- veth device from CNI/CNM plugin: eth0
- tap device that connects to the VM: tap0
```sh
tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: protocol all u32 match u8 0 0 action mirred egress redirect dev tap0
tc qdisc add dev tap0 ingress
tc filter add dev tap0 parent ffff: protocol all u32 match u8 0 0 action mirred egress redirect dev eth0
```
`tc qdisc add dev eth0 ingress`

- Add a queuing discipline
- on `dev eth0`
- attach the `ingress` qdisc. Here the handle defaults to `ffff:`.

`tc filter add dev eth0 parent ffff: protocol all u32 match u8 0 0 action mirred egress redirect dev tap0`

- Add a filter
- to device `dev eth0`
- to parent (class) handle `ffff:`, i.e. the ingress qdisc we created before (there is no need for `tc class add` in the ingress case, as it does not support classful queuing disciplines)
- `protocol all`: match packets of every protocol
- classifier `u32`
- parameters to the classifier `u8 0 0`: AND the first byte of the packet with mask 0 and compare the result with 0; since the result is always 0, the match is always true
- `action mirred egress redirect dev tap0`: redirect the packet to the egress side of `dev tap0`
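The same setup as a reusable script, added here as an example that is not part of the original notes or of any CNI/Firecracker project; it assumes the device names `eth0` and `tap0` from above, iproute2's `tc`, and root privileges to apply the commands (setting `TC=echo` prints them instead). It goes beyond the notes with a mirror variant that copies traffic to a monitoring interface instead of redirecting it.

```sh
#!/bin/sh
# Added example: bidirectional tc mirred redirect between a veth (eth0) and a
# tap (tap0), plus a mirror variant for a monitoring tap. Assumes iproute2's
# tc and root privileges; set TC=echo to print the commands instead of running them.
TC=${TC:-tc}

# Print the two tc commands that redirect all ingress packets on $1 to the
# egress side of $2 (exactly the commands explained above).
redirect_plan() {
    printf '%s\n' \
        "qdisc add dev $1 ingress" \
        "filter add dev $1 parent ffff: protocol all u32 match u8 0 0 action mirred egress redirect dev $2"
}

# Mirror variant (beyond the notes): copy, rather than redirect, every ingress
# packet on $1 to $2, so traffic on $1 still flows normally while a sensor
# attached to $2 sees a copy of it.
mirror_plan() {
    printf '%s\n' \
        "qdisc add dev $1 ingress" \
        "filter add dev $1 parent ffff: protocol all u32 match u8 0 0 action mirred egress mirror dev $2"
}

# Run each line of a plan as one tc command; stop at the first failure.
apply_plan() {
    while read -r args; do
        # shellcheck disable=SC2086  # word splitting of $args is intended
        $TC $args || return 1
    done
}

# veth $1 <-> tap $2: packets entering either device leave through the other.
setup_pair() {
    redirect_plan "$1" "$2" | apply_plan &&
    redirect_plan "$2" "$1" | apply_plan
}

# Undo setup_pair: deleting the ingress qdisc also removes its filters.
teardown_pair() {
    $TC qdisc del dev "$1" ingress
    $TC qdisc del dev "$2" ingress
}

# Return 0 if the ingress of $1 already carries a mirred redirect towards $2
# (tc shows the action as "mirred (Egress Redirect to device $2)").
has_redirect() {
    $TC filter show dev "$1" ingress 2>/dev/null |
        grep -q "Egress Redirect to device $2"
}
```

Run `setup_pair eth0 tap0` once the tap exists and `has_redirect eth0 tap0` to confirm the filter is in place; `teardown_pair eth0 tap0` removes both directions.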
http://geertj.blogspot.com/2010/12/network-security-monitoring-with-kvm.html