Bug 1436535 - [RFE] Support port mirroring (SPAN)
Summary: [RFE] Support port mirroring (SPAN)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: NetworkManager
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Beniamino Galvani
QA Contact: Vladimir Benes
Docs Contact: Ioanna Gkioka
URL:
Whiteboard:
Depends On: 1546802
Blocks: 909199 1477926 1654714 1875967 1894575
Reported: 2017-03-28 06:40 UTC by Edward Haas
Modified: 2021-07-14 04:30 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 13:29:37 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Edward Haas 2017-03-28 06:40:39 UTC
There are several scenarios in which there is a need to duplicate traffic that passes through a device to a target device/remote.

Two common use cases for such a setup are: Intrusion detection(IDS/IPS) and traffic analysis.

RHV provides the ability to mirror traffic from a bridge or interface to a vnic, allowing the application on the VM to monitor the traffic. It is implemented through tc rules.

Comment 6 Lubomir Rintel 2018-01-15 16:10:27 UTC
*** Bug 909236 has been marked as a duplicate of this bug. ***

Comment 11 Vladimir Benes 2018-02-19 12:24:00 UTC
I was trying to set up some basic env. Taken from http://backreference.org/2014/06/17/port-mirroring-with-linux-bridges/ I tried this:

To do this, we need to attach a classifier (filter in tc speak) to the relevant qdisc. Simply put, a filter tries to match packets according to some criteria and, if the match succeeds, performs certain actions on them.

Let's start with the code to mirror incoming traffic for an interface, which is simpler. The first thing to do is to establish an ingress qdisc for the interface, as there's none by default:

# tc qdisc add dev bond0 ingress

This creates an ingress qdisc for bond0 and gives it the ffff: identifier (it's always ffff:, for any interface, so no surprises):

# tc qdisc show dev bond0
qdisc ingress ffff: parent ffff:fff1 ----------------

Now, as said, we attach a filter to it. This filter simply matches all packets, and mirrors them to dummy0. A filter is attached to a qdisc, so it must have a reference to the parent. Here's the syntax to create the filter:

# tc filter add dev bond0 parent ffff: \
    protocol all \
    u32 match u8 0 0 \
    action mirred egress mirror dev dummy0


I was able to catch basic dhcp response while upping bond0.0 and listening on dummy0. But I am unable to set this up via NM.

Comment 16 Filip Pokryvka 2019-05-27 14:19:10 UTC
(In reply to Lubomir Rintel from comment #13)
> https://github.com/NetworkManager/NetworkManager/pull/338

Could you please provide some info on how to set up mirroring as mentioned in c#11 in NetworkManager?

If I try to set the tc.tfilters via nmcli, any help I get is this:

   The valid syntax is: '[root | parent <handle>] [handle <handle>] <kind>'

How to fit 'protocol all u32 match u8 0 0 action mirred egress mirror dev dummy0' into that syntax? I cannot read that from the pull request above.

Thanks for help.

Comment 18 Vladimir Benes 2019-07-01 14:21:21 UTC
cannot make it in 7.7, moving to 7.8

Comment 19 Vladimir Benes 2019-07-01 14:22:25 UTC
to provide more details:
it still doesn't work as expected, we need to give it more care. 7.8.

Comment 22 Beniamino Galvani 2020-06-18 12:19:00 UTC
Upstream merge request:

 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/545

Port mirroring in NM can be configured in the following way:

 nmcli connection add type ethernet ifname eth3 con-name mirror autoconnect no
 nmcli connection modify mirror +tc.qdisc "root prio handle 10:"
 nmcli connection modify mirror +tc.qdisc "ingress handle ffff:"
 nmcli connection modify mirror +tc.tfilter "parent ffff: matchall action mirred egress mirror dev dummy1"
 nmcli connection modify mirror +tc.tfilter "parent 10: matchall action mirred egress mirror dev dummy1"
 nmcli connection up mirror

This will mirror all traffic (ingress and egress) on eth3 to dummy1.

Comment 23 Beniamino Galvani 2020-07-27 07:04:09 UTC
Alternative version using the 'clsact' qdisc:

    nmcli connection modify mirror +tc.qdisc "clsact"
    nmcli connection modify mirror +tc.tfilter "parent ffff:fff3 matchall action mirred egress mirror dev dummy1"
    nmcli connection modify mirror +tc.tfilter "parent ffff:fff2 matchall action mirred egress mirror dev dummy1"

(supported since https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/e6acf64859fc1b4cc125608604cf38ae77c85367 )
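
The following script is an added example and is not part of this bug report, of the backreference.org article quoted in comment 11, or of NetworkManager itself. It wraps the clsact variant from comment 23 in a shell function that emits the nmcli commands, and adds a verification step that parses the text output of `tc filter show dev <if> ingress|egress` for the `mirred (Egress Mirror to device ...)` action, so an operator can confirm that both legs of the SPAN actually reach the monitoring interface (for example the interface an IDS sensor listens on). The same check works for the `ingress` qdisc + u32 variant from comment 11, because the mirred action line is printed identically. The interface names eth3 and dummy1, the connection name "mirror", the RUN_LIVE switch and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the bug report or of NetworkManager itself.
# Builds the nmcli commands for a SPAN-style mirror connection (clsact
# variant from comment 23) and verifies from `tc filter show` output that a
# mirred "mirror" action to the expected monitor interface is present.
# Interface names (eth3, dummy1) and the connection name are assumptions.

# Print the nmcli commands that mirror both directions of $1 to $2 under
# connection name $3. With clsact, parent ffff:fff2 is the ingress hook and
# ffff:fff3 the egress hook; a matchall filter on each copies every frame.
mirror_nmcli_commands() {
    src=$1 mon=$2 con=$3
    cat <<EOF
nmcli connection add type ethernet ifname $src con-name $con autoconnect no
nmcli connection modify $con +tc.qdisc "clsact"
nmcli connection modify $con +tc.tfilter "parent ffff:fff2 matchall action mirred egress mirror dev $mon"
nmcli connection modify $con +tc.tfilter "parent ffff:fff3 matchall action mirred egress mirror dev $mon"
nmcli connection up $con
EOF
}

# Read `tc filter show dev <if> ingress` (or egress) text on stdin and print
# the target device of every mirred mirror action. tc prints such actions as
#   action order 1: mirred (Egress Mirror to device dummy1) pipe
# regardless of which hook the filter hangs on, since "egress" here refers
# to the target device's egress path.
mirror_targets() {
    sed -n 's/.*mirred (Egress Mirror to device \([^)]*\)).*/\1/p'
}

# Succeed only if the filter dump on stdin mirrors to device $1.
has_mirror_to() {
    mirror_targets | grep -qx -- "$1"
}

# Check both hooks of a live interface; returns 1 on the first missing leg.
# Needs root and iproute2, so it is only called when RUN_LIVE=1 (assumption).
verify_live_mirror() {
    src=$1 mon=$2
    for hook in ingress egress; do
        tc filter show dev "$src" "$hook" | has_mirror_to "$mon" \
            || { echo "no mirror to $mon on $src $hook" >&2; return 1; }
    done
    echo "ok: $src ingress+egress mirrored to $mon"
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
    mirror_nmcli_commands eth3 dummy1 mirror | sh -e
    verify_live_mirror eth3 dummy1
else
    # Dry run: show the commands and exercise the parser on a constructed
    # tc action line, so the script is usable without root.
    mirror_nmcli_commands eth3 dummy1 mirror
    printf '%s\n' 'action order 1: mirred (Egress Mirror to device dummy1) pipe' \
        | has_mirror_to dummy1 && echo "parser ok"
fi
```

Run it without arguments to see the commands and the dry-run parser check; set `RUN_LIVE=1` on a host where you are root and the interfaces exist to apply the connection and verify both hooks. The verification step is the part worth keeping in a deployment checklist: a mirror that silently stops copying one direction leaves the sensor blind to half of each flow, and `tc filter show` is the authoritative view of what the kernel is actually doing, independent of what the NM profile says.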

Comment 33 errata-xmlrpc 2021-05-18 13:29:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: NetworkManager and libnma security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1574

