On Tue, Aug 13, 2019 at 4:05 AM Martin Olsson <martin.olsson+net...@sentorsecurity.com> wrote:
> Q1: Why was 'ingress' not implemented at the same time as 'egress'?

Because you are using an old iproute2. ingress support is added by:
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=5eca0a3701223619a513c7209f7d9335ca1b4cfa

> 2)
> Ok, so I have to use 'egress':
> # tc filter add dev eno2 parent ffff: prio 999 protocol all matchall
> action mirred egress redirect dev mon0

So you redirect packets from eno2's ingress to mon0's egress.

>
> Since the mirred action forces me to use 'egress' as the direction on
> the dest interface, all kinds of network statistics tools show
> incorrect counters. :-(
> eno2 is a pure sniffer interface (it is connected to the SPAN dest
> port of a switch).
> All packets (matchall) on eno2 are mirrored to mon0.
>
> # ip -s link show dev eno2
> ...
> ...
> RX: bytes packets errors dropped overrun mcast
> 13660757 16329 0 0 0 0
> TX: bytes packets errors dropped carrier collsns
> 0 0 0 0 0 0
> # ip -s link show dev mon0
> ...
> ...
> RX: bytes packets errors dropped overrun mcast
> 0 0 0 0 0 0
> TX: bytes packets errors dropped carrier collsns
> 13660757 16329 0 0 0 0
>
> eno2 and mon0 should be identical, but they are inverted.

Yes, this behavior is correct. The keyword "egress" in your cmdline
already says so.

>
> Q2: So... Can the 'ingress' option please be implemented? (I'm no
> programmer, so unfortunately I can't do it myself).

It is completed, you need to update your iproute2 and kernel.

Thanks.