Date:   Sat, 6 Feb 2021 01:05:21 +0200
From:   Vladimir Oltean <olteanv@...il.com>
To:     Florian Fainelli <f.fainelli@...il.com>
Cc:     "David S . Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org,
        Andrew Lunn <andrew@...n.ch>,
        Vivien Didelot <vivien.didelot@...il.com>
Subject: Re: [PATCH net-next] net: dsa: allow port mirroring towards foreign interfaces

On Fri, Feb 05, 2021 at 02:42:55PM -0800, Florian Fainelli wrote:
> How does the mirred action deal with that case? How does it know that
> packets delivered to the DSA master should be sent towards a foreign
> address? Do I need to set up two mirred rules? One that sets up the
> filter on, say, sw0p0 to redirect egress to eth0 (DSA master) and another
> one to ingress filter on eth0 and egress mirror to eth1 (USB ethernet
> dongle)?

[ I should have posted this as RFC, somebody asked me if it's possible,
  I only tested ingress mirroring, saw something come out, and posted this.
  I didn't even study act_mirred.c to see why I got anything at all ]

For ingress mirroring there should be nothing special about the mirror
packets, it's just more traffic in the ingress data path where the qdisc
hook already exists.

For egress mirroring I don't think there's really any way for the mirred
action to take over the packets from what is basically the ingress qdisc
and into the egress qdisc of the DSA interface such that they will be
redirected to the selected mirror. I hadn't even thought about egress
mirroring. I suppose with more API, we could have DSA do introspection
into the frame header, see it's an egress-mirrored packet, and inject it
into the egress qdisc of the net device instead of doing netif_rx.

The idea with 2 mirrors might work, however it's not amazing, and I was
thinking that if we bother to do something at all, we could as well try
to think it through and come up with something that's seamless for the
user.
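Added example, not code from the thread or from the DSA or iproute2 projects: the ingress-mirroring setup that the reply says was tested (a clsact qdisc on the DSA user port, a matchall filter, and an act_mirred mirror towards the foreign interface), written as tc commands, plus a check of the act_mirred packet counter and of whether the filter was offloaded or stayed in software. The interface names sw0p0 (DSA user port) and eth1 (USB dongle) follow the thread; the function names and the sample `tc -s filter show` output are constructed for this example and were not captured from a real board. The egress two-rule workaround is deliberately left out, since the thread does not settle whether it works.

```shell
#!/bin/sh
# Added example (not from the thread, the DSA tree or iproute2).
# Assumed names: sw0p0 = DSA user port, eth1 = USB Ethernet dongle
# (the "foreign interface" of the thread).

# Emit the tc commands that mirror everything received on a DSA user port
# to a foreign interface. The copy is made by act_mirred from the ingress
# hook; the switch only has to deliver the frame to the CPU as usual.
dsa_ingress_mirror_cmds() {
    port=$1 target=$2
    printf '%s\n' \
        "tc qdisc add dev $port clsact" \
        "tc filter add dev $port ingress pref 1 matchall action mirred egress mirror dev $target"
}

# Count mirrored packets from the text of
#   tc -s filter show dev sw0p0 ingress
# act_mirred prints its own statistics as
#   Sent <bytes> bytes <n> pkt (dropped ..., ...)
# Reading stdin instead of calling tc keeps this checkable offline.
mirred_pkt_count() {
    awk '/mirred/ { in_mirred = 1 }
         in_mirred && /Sent [0-9]+ bytes [0-9]+ pkt/ {
             for (i = 1; i <= NF; i++) if ($i == "pkt") { print $(i - 1); exit }
         }'
}

# tc marks each filter in_hw (offloaded to the switch) or not_in_hw
# (handled by the kernel's software classifier path).
filter_offload_state() {
    awk '/not_in_hw/ { print "software"; exit }
         /in_hw/     { print "hardware"; exit }'
}

# Constructed sample of the `tc -s filter show dev sw0p0 ingress` output
# after ten packets were mirrored in software; not a real capture.
SAMPLE_TC_OUTPUT='filter protocol all pref 1 matchall chain 0
filter protocol all pref 1 matchall chain 0 handle 0x1
  not_in_hw
        action order 1: mirred (Egress Mirror to device eth1) pipe
        index 1 ref 1 bind 1 installed 12 sec used 3 sec
        Action statistics:
        Sent 1260 bytes 10 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0'

if [ "${1:-}" = "apply" ]; then
    # Program the kernel for real: needs CAP_NET_ADMIN and the interfaces.
    dsa_ingress_mirror_cmds sw0p0 eth1 | sh -e
    out=$(tc -s filter show dev sw0p0 ingress)
    echo "offload: $(printf '%s\n' "$out" | filter_offload_state)"
    echo "mirrored packets: $(printf '%s\n' "$out" | mirred_pkt_count)"
else
    # Dry run: show the commands and parse the constructed sample.
    dsa_ingress_mirror_cmds sw0p0 eth1
    echo "offload: $(printf '%s\n' "$SAMPLE_TC_OUTPUT" | filter_offload_state)"
    echo "mirrored packets: $(printf '%s\n' "$SAMPLE_TC_OUTPUT" | mirred_pkt_count)"
fi
```

Run it with no arguments to see the commands and the parsed sample; run it as `sh script.sh apply` on the board to install the filter and read the live counters. A filter reported as not_in_hw with a rising Sent counter is the software mirror this thread is about; tcpdump on eth1 should then show the copies.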
