There are several scenarios in which there is a need to duplicate traffic that passes through a device to a target device/remote.
Two common use cases for such a setup are intrusion detection (IDS/IPS) and traffic analysis.
RHV provides the ability to mirror traffic from a bridge or interface to a vnic, allowing the application on the VM to monitor the traffic. It is implemented through tc rules.
I was trying to set up some basic env. Taken from http://backreference.org/2014/06/17/port-mirroring-with-linux-bridges/ I tried this:
To do this, we need to attach a classifier (filter in tc speak) to the relevant qdisc. Simply put, a filter tries to match packets according to some criteria and, if the match succeeds, performs certain actions on them.
Let's start with the code to mirror incoming traffic for an interface, which is simpler. The first thing to do is to establish an ingress qdisc for the interface, as there's none by default:
# tc qdisc add dev bond0 ingress
This creates an ingress qdisc for bond0 and gives it the ffff: identifier (it's always ffff:, for any interface, so no surprises):
# tc qdisc show dev bond0
qdisc ingress ffff: parent ffff:fff1 ----------------
Now, as said, we attach a filter to it. This filter simply matches all packets, and mirrors them to dummy0. A filter is attached to a qdisc, so it must have a reference to the parent. Here's the syntax to create the filter:
# tc filter add dev bond0 parent ffff: \
protocol all \
u32 match u8 0 0 \
action mirred egress mirror dev dummy0
I was able to catch a basic DHCP response while upping bond0.0 and listening on dummy0. But I am unable to set this up via NM.
(In reply to Lubomir Rintel from comment #13)
> https://github.com/NetworkManager/NetworkManager/pull/338
Could you please provide some info on how to set up mirroring, as mentioned in c#11, in NetworkManager?
If I try to set the tc.tfilters via nmcli, any help I get is this:
The valid syntax is: '[root | parent <handle>] [handle <handle>] <kind>'
How to fit 'protocol all u32 match u8 0 0 action mirred egress mirror dev dummy0' into that syntax? I cannot read that from the pull request above.
Thanks for help.
Comment 22 Beniamino Galvani
2020-06-18 12:19:00 UTC
Upstream merge request:
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/545
Port mirroring in NM can be configured in the following way:
nmcli connection add type ethernet ifname eth3 con-name mirror autoconnect no
nmcli connection modify mirror +tc.qdisc "root prio handle 10:"
nmcli connection modify mirror +tc.qdisc "ingress handle ffff:"
nmcli connection modify mirror +tc.tfilter "parent ffff: matchall action mirred egress mirror dev dummy1"
nmcli connection modify mirror +tc.tfilter "parent 10: matchall action mirred egress mirror dev dummy1"
nmcli connection up mirror
This will mirror all traffic (ingress and egress) on eth3 to dummy1.
Comment 23 Beniamino Galvani
2020-07-27 07:04:09 UTC
Alternative version using the 'clsact' qdisc:
nmcli connection modify mirror +tc.qdisc "clsact"
nmcli connection modify mirror +tc.tfilter "parent ffff:fff3 matchall action mirred egress mirror dev dummy1"
nmcli connection modify mirror +tc.tfilter "parent ffff:fff2 matchall action mirred egress mirror dev dummy1"
(supported since https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/e6acf64859fc1b4cc125608604cf38ae77c85367)
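The two nmcli recipes above (the prio + ingress qdisc pair from comment 22 and the clsact variant from comment 23), wrapped in a small script that can apply either one and then check the filters NetworkManager actually installed. This is an added example, not code from the bug report or from the NetworkManager project. The interface name eth3, the destination device dummy1, the connection name 'mirror' and all function names are assumptions; 'apply' needs root and a NetworkManager with the fix, 'verify' parses 'tc filter show' output for the mirred actions, and with no argument the script only defines its functions.

```shell
#!/bin/sh
# Added example (not from the bug report): the nmcli port-mirroring recipes from
# comments 22 ("prio" + "ingress" qdiscs) and 23 ("clsact" qdisc) as functions,
# plus a verification step. Interface, device and connection names are placeholders.

MIRROR_IF="${MIRROR_IF:-eth3}"      # monitored interface (assumed name)
MIRROR_DST="${MIRROR_DST:-dummy1}"  # device that receives the copied packets
CON_NAME="${CON_NAME:-mirror}"      # NetworkManager connection name
VARIANT="${VARIANT:-clsact}"        # "prio" (comment 22) or "clsact" (comment 23)

# Print the nmcli commands that mirror all ingress and egress traffic of
# interface $1 to device $2 inside connection $3, using qdisc variant $4.
mirror_nmcli_cmds() {
    ifname=$1; dst=$2; con=$3; variant=$4
    act="matchall action mirred egress mirror dev $dst"
    echo "nmcli connection add type ethernet ifname $ifname con-name $con autoconnect no"
    case $variant in
    prio)
        # Two qdiscs: 'root prio' holds the egress filter, 'ingress' the incoming side.
        echo "nmcli connection modify $con +tc.qdisc \"root prio handle 10:\""
        echo "nmcli connection modify $con +tc.qdisc \"ingress handle ffff:\""
        echo "nmcli connection modify $con +tc.tfilter \"parent ffff: $act\""
        echo "nmcli connection modify $con +tc.tfilter \"parent 10: $act\""
        ;;
    clsact)
        # One qdisc with two hooks: ffff:fff2 is the ingress hook, ffff:fff3 the egress hook.
        echo "nmcli connection modify $con +tc.qdisc \"clsact\""
        echo "nmcli connection modify $con +tc.tfilter \"parent ffff:fff2 $act\""
        echo "nmcli connection modify $con +tc.tfilter \"parent ffff:fff3 $act\""
        ;;
    *)
        echo "unknown variant: $variant (use prio or clsact)" >&2
        return 1
        ;;
    esac
    echo "nmcli connection up $con"
}

# Dump the filters tc reports for both directions of interface $1 (variant $2).
live_mirror_filters() {
    ifname=$1; variant=$2
    if [ "$variant" = prio ]; then
        tc filter show dev "$ifname" parent ffff:
        tc filter show dev "$ifname" parent 10:
    else
        tc filter show dev "$ifname" ingress
        tc filter show dev "$ifname" egress
    fi
}

# Read 'tc filter show' output on stdin and succeed only when at least $2 mirred
# actions copying packets to device $1 are present (2 means both directions).
# tc prints "Egress Mirror" for both filters: the direction names where the copy
# is injected (the egress path of the destination device), not where it was taken.
verify_mirror_output() {
    dst=$1; want=$2
    n=$(grep -c "mirred (Egress Mirror to device $dst)" || true)
    [ "$n" -ge "$want" ]
}

case "${1:-}" in
apply)  mirror_nmcli_cmds "$MIRROR_IF" "$MIRROR_DST" "$CON_NAME" "$VARIANT" | sh -e ;;
verify) live_mirror_filters "$MIRROR_IF" "$VARIANT" \
          | verify_mirror_output "$MIRROR_DST" 2 \
          && echo "ok: $MIRROR_IF mirrors both directions to $MIRROR_DST" ;;
*)      ;;  # no argument: only define the functions (usage: sh mirror.sh apply|verify)
esac
```

Usage: 'VARIANT=prio sh mirror.sh apply' reproduces comment 22 exactly, the default reproduces comment 23, and 'sh mirror.sh verify' afterwards fails unless tc shows a mirred action towards the destination device on both the ingress and the egress side, which is the check the reporter was missing when the nmcli help text gave no hint of where the filter string goes.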
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (Moderate: NetworkManager and libnma security, bug fix, and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2021:1574