hellt / netdevops.me

"Applying devops to networks" blog
https://netdevops.me

Fix tc script for pseudo-wire #6

Closed vincentbernat closed 3 years ago

hellt commented 3 years ago

thanks @vincentbernat !

vincentbernat commented 3 years ago

I have toyed a bit on how to not have locally generated traffic on the wire as well and from my tests, the following would work:

        # Drop locally-generated traffic. The idea is that
        # locally-generated traffic has a bound socket and a family.
        # Alternatively "pkt_type eq 0" also seems to work, but as it
        # means "to us", it seems more fragile.
        tc qdisc add dev $A root prio
        tc filter add dev $A basic match 'meta(sk_family gt 0)' action drop
        tc qdisc add dev $B root prio
        tc filter add dev $B basic match 'meta(sk_family gt 0)' action drop

        # Port mirroring
        tc qdisc add dev $A ingress
        tc filter add dev $A parent ffff: matchall action mirred egress redirect dev $B
        tc qdisc add dev $B ingress
        tc filter add dev $B parent ffff: matchall action mirred egress redirect dev $A

        # Promisc
        ip link set promisc on dev $A
        ip link set promisc on dev $B

It successfully filters regular traffic, things like LLDP and also traffic generated by the kernel, like router solicitation.