIB of the exporting
! device.
! 'comms' MATCH: Destination IP prefix BGP standard communities;
! multiple elements, up to 16, can be supplied, comma-
! separated (no spaces allowed); the check is successful
! if any of the communities is matched. This is compared
! against the BGP RIB of the exporting device. See examples
! below.
! 'mpls_vpn_rd' MATCH: Destination IP prefix BGP-signalled MPLS L2/L3
! VPN Route Distinguisher (RD) value. Encoding types #0, #1
! and #2 are supported as per RFC 4364. See example below.
! 'src_mac' MATCH: In NetFlow v9 and IPFIX this is compared against
! IE #56, in sFlow against source MAC address field part
! of the Extended Switch object.
! 'dst_mac' MATCH: In NetFlow v9 and IPFIX this is compared against
! IE #57, in sFlow against destination MAC address field
! part of the Extended Switch object.
! 'vlan' MATCH: In NetFlow v9 and IPFIX this is compared against
! IE #58 and, if not existing, against IE #242, in sFlow
! against in/out VLAN ID fields part of the Extended Switch
! object.
! 'cvlan' MATCH: In NetFlow v9 and IPFIX this is compared against
! IE #245.
! 'label' SET: Mark the rule with label's value. Labels don't need
! to be unique: when jumping, the first matching label wins.
! Label value 'next' is reserved for internal use and
! hence must not be used in a map. Doing otherwise might
! give unexpected results.
! 'jeq' SET: Jump on EQual. Jumps to the supplied label in case
! of rule match. Jumps are only forward. Label "next" is
! reserved and causes evaluation to continue with the next
! rule, if any. Before continuing the map workflow, tagged
! data can optionally be returned to plugins (jeq=xxx
! return=true). Disabled by default (i.e. return=false).
! Beware that setting return=true can, depending on
! configuration, generate spurious data or duplicates; the
! intended logic is: plugins which include 'tag' in their
! aggregation method will receive each tagged copy (unless
! filtered out by the pre_tag_filter directive); plugins
! not configured for tags will only receive a single copy
! of the data.
! 'stack' SET: Currently the 'sum' (A + B) and 'or' (A | B) operators
! are supported. This key makes sense only if JEQs are in
! use. When matching, accumulate tags using the specified
! operator/function. With 'stack=sum', the resulting tag
! is <previous tag + current tag>.
!
!
! Examples:
!
! Some examples applicable to NetFlow.
!
set_tag=1 ip=192.168.2.1 in=4
set_tag=10 ip=192.168.1.1 in=5 out=3
set_tag=11 ip=192.168.1.1 in=3 out=5
set_tag=12 ip=192.168.1.1 in=3
set_tag=13 ip=192.168.1.1 nexthop=10.0.0.254
set_tag=14 ip=192.168.1.1 engine_type=1 engine_id=0
set_tag=15 ip=192.168.1.1 in=3 filter='src net 192.168.0.0/24'
!
! The following rule applies to sFlow, for example, to prevent aggregation of samples
! in conjunction with having 'timestamp_arrival' part of the aggregation method. In
! this example "1" is the selected floor value and "++" instructs to increase the
! value at every pre_tag_map iteration.
!
set_tag=1++ ip=0.0.0.0/0
!
! The following rule applies to 'pmacctd'; it will return an error if applied to either
! 'nfacctd' or 'sfacctd'
!
set_tag=21 filter='src net 192.168.0.0/16'
!
! A few sFlow-related examples. The rule format is the same as for 'nfacctd',
! but some keys don't apply to sFlow.
!
set_tag=30 ip=192.168.1.1
set_tag=31 ip=192.168.1.1 out=50
set_tag=32 ip=192.168.1.1 out=50 agent_id=0 sampling_rate=512
!
! === JEQ example #1:
! - implicit 'return' defaults to false
! - 'set_tag' used to store input interface tags
! - 'set_tag2' used to store output interface tags
!
set_tag=1000 ip=192.168.1.1 in=1 jeq=eval_out
set_tag=1001 ip=192.168.1.1 in=2 jeq=eval_out
set_tag=1002 ip=192.168.1.1 in=3 jeq=eval_out
! ... further INs
set_tag2=1000 ip=192.168.1.1 out=1 label=eval_out
set_tag2=1001 ip=192.168.1.1 out=2
set_tag2=1002 ip=192.168.1.1 out=3
! ... further OUTs
!
! ===
!
! === JEQ example #2:
! - implicit 'return' defaults to false
! - 'set_tag' (legacy name 'id') structured hierarchically to store both input and output interface tags
!
set_tag=11000 ip=192.168.1.1 in=1 jeq=eval_out
set_tag=12000 ip=192.168.1.1 in=2 jeq=eval_out
set_tag=13000 ip=192.168.1.1 in=3 jeq=eval_out
! ... further INs
set_tag=100 ip=192.168.1.1 out=1 label=eval_out stack=sum
set_tag=101 ip=192.168.1.1 out=2 stack=sum
set_tag=102 ip=192.168.1.1 out=3 stack=sum
! ... further OUTs
!
! ===
!
! === JEQ example #3:
! - 'return' set to true: upon matching, the packet is passed to the plugins along with its tag;
! the pre_tag_map flow then continues by following the JEQ.
! - The above leads to duplicates, hence a pre_tag_filter should be used to split packets among plugins.
! - 'set_tag' (legacy name 'id') used to temporarily store both input and output interface tags
!
set_tag=1001 ip=192.168.1.1 in=1 jeq=eval_out return=true
set_tag=1002 ip=192.168.1.1 in=2 jeq=eval_out return=true
set_tag=1003 ip=192.168.1.1 in=3 jeq=eval_out return=true
! ... further INs
set_tag=2001 ip=192.168.1.1 out=1 label=eval_out
set_tag=2002 ip=192.168.1.1 out=2
set_tag=2003 ip=192.168.1.1 out=3
! ... further OUTs
!
! pre_tag_filter[in]: 1001-1003
! pre_tag_filter[out]: 2001-2003
!
! ===
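! The following Python snippet is an added illustration; it is not part of pmacct and
! not the daemons' own evaluation code. It models the rule-evaluation flow described
! under the 'label', 'jeq', 'return' and 'stack' keys above and exercised by JEQ
! examples #1 to #3: first full match wins, negative 'in'/'out' values negate, 'jeq'
! jumps forward to the first rule carrying the label and evaluation continues
! sequentially from there, 'stack' accumulates tags and 'return=true' hands an early
! tagged copy to the plugins. Only the keys those examples use are modelled (ip, in,
! out, set_tag, set_tag2, set_label plus the flow keys); the Record type and the two
! embedded maps are constructed test data, not pmacct structures.

```python
"""
Simulator of pmacct pre_tag_map evaluation for the subset of syntax used in
the JEQ examples on this page. Added illustration, not pmacct's code; auto-
increment tags ('1++') are not modelled. Match keys: ip (address or prefix),
in, out (negative value = negation). Set keys: set_tag, set_tag2, set_label.
Flow keys: label, jeq, return, stack. Any other key raises, so a typo such
as 'engine_set_tag' cannot silently match.
"""
import ipaddress
import shlex
from dataclasses import dataclass

SET_KEYS = {"set_tag", "set_tag2", "set_label"}
FLOW_KEYS = {"label", "jeq", "return", "stack"}
STACK_OPS = {"sum": lambda prev, cur: prev + cur, "or": lambda prev, cur: prev | cur}


@dataclass(frozen=True)
class Record:
    """One flow or sample as seen by the tagging engine (constructed data)."""
    exporter: str     # source IP of the NetFlow/sFlow datagram ('ip' key)
    in_if: int = 0    # input ifindex ('in' key)
    out_if: int = 0   # output ifindex ('out' key)


def parse_map(text):
    """Parse map text into a list of {key: value} rules; '!' lines are comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        rule = {}
        for tok in shlex.split(line):  # keeps filter='a b c' as one token
            key, sep, val = tok.partition("=")
            if not sep:
                raise ValueError(f"malformed token {tok!r} in rule {line!r}")
            rule[key] = val
        rules.append(rule)
    return rules


def _match_int(want, have):
    """Integer match; a negative value means 'not equal', e.g. in=-2."""
    n = int(want)
    return have != -n if n < 0 else have == n


def rule_matches(rule, rec):
    """Every MATCH key of the rule must hold; SET and flow keys are skipped."""
    ints = {"in": rec.in_if, "out": rec.out_if}
    for key, val in rule.items():
        if key in SET_KEYS or key in FLOW_KEYS:
            continue
        if key == "ip":
            if ipaddress.ip_address(rec.exporter) not in ipaddress.ip_network(val, strict=False):
                return False
        elif key in ints:
            if not _match_int(val, ints[key]):
                return False
        else:
            raise ValueError(f"key {key!r} is not supported by this simulator")
    return True


def evaluate(rules, rec):
    """Walk the rules top-down; return (tag, tag2, label, early_copies).

    First full match wins unless it carries 'jeq': evaluation then resumes at
    the first later rule marked with that 'label' (forward only) and continues
    sequentially, so a labelled rule that does not match is passed over. With
    'return=true' a tagged copy goes to the plugins before the jump; those
    copies are collected in early_copies.
    """
    tag, tag2, labels, early = 0, 0, [], []
    i, n = 0, len(rules)
    while i < n:
        rule = rules[i]
        if not rule_matches(rule, rec):
            i += 1
            continue
        op = STACK_OPS.get(rule.get("stack"), lambda prev, cur: cur)  # no stack: replace
        if "set_tag" in rule:
            tag = op(tag, int(rule["set_tag"]))
        if "set_tag2" in rule:
            tag2 = op(tag2, int(rule["set_tag2"]))
        if "set_label" in rule:
            labels.append(rule["set_label"])  # several labels are comma-joined
        target = rule.get("jeq")
        if target is None:
            break  # first full match wins
        if rule.get("return", "false") == "true":
            early.append((tag, tag2, ",".join(labels)))
        if target == "next":
            i += 1
            continue
        i = next((k for k in range(i + 1, n) if rules[k].get("label") == target), n)
    return tag, tag2, ",".join(labels), early


# JEQ example #2 from this page: tag = <IN bucket> + <OUT offset> via stack=sum
JEQ_SUM_MAP = """
set_tag=11000 ip=192.168.1.1 in=1 jeq=eval_out
set_tag=12000 ip=192.168.1.1 in=2 jeq=eval_out
set_tag=100 ip=192.168.1.1 out=1 label=eval_out stack=sum
set_tag=101 ip=192.168.1.1 out=2 stack=sum
"""

# JEQ example #3 from this page: return=true hands an IN-tagged copy to plugins
JEQ_RETURN_MAP = """
set_tag=1001 ip=192.168.1.1 in=1 jeq=eval_out return=true
set_tag=2002 ip=192.168.1.1 out=2 label=eval_out
"""
```

! Feeding Record("192.168.1.1", in_if=9, out_if=1) to the JEQ example #2 map yields
! tag 100: labels only mark jump targets, so a labelled rule reached by plain
! fall-through is evaluated like any other. Before relying on a tag range in a
! pre_tag_filter, confirm that behaviour against your own daemon with a test flow
! whose input interface matches none of the IN rules.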
!
! === BGP standard communities example #1
! - check is successful if matches either 65000:1234 or 65000:2345
!
set_tag=100 ip=192.168.1.1 comms=65000:1234,65000:2345
!
! ===
!
! === BGP standard communities example #2
! - a series of checks can be piled up in order to mimic match-all
! - underlying logic is:
! > tag=200 is considered a successful check;
! > tag=0 or tag=100 is considered unsuccessful
!
set_tag=100 ip=192.168.1.1 comms=65000:1234 label=65000:1234 jeq=65000:2345
set_tag=100 ip=192.168.1.1 comms=65000:2345 label=65000:2345 jeq=65000:3456
! ... further set_tag=100
set_tag=200 ip=192.168.1.1 comms=65000:3456 label=65000:3456
!
! ===
!
! === BGP/MPLS VPN Route Distinguisher (RD) example
! - check is successful if matches encoding type #0 with value 65512:1
!
set_tag=100 ip=192.168.1.1 mpls_vpn_rd=0:65512:1
!
! ===
!
! === sfprobe/nfprobe: determining semi-dynamically direction and ifindex
! - Two steps approach:
! > determine direction first (1=in, 2=out)
! > then short circuit it to return an ifindex value
! - Configuration would look like the following fragment:
! ...
! nfprobe_direction: tag
! nfprobe_ifindex: tag2
! ...
!
set_tag=1 filter='ether dst 00:11:22:33:44:55' jeq=fivefive
set_tag=1 filter='ether dst 00:11:22:33:44:66' jeq=sixsix
set_tag=1 filter='ether dst 00:11:22:33:44:77' jeq=sevenseven
set_tag=2 filter='ether src 00:11:22:33:44:55' jeq=fivefive
set_tag=2 filter='ether src 00:11:22:33:44:66' jeq=sixsix
set_tag=2 filter='ether src 00:11:22:33:44:77' jeq=sevenseven
!
set_tag2=5 label=fivefive
set_tag2=6 label=sixsix
set_tag2=7 label=sevenseven
!
! ===
!
! === Basic set_label example
! Tag as "blabla,blabla2" all NetFlow/sFlow data received from any exporter.
! If, e.g. as a result of JEQs in a pre_tag_map, multiple 'set_label' are
! applied, then the default operation is to append labels, separated by a comma.
!
set_label=blabla ip=0.0.0.0/0 jeq=blabla2
set_label=blabla2 ip=0.0.0.0/0 label=blabla2
!
!
! pre_tag_label_filter[xxx]: -null
! pre_tag_label_filter[yyy]: blabla
! pre_tag_label_filter[zzz]: blabla, blabla2
!
! ===