Very funky action. I do plan to add a few more things to it.
This is the basic stuff. Idea borrowed from the way ethernet switches
mirror and redirect packets.

Usage:

mirred <DIRECTION> <ACTION> [index INDEX] <dev DEVICENAME>
where:
DIRECTION := <ingress | egress>
ACTION := <mirror | redirect>
INDEX is the specific policy instance id
DEVICENAME is the devicename
Direction Ingress is not supported at the moment. It will be in the
future, as well as mirror/redirecting to a socket.

Mirroring essentially takes a copy of the packet, whereas redirecting
steals the packet and redirects it to the specified destination.

What NOT to do if you don't want your machine to crash:
------------------------------------------------------

Do not create loops!
Loops are not hard to create in the egress qdiscs.

Here are simple rules to follow if you don't want to get
hurt:
A) Do not have the same packet go to the same netdevice twice
in a single graph of policies. Your machine will just hang!
This is design intent _not a bug_ to teach you some lessons.

In the future if there are easy ways to do this in the kernel
without affecting other packets not interested in this feature
I will add them. At the moment that is not clear.

Some examples of bad things to do:
1) redirecting eth0 to eth0
2) eth0->eth1->eth0
3) eth0->lo->eth1->eth0

B) Do not redirect from one IFB device to another.
Remember that IFB is a very specialized case of packet redirecting
device. Instead of redirecting, it puts packets back at the exact spot
on the stack it found them from.
This bad policy will actually not crash your machine, but your
packets will all be dropped (this is much simpler to detect
and resolve and only affects users of ifb as opposed to the
whole stack).

In the case of A) the problem has to do with a recursive contention
for the device's queue lock, and in the second case for the transmit lock.
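Rules A) and B) can be checked offline before any filter is loaded. The following is an added example and not part of the mirred documentation: a POSIX sh check that takes the planned mirred edges as "src dst" lines (a mirred action on src sending packets to dst; this input format and the function names are my own) and flags any path that returns to its own device (rule A) or any IFB-to-IFB redirect (rule B).

```shell
#!/bin/sh
# Added example, not from the iproute2 doc: sanity-check a planned set of
# mirred policies against rules A and B before loading them with tc.
# Edges are "src dst" lines: a mirred action on src sends packets to dst.

# reachable START EDGES: print a space-padded list of every device a
# packet can reach from START by following EDGES (includes START itself)
reachable() {
    seen=" $1 "
    frontier=$1
    while [ -n "$frontier" ]; do
        next=""
        for node in $frontier; do
            for succ in $(printf '%s\n' "$2" | awk -v n="$node" '$1 == n { print $2 }'); do
                case "$seen" in
                    *" $succ "*) ;;                          # already visited
                    *) seen="$seen$succ "; next="$next $succ" ;;
                esac
            done
        done
        frontier=$next
    done
    printf '%s' "$seen"
}

# check_graph EDGES: print one line per violation; return 0 if clean, 1 otherwise
check_graph() {
    edges=$1
    rc=0
    oldifs=$IFS
    IFS='
'
    for line in $edges; do
        IFS=$oldifs
        set -- $line
        src=$1; dst=$2
        # rule B: a redirect between two IFB devices silently drops everything
        case "$src/$dst" in
            ifb*/ifb*) echo "rule B: $src -> $dst redirects IFB to IFB"; rc=1 ;;
        esac
        # rule A: if src is reachable again from dst, the packet revisits
        # its own device and the machine hangs on the queue/transmit lock
        case "$(reachable "$dst" "$edges")" in
            *" $src "*) echo "rule A: $src -> $dst closes a loop"; rc=1 ;;
        esac
    done
    IFS=$oldifs
    return $rc
}
```

Feed it the same edges you are about to express as tc filters; a non-zero exit means one of the policies above would hang the box or blackhole traffic.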
Some examples:
------------

1) Mirror all packets arriving on eth0 to be sent out on eth1.
You may have a sniffer or some accounting box hooked up on eth1.

tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: protocol ip prio 10 u32 \
match u32 0 0 flowid 1:2 action mirred egress mirror dev eth1

If you replace "mirror" with "redirect" then not a copy but rather
the original packet is sent to eth1.
2) Host A is hooked up to us on eth0

tc qdisc add dev lo ingress
# redirect all packets arriving on ingress of lo to eth0
tc filter add dev lo parent ffff: protocol ip prio 10 u32 \
match u32 0 0 flowid 1:2 action mirred egress redirect dev eth0

On host A start a tcpdump on the interface connecting to us.

On our host: ping -c 2 127.0.0.1

Ping would fail since all packets are heading out eth0;
tcpdump on host A would show them.

If you substitute the redirect with mirror above, as in:
tc filter add dev lo parent ffff: protocol ip prio 10 u32 \
match u32 0 0 flowid 1:2 action mirred egress mirror dev eth0

then you should see the packets on both host A and the local
stack (i.e. ping would work).
3) Even more funky example:

#
# allow 1 out of 10 packets to randomly make it to
# host A (randomness uses the netrand generator)
#
tc filter add dev lo parent ffff: protocol ip prio 10 u32 \
match u32 0 0 flowid 1:2 \
action drop random determ ok 10 \
action mirred egress mirror dev eth0
4)
# for packets coming from 10.0.0.9:
# redirect packets on egress, if exceeding a 100Kbps rate,
# to eth1
#

tc qdisc add dev eth0 handle 1:0 root prio

tc filter add dev eth0 parent 1:0 protocol ip prio 6 u32 \
match ip src 10.0.0.9/32 flowid 1:16 \
action police rate 100kbit burst 90k ok \
action mirred egress mirror dev eth1

---
A more interesting example is when you mirror flows to a dummy device
so you could tcpdump them (dummy by default drops all packets it sees).
This is a very useful debug feature.

Let's say you are policing packets from alias 192.168.200.200/32;
you don't want those to exceed 100kbps going out.

tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \
match ip src 192.168.200.200/32 flowid 1:2 \
action police rate 100kbit burst 90k drop

If you run tcpdump on eth0 you will see all packets going out
with src 192.168.200.200/32, dropped or not.
Extend the rule a little to see only the ones that made it out:

tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \
match ip src 192.168.200.200/32 flowid 1:2 \
action police rate 10kbit burst 90k drop \
action mirred egress mirror dev dummy0

Now fire up tcpdump on dummy0 to see only those packets:
tcpdump -n -i dummy0 -x -e -t

Essentially a good debugging/logging interface (sort of like what
BSD's specialized log device does, without needing one).

If you replace mirror with redirect, those packets will be
blackholed and will never make it out. This redirect behavior
changes with the new patch (but not the mirror).

cheers,
jamal