tc - mirred ingress not supported at the moment

Tue, 13 Aug 2019 03:53:03 -0700 

Two questions regarding tc-mirred:

1)
The manual ( https://www.linux.org/docs/man8/tc-mirred.html ) states:

  OPTIONS
    ingress
    egress
      Specify the direction in which the packet shall appear on the
destination interface.
      Currently only egress is implemented.

I verify to see if this is still true, and unfortunately it is:

# tc filter add dev eno2 parent ffff: prio 999  protocol all matchall
action mirred ingress redirect dev mon0
mirred ingress not supported at the moment
bad action parsing
parse_action: bad value (5:mirred)!
Illegal "action"

Q1: Why was 'ingress' not implemented at the same time as 'egress'?



2)
Ok, so I have to use 'egress':
# tc filter add dev eno2 parent ffff: prio 999  protocol all matchall
action mirred egress redirect dev mon0

Since the mirred action forces me to use 'egress' as the direction on
the dest interface, all kinds of network statistics tools show
incorrect counters. :-(
eno2 is a pure sniffer interface (it is connected to the SPAN dest
port of a switch).
All packets (matchall) on eno2 are mirrored to mon0.

# ip -s link show dev eno2
    ...
    ...
    RX: bytes  packets  errors  dropped overrun mcast
    13660757   16329    0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0
# ip -s link show dev mon0
    ...
    ...
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    13660757   16329    0       0       0       0

eno2 and mon0 should be identical, but they are inverted.
When I graph all interfaces of the machine, the traffic graph for
'mon0' is incorrect since it shows 100% egress when the traffic really
is ingress.

As a human I can re-enterpret the mon0 graph when looking at it, but
it is harder for automated tools to do the right thing without
explicit node configuration/exceptions in the tool. This is annoying
when you have tools that graph hundreds of different types of nodes
with different kinds of interface types, and want all graphs to be
visually simillar for easy comparison.
Tool output that mon0 has sent 16329 packets is also plain wrong. It
has really *received* these packets.

Q2: So... Can the 'ingress' option please be implemented? (I'm no
programmer, so unfortunetly I can't do it myself).

/Martin

Reply via email to