NEL Port Block Allocation / Deallocation Events

[alruben]

Greetings and salutations.

My organization is starting to roll out cgNAT and we will be using port-block allocations as a method to cut down on the logging requirements. I've been doing a variety of testing the last few days and have come across nfdump as a tool that I think will work well for our logging efforts.

I've noticed however that the logs generated for the PBA events come up as "unknown" in nfdump:

zzz@nfxxx1:/opt/flows/cgn/2023-12-22# nfdump -o nel -R nfcapd.202312222030 | more
Date first seen Event Proto Src IP Addr:Port Dst IP Addr:Port X-Src IP Addr:Port X-Dst IP Addr:Port
2023-12-22 20:31:08.019 UNKNOWN 0 100.125.2.5:0 -> 0.0.0.0:0 xx.yy.135.112:0 -> 0.0.0.0:0

in detail:

Flow Record:
RecordCount = 5
Flags = 0x01 EVENT, Unsampled
Elements = 6: 1 2 12 20 25 26
size = 128
engine type = 7
engine ID = 186
export sysid = 1
Event time = 1703295068019 [2023-12-22 20:31:08.019]
received at = 1703295065305 [2023-12-22 20:31:05.305]
proto = 0 0
tcp flags = 0x00 ........
src port = 0
dst port = 0
src tos = 0
fwd status = 0
in packets = 0
in bytes = 0
src addr = 100.125.2.5
dst addr = 0.0.0.0
ip exporter = xx.yyy.133.148
src xlt ip = xx.yyy.135.112
dst xlt ip = 0.0.0.0
nat event = 17: UNKNOWN
pblock start = 65408
pblock end = 65535
pblock step = 0
pblock size = 0

Note that it says the NAT event is "17: UNKNOWN."

I brought this to the attention of the cgNAT developer we are using, and they pointed me to RFC 8158, section 4.3, "Definition of NAT events": https://www.rfc-editor.org/rfc/rfc8158.html#section-4.3

          +-------+------------------------------------+
          | Value | Event Name                         |
          +-------+------------------------------------+
          | 0     | Reserved                           |
          | 1     | NAT translation create (Historic)  |
          | 2     | NAT translation delete (Historic)  |
          | 3     | NAT Addresses exhausted            |
          | 4     | NAT44 session create               |
          | 5     | NAT44 session delete               |
          | 6     | NAT64 session create               |
          | 7     | NAT64 session delete               |
          | 8     | NAT44 BIB create                   |
          | 9     | NAT44 BIB delete                   |
          | 10    | NAT64 BIB create                   |
          | 11    | NAT64 BIB delete                   |
          | 12    | NAT ports exhausted                |
          | 13    | Quota Exceeded                     |
          | 14    | Address binding create             |
          | 15    | Address binding delete             |
          | 16    | Port block allocation              |
          | 17    | Port block de-allocation           |
          | 18    | Threshold Reached                  |
          +-------+------------------------------------+

How do we get these additional events added so they don't appear as "UNKNOWN" in the log?

Thanks!

[phaag]

I can add the missing events, no problem. I will create an issue from this discussion to track it.

[alruben]

Thanks. I could not ask for anything more!

[phaag]

I relay on user input and different use cases - so I am happy to help!
As I do not have those devices for testing, I would appreciate if you could send me a few minutes worth of pcap, sent to the collector to my email (see my email in the AUTHORS file) for testing. Maybe there are some more fields in your export stream I could add.
Many thanks

[phaag]

Added in latest master repo. Please check and test, if it works as expected.