Very funky action. I do plan to add a few more things to it.
This is the basic stuff. The idea is borrowed from the way ethernet switches
mirror and redirect packets.
mirred <DIRECTION> <ACTION> [index INDEX] <dev DEVICENAME>

DIRECTION := <ingress | egress>
ACTION := <mirror | redirect>
INDEX is the specific policy instance id
DEVICENAME is the name of the device the packet is sent to

DIRECTION says where on DEVICENAME the packet is injected: egress
transmits it out of the device, ingress feeds it into the device's
receive path.
Mirroring essentially takes a copy of the packet, whereas redirecting
steals the packet and sends it to the specified destination.
Host A is hooked up to us on eth0.

# attach an ingress qdisc to lo so filters can be hung off it
tc qdisc add dev lo ingress
# redirect all packets arriving on ingress of lo to eth0
tc filter add dev lo parent ffff: protocol ip prio 10 u32 \
match u32 0 0 flowid 1:2 action mirred egress redirect dev eth0
On host A start a tcpdump on the interface connecting to us.

On our host: ping -c 2 127.0.0.1

Ping would fail since all packets are heading out eth0;
tcpdump on host A would show them.
If you substitute the redirect with mirror above, as in:
tc filter add dev lo parent ffff: protocol ip prio 10 u32 \
match u32 0 0 flowid 1:2 action mirred egress mirror dev eth0

then you should see the packets on both host A and the local
stack (i.e. ping would work).
Even more funky example:

# allow 1 out of 10 packets to make it to host A. "determ" picks
# every 10th packet deterministically; "netrand" would pick 1 in 10
# pseudo-randomly instead. The surviving packet must be passed on
# with "pipe": "ok" would end the action chain before mirred runs.
tc filter add dev lo parent ffff: protocol ip prio 10 u32 \
match u32 0 0 flowid 1:2 \
action drop random determ pipe 10 \
action mirred egress mirror dev eth0
# for packets coming from 10.0.0.9:
# redirect packets on egress of eth0 (to ISP A) to eth1 (to ISP B)
# if they exceed a certain rate. Exceeding packets are piped to
# mirred; conforming ones take the policer's default "ok" and
# leave via eth0 as usual.

tc qdisc add dev eth0 handle 1:0 root prio

tc filter add dev eth0 parent 1:0 protocol ip prio 6 u32 \
match ip src 10.0.0.9/32 flowid 1:16 \
action police rate 100kbit burst 90k conform-exceed pipe \
action mirred egress redirect dev eth1
A more interesting example is when you mirror flows to a dummy device
so you can tcpdump them (a dummy device by default drops every packet
it receives). This is a very useful debug feature.
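As an added example (not part of this document or of iproute2), the script below wraps the debug tap just described: it creates a dummy device, attaches an ingress qdisc to the source interface and mirrors everything arriving there to the dummy, where tcpdump can read the copies while the originals continue up the stack. The mirred_filter helper also covers the ingress/egress and mirror/redirect combinations of the syntax at the top of the page. The device names eth0 and tcmirror0, the helper names, and the DRY_RUN switch are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the iproute2 documentation: a tc mirred "debug
# tap". Assumed names: SRC_DEV (default eth0), TAP_DEV (default tcmirror0).
# DRY_RUN=1 prints the commands instead of running them, which also lets
# the script be exercised without root or real interfaces.

SRC_DEV="${SRC_DEV:-eth0}"
TAP_DEV="${TAP_DEV:-tcmirror0}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or print it on one line when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mirred_filter DEV DIRECTION ACTION TARGET [PRIO]
# Emits the "match anything" u32 filter used throughout this page, with a
# mirred action that mirrors or redirects to the egress of TARGET.
# DIRECTION picks the qdisc on DEV the filter hangs off: the ingress qdisc
# (parent ffff:) or a root egress qdisc with handle 1: (parent 1:), which
# must already exist, e.g. "tc qdisc add dev DEV handle 1:0 root prio".
mirred_filter() {
    dev=$1; direction=$2; action=$3; target=$4; prio=${5:-10}
    case "$direction" in
        ingress) parent="ffff:" ;;
        egress)  parent="1:" ;;
        *) echo "mirred_filter: direction must be ingress or egress" >&2; return 1 ;;
    esac
    case "$action" in
        mirror|redirect) ;;
        *) echo "mirred_filter: action must be mirror or redirect" >&2; return 1 ;;
    esac
    run tc filter add dev "$dev" parent "$parent" protocol ip prio "$prio" u32 \
        match u32 0 0 flowid 1:2 action mirred egress "$action" dev "$target"
}

# tap_up: create the dummy, attach an ingress qdisc to SRC_DEV and mirror
# everything arriving there to the dummy. The dummy drops whatever reaches
# it, so the copies exist only for tcpdump to look at.
tap_up() {
    run ip link add "$TAP_DEV" type dummy
    run ip link set "$TAP_DEV" up
    run tc qdisc add dev "$SRC_DEV" ingress
    mirred_filter "$SRC_DEV" ingress mirror "$TAP_DEV"
}

# tap_down: undo tap_up. Deleting the ingress qdisc removes its filters too.
tap_down() {
    run tc qdisc del dev "$SRC_DEV" ingress
    run ip link del "$TAP_DEV"
}

case "${1:-}" in
    up)   tap_up ;;
    down) tap_down ;;
    "")   ;;   # no argument: define the functions only
    *)    echo "usage: $0 up|down   (then: tcpdump -ni $TAP_DEV)" >&2; exit 1 ;;
esac
```

Run it as root with `up`, then `tcpdump -ni tcmirror0`; `down` removes the ingress qdisc (and with it the filter) and the dummy. With DRY_RUN=1 it only prints the tc and ip commands it would issue, which is a cheap way to review a mirred change before it touches a production box.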