Add support for MPLS label stack

Will Rigby · Will Rigby · commit 6a10da13dc15 · 2015-03-13T15:18:07.000-04:00
See RFCs 3954 and 5642

* New class in util.rb for MPLS stack labels
* New entries for MPLS stack entries 1-10
* Build an array for the MPLS stack, rather than just
  putting the raw mpls_label_x fields on the event
diff --git a/lib/logstash/codecs/netflow.rb b/lib/logstash/codecs/netflow.rb
@@ -201,6 +201,8 @@ def decode(payload, &block)
 
             event[@target]['flowset_id'] = record.flowset_id
 
+            mpls_stack_ended = false
+
             r.each_pair do |k,v|
               case k.to_s
               when /_switched$/
@@ -209,6 +211,15 @@ def decode(payload, &block)
                 # v9 did away with the nanosecs field
                 micros = 1000000 - (millis % 1000)
                 event[@target][k.to_s] = Time.at(seconds, micros).utc.strftime("%Y-%m-%dT%H:%M:%S.%3NZ")
+              when /^mpls_label_\d+$/
+                event[@target]["mpls_label_stack"] ||= []
+                unless mpls_stack_ended
+                  event[@target]["mpls_label_stack"] << {
+                    "label" => v.label,
+                    "traffic_class" => v.traffic_class
+                  }
+                  mpls_stack_ended = ! v.end_of_stack.zero?
+                end
               else
                 event[@target][k.to_s] = v
               end
diff --git a/lib/logstash/codecs/netflow/netflow.yaml b/lib/logstash/codecs/netflow/netflow.yaml
@@ -137,7 +137,7 @@
 - :uint8
 - :mpls_top_label_type
 47:
-- :uint32
+- :ip4_addr
 - :mpls_top_label_ip_addr
 48:
 - 4
@@ -201,6 +201,36 @@
 - :skip
 69:
 - :skip
+70:
+- :mpls_stack_entry
+- :mpls_label_1
+71:
+- :mpls_stack_entry
+- :mpls_label_2
+72:
+- :mpls_stack_entry
+- :mpls_label_3
+73:
+- :mpls_stack_entry
+- :mpls_label_4
+74:
+- :mpls_stack_entry
+- :mpls_label_5
+75:
+- :mpls_stack_entry
+- :mpls_label_6
+76:
+- :mpls_stack_entry
+- :mpls_label_7
+77:
+- :mpls_stack_entry
+- :mpls_label_8
+78:
+- :mpls_stack_entry
+- :mpls_label_9
+79:
+- :mpls_stack_entry
+- :mpls_label_10
 80:
 - :mac_addr
 - :in_dst_mac
diff --git a/lib/logstash/codecs/netflow/util.rb b/lib/logstash/codecs/netflow/util.rb
@@ -51,6 +51,24 @@ def get
   end
 end
 
+# The three-bit field was originally labeled 'Experimental',
+# but has since been re-named to Traffic Class (see RFC 5642)
+class MplsStackEntry < BinData::Record
+  endian :big
+
+  bit20  :label
+  bit3   :traffic_class
+  bit1   :end_of_stack
+
+  def to_i
+    self.label
+  end
+
+  def to_s
+    self.label.to_s
+  end
+end
+
 class Header < BinData::Record
   endian :big
   uint16 :version
