Hi,
On 10. Oct 2023, at 17:02, Jamal Hadi Salim <jhs@mojatatu.com> wrote:
> This is a tough one - as it stands right now we don't see a good way out. It's either "exploitable by root / userns" or break uapi. Christian - can you send your "working" scripts, simplified if possible, and we'll take a look.

Sure, what kind of simplification are we talking about? Something like this?

#### snip
#!/bin/bash
modprobe ifb
modprobe act_mirred

uplink=eth0
uplink_ingress=ifb0

tc qdisc add dev $uplink handle ffff: ingress
ifconfig $uplink up

tc filter add dev $uplink parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $uplink_ingress

tc qdisc add dev $uplink_ingress root handle 1: hfsc default 1
tc class add dev $uplink_ingress parent 1: classid 1:999 hfsc rt m2 2.5gbit
tc class add dev $uplink_ingress parent 1:999 classid 1:1 hfsc sc rate 50mbit
#### snap

This should provoke the error reliably. You might need to point it at whatever network interface is available but need to be prepared to lose connectivity.
Christian
Kind regards, Christian Theune