lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAAT+qEbOx8Jh3aFS-e7U6FyHo03sdcY6UoeGzwYQbO6WRjc3PQ@mail.gmail.com>
Date:   Tue, 13 Aug 2019 12:51:51 +0200
From:   Martin Olsson <martin.olsson+netdev@...torsecurity.com>
To:     netdev <netdev@...r.kernel.org>
Subject: tc - mirred ingress not supported at the moment

Two questions regarding tc-mirred:

1)
The manual ( https://www.linux.org/docs/man8/tc-mirred.html ) states:

  OPTIONS
    ingress
    egress
      Specify the direction in which the packet shall appear on the
destination interface.
      Currently only egress is implemented.

I verify to see if this is still true, and unfortunately it is:

# tc filter add dev eno2 parent ffff: prio 999  protocol all matchall
action mirred ingress redirect dev mon0
mirred ingress not supported at the moment
bad action parsing
parse_action: bad value (5:mirred)!
Illegal "action"

Q1: Why was 'ingress' not implemented at the same time as 'egress'?



2)
Ok, so I have to use 'egress':
# tc filter add dev eno2 parent ffff: prio 999  protocol all matchall
action mirred egress redirect dev mon0

Since the mirred action forces me to use 'egress' as the direction on
the dest interface, all kinds of network statistics tools show
incorrect counters. :-(
eno2 is a pure sniffer interface (it is connected to the SPAN dest
port of a switch).
All packets (matchall) on eno2 are mirrored to mon0.

# ip -s link show dev eno2
    ...
    ...
    RX: bytes  packets  errors  dropped overrun mcast
    13660757   16329    0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0
# ip -s link show dev mon0
    ...
    ...
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    13660757   16329    0       0       0       0

eno2 and mon0 should be identical, but they are inverted.
When I graph all interfaces of the machine, the traffic graph for
'mon0' is incorrect since it shows 100% egress when the traffic really
is ingress.

As a human I can re-enterpret the mon0 graph when looking at it, but
it is harder for automated tools to do the right thing without
explicit node configuration/exceptions in the tool. This is annoying
when you have tools that graph hundreds of different types of nodes
with different kinds of interface types, and want all graphs to be
visually simillar for easy comparison.
Tool output that mon0 has sent 16329 packets is also plain wrong. It
has really *received* these packets.

Q2: So... Can the 'ingress' option please be implemented? (I'm no
programmer, so unfortunetly I can't do it myself).

/Martin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ