Hello I am working on a school project whose goal is to implement a traffic mirroring function inside bridge kernel module. I implemented the function that lets: - select the mirrored interface(s) - select ingress, egress or both traffic to be mirrored - select the output interface(s) Examples: a) brctl mirror br0 eth0 ingress brclt mirror br0 eth1 destination All incoming traffic on eth0 will be mirrored on eth1. b) brctl mirror br0 eth0 egress brclt mirror br0 eth1 destination All outgoing traffic from eth0 will be mirrored on eth1. c) brctl mirror br0 eth0 both brclt mirror br0 eth1 destination All incoming and outgoing traffic coming on or from eth0 will be mirrored on eth1. Following is the patch against kernel v3.12. I also implemented the userspace counterpart, I'll send the patch in another mail. Thank you for giving some feedback on the code and about its possible commit into kernel main tree. diff -urBb old/br_forward.c new/br_forward.c --- old/br_forward.c 2013-11-12 14:55:59.054134721 +0100 +++ new/br_forward.c 2013-11-12 14:35:28.262134745 +0100 @@ -62,6 +62,30 @@ } +void br_mirror_xmit(const struct net_bridge_port *p, struct sk_buff *skb, u8 mask) +{ + struct net_bridge_port *pos; + struct sk_buff *clone; + /* See if port has mirroring activated on incoming packet + ,outgoing packet or both depending on mask */ + if(p->mirror_state & mask) + { + /* Look at each bridge port if one is a mirroring destination */ + + list_for_each_entry(pos,&p->br->port_list,list) + { + if(pos->mirror_state & BR_MIRROR_DST) + { + /* Set clone device so it is sent on destination port */ + clone = skb_copy(skb, GFP_ATOMIC); + clone->dev = pos->dev; + skb_push(clone, ETH_HLEN); + dev_queue_xmit(clone); + } + } + } +} + static void __br_deliver(const struct net_bridge_port *to, struct sk_buff *skb) { skb = br_handle_vlan(to->br, nbp_get_vlan_info(to), skb); @@ -70,6 +94,8 @@ skb->dev = to->dev; + br_mirror_xmit(to,skb,BR_MIRROR_TX); + if (unlikely(netpoll_tx_running(to->br->dev))) { if (packet_length(skb) > skb->dev->mtu && !skb_is_gso(skb)) kfree_skb(skb); diff -urBb old/br_input.c new/br_input.c --- old/br_input.c 2013-11-12 14:55:59.054134721 +0100 +++ new/br_input.c 2013-11-12 14:35:28.262134745 +0100 @@ -216,6 +216,8 @@ } } + br_mirror_xmit(p,skb,BR_MIRROR_RX); + forward: switch (p->state) { case BR_STATE_FORWARDING: diff -urBb old/br_private.h new/br_private.h --- old/br_private.h 2013-11-12 14:55:59.054134721 +0100 +++ new/br_private.h 2013-11-13 15:57:33.668402893 +0100 @@ -159,6 +159,12 @@ u32 designated_cost; unsigned long designated_age; + /* Mirroring */ +#define BR_MIRROR_RX 0x01 +#define BR_MIRROR_TX 0x02 +#define BR_MIRROR_DST 0x04 + u8 mirror_state; + struct timer_list forward_delay_timer; struct timer_list hold_timer; struct timer_list message_age_timer; @@ -424,6 +430,7 @@ bool unicast); extern void br_flood_forward(struct net_bridge *br, struct sk_buff *skb, struct sk_buff *skb2, bool unicast); +extern void br_mirror_xmit(const struct net_bridge_port *p, struct sk_buff *skb, u8 mask); /* br_if.c */ extern void br_port_carrier_check(struct net_bridge_port *p); diff -urBb old/br_sysfs_if.c new/br_sysfs_if.c --- old/br_sysfs_if.c 2013-11-12 14:55:59.054134721 +0100 +++ new/br_sysfs_if.c 2013-11-12 14:35:28.262134745 +0100 @@ -161,6 +161,18 @@ BRPORT_ATTR_FLAG(learning, BR_LEARNING); BRPORT_ATTR_FLAG(unicast_flood, BR_FLOOD); +static ssize_t show_mirror_state(struct net_bridge_port *p, char *buf) +{ + return sprintf(buf, "%d\n", p->mirror_state); +} +static int store_mirror_state(struct net_bridge_port *p, unsigned long v) +{ + p->mirror_state = v; + return 0; +} +static BRPORT_ATTR(mirror_state, S_IRUGO | S_IWUSR, + show_mirror_state, store_mirror_state); + #ifdef CONFIG_BRIDGE_IGMP_SNOOPING static ssize_t show_multicast_router(struct net_bridge_port *p, char *buf) { @@ -199,6 +211,7 @@ &brport_attr_root_block, &brport_attr_learning, &brport_attr_unicast_flood, + &brport_attr_mirror_state, #ifdef CONFIG_BRIDGE_IGMP_SNOOPING &brport_attr_multicast_router, &brport_attr_multicast_fast_leave, _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
Userspace patch for the mirroring function made against bridge-utils 1.5 : ------------------------------------------------------------------------------------------ diff -urBb old/brctl/brctl_cmd.c new1/brctl/brctl_cmd.c --- old/brctl/brctl_cmd.c 2013-11-13 10:37:48.635728832 +0100 +++ new1/brctl/brctl_cmd.c 2013-11-13 10:59:58.915775559 +0100 @@ -438,6 +438,56 @@ return err != 0; } +static int br_cmd_mirror(int argc, char *const* argv) +{ + int mirror_state = 0, err; + const char *brname = *++argv; + const char *ifname = *++argv; + const char *ifmode = *++argv; + + if (!strcmp(ifmode, "dst") || !strcmp(ifmode, "destination") + || !strcmp(ifmode, "4")) + mirror_state |= BR_MIRROR_DST ; + + else if (!strcmp(ifmode, "both") || !strcmp(ifmode, "all") + || !strcmp(ifmode, "3")) + mirror_state |= (BR_MIRROR_RX | BR_MIRROR_TX); + + else if (!strcmp(ifmode, "tx") || !strcmp(ifmode, "egress") + || !strcmp(ifmode, "2")) + mirror_state |= BR_MIRROR_TX; + + else if (!strcmp(ifmode, "rx") || !strcmp(ifmode, "ingress") + || !strcmp(ifmode, "1")) + mirror_state |= BR_MIRROR_RX; + + else if (!strcmp(ifmode, "off") || !strcmp(ifmode, "no") + || !strcmp(ifmode, "0")) + mirror_state &= BR_MIRROR_OFF; + + else { + fprintf(stderr, "expect rx/tx/both/off/dst for argument\n"); + return 1; + } + if (if_nametoindex(ifname) == 0) { + fprintf(stderr, "interface %s does not exist!\n", + ifname); + return 1; + } else if (if_nametoindex(brname) == 0) { + fprintf(stderr, "bridge %s does not exist!\n", + brname); + return 1; + } + + err = br_set_mirror_state(brname, ifname, mirror_state); + + if (err) { + fprintf(stderr, "can't set %s to %s state on bridge %s: %s\n", + ifname,ifmode,brname, strerror(err)); + } + return err != 0; +} + static const struct command commands[] = { { 1, "addbr", br_cmd_addbr, "<bridge>\t\tadd bridge" }, { 1, "delbr", br_cmd_delbr, "<bridge>\t\tdelete bridge" }, @@ -469,6 +519,8 @@ "<bridge>\t\tshow bridge stp info"}, { 2, "stp", br_cmd_stp, "<bridge> {on|off}\tturn stp on/off" }, + { 3, "mirror", br_cmd_mirror, + "<bridge> <interface> {rx|tx|both|off|dst}\tset interface mirroring state" }, }; const struct command *command_lookup(const char *cmd) diff -urBb old/libbridge/libbridge_devif.c new1/libbridge/libbridge_devif.c --- old/libbridge/libbridge_devif.c 2013-11-13 10:37:39.767722700 +0100 +++ new1/libbridge/libbridge_devif.c 2013-11-13 11:05:23.431777935 +0100 @@ -272,6 +272,7 @@ fetch_tv(path, "forward_delay_timer", &info->forward_delay_timer_value); fetch_tv(path, "hold_timer", &info->hold_timer_value); info->hairpin_mode = fetch_int(path, "hairpin_mode"); + info->mirror_state = fetch_int(path, "mirror_state"); closedir(d); @@ -388,6 +389,11 @@ return port_set(bridge, port, "hairpin_mode", hairpin_mode, 0); } +int br_set_mirror_state(const char *bridge, const char *port, int mirror_state) +{ + return port_set(bridge, port, "mirror_state", mirror_state, 0); +} + static inline void __copy_fdb(struct fdb_entry *ent, const struct __fdb_entry *f) { diff -urBb old/libbridge/libbridge.h new1/libbridge/libbridge.h --- old/libbridge/libbridge.h 2013-11-13 10:51:53.359776785 +0100 +++ new1/libbridge/libbridge.h 2013-11-13 11:09:32.159787057 +0100 @@ -82,8 +82,14 @@ struct timeval forward_delay_timer_value; struct timeval hold_timer_value; unsigned char hairpin_mode; + unsigned char mirror_state; }; +#define BR_MIRROR_OFF 0x00 +#define BR_MIRROR_RX 0x01 +#define BR_MIRROR_TX 0x02 +#define BR_MIRROR_DST 0x04 + extern int br_init(void); extern int br_refresh(void); extern void br_shutdown(void); @@ -117,4 +123,6 @@ unsigned long skip, int num); extern int br_set_hairpin_mode(const char *bridge, const char *dev, int hairpin_mode); +extern int br_set_mirror_state(const char *brname, const char *dev, + int mirror_state); #endif _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.