Bug 1436535

Summary: [RFE] Support port mirroring (SPAN)
Product: Red Hat Enterprise Linux 8
Reporter: Edward Haas <edwardh>
Component: NetworkManager
Assignee: Beniamino Galvani <bgalvani>
Status: CLOSED ERRATA
QA Contact: Vladimir Benes <vbenes>
Severity: medium
Docs Contact: Ioanna Gkioka <igkioka>
Priority: medium
Version: 8.3
CC: acardace, aloughla, amusil, atragler, bgalvani, danken, dholler, edwardh, fgiudici, fleitner, fpokryvk, jmaxwell, lmiksik, lrintel, mboisver, rkhan, sdubewar, sukulkar, thaller, till, tpelka, vbenes
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-05-18 13:29:37 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1546802
Bug Blocks: 909199, 1477926, 1654714, 1875967, 1894575

Description Edward Haas 2017-03-28 06:40:39 UTC
There are several scenarios in which there is a need to duplicate traffic that passes through a device to a target device/remote.

Two common use cases for such a setup are: Intrusion detection(IDS/IPS) and traffic analysis.

RHV provides the ability to mirror traffic from a bridge or interface to a vnic, allowing the application on the VM to monitor the traffic. It is implemented through tc rules.

Comment 6 Lubomir Rintel 2018-01-15 16:10:27 UTC
*** Bug 909236 has been marked as a duplicate of this bug. ***

Comment 11 Vladimir Benes 2018-02-19 12:24:00 UTC
I was trying to set up some basic env. Taken from http://backreference.org/2014/06/17/port-mirroring-with-linux-bridges/ I tried this:

To do this, we need to attach a classifier (filter in tc speak) to the relevant qdisc. Simply put, a filter tries to match packets according to some criteria and, if the match succeeds, performs certain actions on them.

Let's start with the code to mirror incoming traffic for an interface, which is simpler. The first thing to do is to establish an ingress qdisc for the interface, as there's none by default:

# tc qdisc add dev bond0 ingress

This creates an ingress qdisc for bond0 and gives it the ffff: identifier (it's always ffff:, for any interface, so no surprises):

# tc qdisc show dev bond0
qdisc ingress ffff: parent ffff:fff1 ----------------

Now, as said, we attach a filter to it. This filter simply matches all packets, and mirrors them to dummy0. A filter is attached to a qdisc, so it must have a reference to the parent. Here's the syntax to create the filter:

# tc filter add dev bond0 parent ffff: \
    protocol all \
    u32 match u8 0 0 \
    action mirred egress mirror dev dummy0


I was able to catch a basic DHCP response while upping bond0.0 and listening on dummy0. But I am unable to set this up via NM.

Comment 16 Filip Pokryvka 2019-05-27 14:19:10 UTC
(In reply to Lubomir Rintel from comment #13)
> https://github.com/NetworkManager/NetworkManager/pull/338

Could you please provide some info, how to set up mirroring as mentioned in c#11 in NetworkManager?

If I try to set the tc.tfilters via nmcli, any help I get is this:

   The valid syntax is: '[root | parent <handle>] [handle <handle>] <kind>'

How to fit 'protocol all u32 match u8 0 0 action mirred egress mirror dev dummy0' into that syntax? I cannot read that from the pull request above.

Thanks for help.

Comment 18 Vladimir Benes 2019-07-01 14:21:21 UTC
cannot make it in 7.7, moving to 7.8

Comment 19 Vladimir Benes 2019-07-01 14:22:25 UTC
to provide more details:
it still doesn't work as expected, we need to give it more care. 7.8.

Comment 22 Beniamino Galvani 2020-06-18 12:19:00 UTC
Upstream merge request:

 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/545

Port mirroring in NM can be configured in the following way:

 nmcli connection add type ethernet ifname eth3 con-name mirror autoconnect no
 nmcli connection modify mirror +tc.qdisc "root prio handle 10:"
 nmcli connection modify mirror +tc.qdisc "ingress handle ffff:"
 nmcli connection modify mirror +tc.tfilter "parent ffff: matchall action mirred egress mirror dev dummy1"
 nmcli connection modify mirror +tc.tfilter "parent 10:   matchall action mirred egress mirror dev dummy1"
 nmcli connection up mirror

This will mirror all traffic (ingress and egress) on eth3 to dummy1.

Comment 23 Beniamino Galvani 2020-07-27 07:04:09 UTC
Alternative version using the 'clsact' qdisc:

    nmcli connection modify mirror +tc.qdisc "clsact"
    nmcli connection modify mirror +tc.tfilter "parent ffff:fff3 matchall action mirred egress mirror dev dummy1"
    nmcli connection modify mirror +tc.tfilter "parent ffff:fff2  matchall action mirred egress mirror dev dummy1"

(supported since https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/e6acf64859fc1b4cc125608604cf38ae77c85367 )
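
After applying either the prio+ingress configuration from comment 22 or the clsact configuration above, the practical check is whether `tc filter show dev eth3 ingress` / `... egress` actually lists a mirred *mirror* action towards the target device (a *redirect* would divert the traffic instead of copying it). The parser below is an added example, not code from the bug or from NetworkManager; the sample output is constructed, modelled on iproute2's mirred action formatting, and `eth3`/`dummy1` are the names used in this bug.

```python
"""Check `tc filter show` output for a working mirror to a target device."""
import re
from dataclasses import dataclass

# Constructed sample output (not captured from a real host): what
# `tc filter show dev eth3 ingress` might print after the config above.
SAMPLE_INGRESS = """\
filter protocol all pref 49152 matchall chain 0
filter protocol all pref 49152 matchall chain 0 handle 0x1
  not_in_hw
        action order 1: mirred (Egress Mirror to device dummy1) pipe
        index 1 ref 1 bind 1
"""
# Constructed sample of a misconfiguration: 'redirect' instead of 'mirror'.
SAMPLE_EGRESS_REDIRECT = """\
filter protocol all pref 49152 matchall chain 0
filter protocol all pref 49152 matchall chain 0 handle 0x1
  not_in_hw
        action order 1: mirred (Egress Redirect to device dummy1) stolen
        index 2 ref 1 bind 1
"""

# iproute2 prints "mirred (<Ingress|Egress> <Mirror|Redirect> to device <dev>)".
MIRRED_RE = re.compile(r"mirred \((Ingress|Egress) (Mirror|Redirect) to device (\S+)\)")


@dataclass
class MirredAction:
    side: str    # where the copy is injected on the target: Egress or Ingress
    mode: str    # Mirror (copy the frame) or Redirect (steal the frame)
    target: str  # device the copy is sent to


def parse_mirred(output: str) -> list[MirredAction]:
    """Extract every mirred action from one `tc filter show` dump."""
    return [MirredAction(*m.groups()) for m in MIRRED_RE.finditer(output)]


def mirror_ok(output: str, target: str) -> tuple[bool, str]:
    """True only if at least one Mirror action copies frames to `target`."""
    acts = parse_mirred(output)
    if not acts:
        return False, "no mirred action attached"
    if any(a.target == target and a.mode == "Mirror" for a in acts):
        return True, f"mirrored to {target}"
    if any(a.target == target and a.mode == "Redirect" for a in acts):
        return False, f"redirect (not mirror) to {target}: traffic would be diverted"
    return False, f"mirred actions present but none mirror to {target}"
```

Run it against both the ingress and the egress (or `ffff:fff3` / `ffff:fff2` for clsact) dumps of the mirrored interface; each direction needs its own passing result.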

Comment 33 errata-xmlrpc 2021-05-18 13:29:37 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: NetworkManager and libnma security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1574