lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 13 Aug 2019 09:47:41 -0700
From:   Cong Wang <xiyou.wangcong@...il.com>
To:     Martin Olsson <martin.olsson+netdev@...torsecurity.com>
Cc:     netdev <netdev@...r.kernel.org>
Subject: Re: tc - mirred ingress not supported at the moment

On Tue, Aug 13, 2019 at 4:05 AM Martin Olsson
<martin.olsson+netdev@...torsecurity.com> wrote:
> Q1: Why was 'ingress' not implemented at the same time as 'egress'?

Because you are using an old iproute2.

ingress support is added by:
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=5eca0a3701223619a513c7209f7d9335ca1b4cfa


> 2)
> Ok, so I have to use 'egress':
> # tc filter add dev eno2 parent ffff: prio 999  protocol all matchall
> action mirred egress redirect dev mon0


So you redirect packets from eno2's ingress to mon0's egress.


>
> Since the mirred action forces me to use 'egress' as the direction on
> the dest interface, all kinds of network statistics tools show
> incorrect counters. :-(
> eno2 is a pure sniffer interface (it is connected to the SPAN dest
> port of a switch).
> All packets (matchall) on eno2 are mirrored to mon0.
>
> # ip -s link show dev eno2
>     ...
>     ...
>     RX: bytes  packets  errors  dropped overrun mcast
>     13660757   16329    0       0       0       0
>     TX: bytes  packets  errors  dropped carrier collsns
>     0          0        0       0       0       0
> # ip -s link show dev mon0
>     ...
>     ...
>     RX: bytes  packets  errors  dropped overrun mcast
>     0          0        0       0       0       0
>     TX: bytes  packets  errors  dropped carrier collsns
>     13660757   16329    0       0       0       0
>
> eno2 and mon0 should be identical, but they are inverted.

Yes, this behavior is correct. The keyword "egress" in your cmdline
already says so.

>
> Q2: So... Can the 'ingress' option please be implemented? (I'm no
> programmer, so unfortunetly I can't do it myself).

It is completed, you need to update your iproute2 and kernel.

Thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ