On a regular netdev, putting it in promiscuous mode means receiving all
traffic passing through it, whether or not it was destined to its MAC
address. Then monitoring applications such as tcpdump can see all
traffic transiting it.
On Ethernet switches, clearly all ports are in promiscuous mode by
definition, since they accept frames destined to any MAC address.
However tcpdump does not capture all frames transiting switch ports,
only the ones destined to, or originating from the CPU port.
To be able to monitor frames with tcpdump on the CPU port, extend the tc
matchall classifier and mirred action to support the DSA master port as
a possible mirror target.
Tested with:
tc qdisc add dev swp2 clsact
tc filter add dev swp2 ingress matchall skip_sw \
action mirred egress mirror dev eth2
tcpdump -i swp2
Signed-off-by: Vladimir Oltean <olte...@gmail.com>
---
net/dsa/slave.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/dsa/slave.c b/net/dsa/slave.c
index 75d58229a4bd..5db0a4f45e7b 100644
--- a/net/dsa/slave.c
+++ b/net/dsa/slave.c
@@ -872,7 +872,7 @@ static int dsa_slave_add_cls_matchall(struct net_device
*dev,
__be16 protocol = cls->common.protocol;
struct dsa_switch *ds = dp->ds;
struct flow_action_entry *act;
- struct dsa_port *to_dp;
+ const struct dsa_port *to_dp;
int err = -EOPNOTSUPP;
if (!ds->ops->port_mirror_add)
@@ -889,7 +889,11 @@ static int dsa_slave_add_cls_matchall(struct net_device
*dev,
if (!act->dev)
return -EINVAL;
- if (!dsa_slave_dev_check(act->dev))
+ if (dsa_slave_dev_check(act->dev))
+ to_dp = dsa_slave_to_port(act->dev);
+ else if (act->dev == dp->cpu_dp->master)
+ to_dp = dp->cpu_dp;
+ else
return -EOPNOTSUPP;
mall_tc_entry = kzalloc(sizeof(*mall_tc_entry), GFP_KERNEL);
@@ -900,8 +904,6 @@ static int dsa_slave_add_cls_matchall(struct net_device
*dev,
mall_tc_entry->type = DSA_PORT_MALL_MIRROR;
mirror = &mall_tc_entry->mirror;
- to_dp = dsa_slave_to_port(act->dev);
-
mirror->to_local_port = to_dp->index;
mirror->ingress = ingress;
--
2.17.1
