Date: Thu, 3 Oct 2019 21:24:45 +0200
From: Andrew Lunn
To: Vladimir Oltean
Cc: f.fainelli@gmail.com, vivien.didelot@gmail.com, davem@davemloft.net, netdev@vger.kernel.org
Subject: Re: [PATCH net-next] net: dsa: Allow port mirroring to the CPU port
Message-ID: <20191003192445.GD21875@lunn.ch>
References: <20191002233750.13566-1-olteanv@gmail.com>
In-Reply-To: <20191002233750.13566-1-olteanv@gmail.com>

On Thu, Oct 03, 2019 at 02:37:50AM +0300, Vladimir Oltean wrote:
> On a regular netdev, putting it in promiscuous mode means receiving all
> traffic passing through it, whether or not it was destined to its MAC
> address. Then monitoring applications such as tcpdump can see all
> traffic transiting it.
>
> On Ethernet switches, clearly all ports are in promiscuous mode by
> definition, since they accept frames destined to any MAC address.
> However tcpdump does not capture all frames transiting switch ports,
> only the ones destined to, or originating from the CPU port.
>
> To be able to monitor frames with tcpdump on the CPU port, extend the tc
> matchall classifier and mirred action to support the DSA master port as
> a possible mirror target.
>
> Tested with:
> tc qdisc add dev swp2 clsact
> tc filter add dev swp2 ingress matchall skip_sw \
> 	action mirred egress mirror dev eth2
> tcpdump -i swp2

Humm.

O.K, i don't like this for a few reasons.

egress mirror dev eth2

Frames are supposed to egress eth2. But in fact they will ingress on
eth2. That is not intuitive.

I'm also not sure how safe it is to ingress mirror packets on the
master interface. Will they have DSA tags? I think that will vary from
device to device. Are we going to see some packets twice? Once for the
mirror, and a second time because they are destined to the CPU? Do we
end up processing the packets twice?

For your use case of wanting to see packets in tcpdump, i think we are
back to the discussion of what promisc mode means. I would prefer that
when a DSA slave interface is put into promisc mode for tcpdump, the
switch then forwards a copy of frames to the CPU, without
duplication. That is a much more intuitive model.

	Andrew