 hw/net/virtio-net.c  |  12 +-
 include/net/filter.h |   6 +
 include/net/net.h    |   6 +
 net/filter-mirror.c  | 379 ++++++++++++++++++++++++++++++++++++++++++-
 net/filter.c         |  17 +-
 net/net.c            |  10 +-
 6 files changed, 417 insertions(+), 13 deletions(-)

Hi, All

This series adds AF_PACKET-based capture and injection datapath
support for the vhost TAP device in filter.

Example usage (not changed from the existing upstream code)
=============
Primary VM (mirror incoming packets to secondary via chardev socket):

    -netdev tap,id=net0,vhost=on,...
    -chardev socket,id=mirror0,host=...,port=...,server=on,wait=off
    -object filter-redirector,id=vm1redir,netdev=net0,outdev=mirror0...

Secondary VM (receive mirrored packets):

    -netdev tap,id=net0,vhost=on,...
    -chardev socket,id=red0,host=...,port=...,reconnect-ms=..
    -object filter-buffer,id=swbuf,netdev=net0,queue=tx,interval=1000000,status=off.....
    -object filter-redirector,id=r1,netdev=net0,queue=tx,indev=red0,status=off,enable_when_stopped=true.... \

Changeset
===========
Changes in v2:
1. add support for filter-buffer
2. remove the in_netdev and out_netdev for AF_PACKET bind port, now only use netdev;
   when vhost=on, use AF_PACKET to capture and inject, when vhost=off, use
   the existing code
3. add CAP_NET_RAW check
4. address the comment

Changes in v3:
1. reuse the existing capture/inject process

Testing
=======
- Tested with vhost=on/off TAP device on x86_64

Known issues:
============
1. Compilation should be disabled on non-Linux platforms. Will fix in next version.
2. Sometimes the secondary VM receives duplicate packets. Will fix this in next version.

Cindy Lu (7):
  net/filter-mirror: keep mirroring while stopped
  virtio-net: keep tap read polling disabled while vhost owns RX
  net/filter-redirector: add AF_PACKET netdev setup helpers
  net/filter-redirector: add AF_PACKET capture path
  net/filter-redirector: add AF_PACKET inject path
  net/filter: allow filters on vhost TAP backends
  net/filter-redirector: check CAP_NET_RAW before creating AF_PACKET

 hw/net/virtio-net.c  |  12 +-
 include/net/filter.h |   6 +
 include/net/net.h    |   6 +
 net/filter-mirror.c  | 379 ++++++++++++++++++++++++++++++++++++++++++-
 net/filter.c         |  17 +-
 net/net.c            |  10 +-
 6 files changed, 417 insertions(+), 13 deletions(-)

--
2.52.0

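The v2 changelog above lists a CAP_NET_RAW check made before the AF_PACKET socket is created. As an added example (not code from this series or from QEMU), one way to do such a preflight on Linux is to read the effective capability mask from /proc/self/status; the function names here are illustrative assumptions.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define CAP_NET_RAW_BIT 13 /* CAP_NET_RAW in <linux/capability.h> */

/* 1 if the CapEff mask in /proc/<pid>/status text has CAP_NET_RAW, 0 if not, -1 if unparsable. */
int status_has_net_raw(const char *status)
{
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            const char *v = p + 7;
            while (*v == ' ' || *v == '\t') v++;
            if (!isxdigit((unsigned char)*v)) return -1; /* key without a hex mask */
            unsigned long long eff = strtoull(v, NULL, 16);
            return (int)((eff >> CAP_NET_RAW_BIT) & 1);
        }
        p = strchr(p, '\n'); /* advance to the next line */
        if (p) p++;
    }
    return -1;
}

/* Effective capabilities of the calling process; -1 if /proc is unreadable. */
int self_has_net_raw(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return status_has_net_raw(buf);
}

int main(void)
{
    if (self_has_net_raw() != 1) { /* fail closed with a clear message */
        fprintf(stderr, "CAP_NET_RAW not effective: not opening AF_PACKET\n");
        return 1;
    }
    int fd = socket(AF_PACKET, SOCK_RAW, htons(0x0003)); /* ETH_P_ALL */
    if (fd < 0) { perror("socket(AF_PACKET)"); return 1; }
    close(fd);
    return 0;
}
```

Checking the effective set rather than the permitted set matters here: a process can hold CAP_NET_RAW in CapPrm and still get EPERM from socket() if the capability has not been raised into CapEff.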
On Mon, Mar 30, 2026 at 5:09 PM Cindy Lu <lulu@redhat.com> wrote:
>
> Hi, All
>
> This series adds AF_PACKET-based capture and injection datapath
> support for the vhost TAP device in filter.
>
> Example usage (not changed from the existing upstream code)
> =============
> Primary VM (mirror incoming packets to secondary via chardev socket):
>
> -netdev tap,id=net0,vhost=on,...
> -chardev socket,id=mirror0,host=...,port=...,server=on,wait=off
> -object filter-redirector,id=vm1redir,netdev=net0,outdev=mirror0...
>
> Secondary VM (receive mirrored packets):
>
> -netdev tap,id=net0,vhost=on,...
> -chardev socket,id=red0,host=...,port=...,reconnect-ms=..

Is this for packet socket?

> -object filter-buffer,id=swbuf,netdev=net0,queue=tx,interval=1000000,status=off.....
> -object filter-redirector,id=r1,netdev=net0,queue=tx,indev=red0,status=off,enable_when_stopped=true.... \
>
> Changeset
> ===========
> Changes in v2:
> 1. add support for filter-buffer
> 2. remove the in_netdev and out_netdev for AF_PACKET bind port, now only use netdev;
>    when vhost=on, use AF_PACKET to capture and inject, when vhost=off, use
>    the existing code
> 3. add CAP_NET_RAW check
> 4. address the comment
>
> Changes in v3:
> 1. reuse the existing capture/inject process
>
> Testing
> =======
> - Tested with vhost=on/off TAP device on x86_64
>
> Known issues:
> ============
> 1. Compilation should be disabled on non-Linux platforms. Will fix in next version.
> 2. Sometimes the secondary VM receives duplicate packets. Will fix this in next version.
>
>
> Cindy Lu (7):
>   net/filter-mirror: keep mirroring while stopped
>   virtio-net: keep tap read polling disabled while vhost owns RX
>   net/filter-redirector: add AF_PACKET netdev setup helpers
>   net/filter-redirector: add AF_PACKET capture path
>   net/filter-redirector: add AF_PACKET inject path
>   net/filter: allow filters on vhost TAP backends
>   net/filter-redirector: check CAP_NET_RAW before creating AF_PACKET
>
>  hw/net/virtio-net.c  |  12 +-
>  include/net/filter.h |   6 +
>  include/net/net.h    |   6 +
>  net/filter-mirror.c  | 379 ++++++++++++++++++++++++++++++++++++++++++-
>  net/filter.c         |  17 +-
>  net/net.c            |  10 +-
>  6 files changed, 417 insertions(+), 13 deletions(-)
>
> --
> 2.52.0
>

Thanks

On Wed, Apr 1, 2026 at 10:16 AM Jason Wang <jasowang@redhat.com> wrote:

> On Mon, Mar 30, 2026 at 5:09 PM Cindy Lu <lulu@redhat.com> wrote:
> >
> > Hi, All
> >
> > This series adds AF_PACKET-based capture and injection datapath
> > support for the vhost TAP device in filter.
> >
> > Example usage (not changed from the existing upstream code)
> > =============
> > Primary VM (mirror incoming packets to secondary via chardev socket):
> >
> > -netdev tap,id=net0,vhost=on,...
> > -chardev socket,id=mirror0,host=...,port=...,server=on,wait=off
> > -object filter-redirector,id=vm1redir,netdev=net0,outdev=mirror0...
> >
> > Secondary VM (receive mirrored packets):
> >
> > -netdev tap,id=net0,vhost=on,...
> > -chardev socket,id=red0,host=...,port=...,reconnect-ms=..
>
> Is this for packet socket?
>

This connects to the

    -chardev socket,id=red0,host=127.0.0.1,port=9003,reconnect-ms=1000 \

in the Primary VM to mirror the packet. Should I also change this into a packet socket?
I didn't change the inside filter process in this code and only changed the capture and inject.

Thanks
cindy

> > -object filter-buffer,id=swbuf,netdev=net0,queue=tx,interval=1000000,status=off.....
> > -object filter-redirector,id=r1,netdev=net0,queue=tx,indev=red0,status=off,enable_when_stopped=true.... \
> >
> > Changeset
> > ===========
> > Changes in v2:
> > 1. add support for filter-buffer
> > 2. remove the in_netdev and out_netdev for AF_PACKET bind port, now only use netdev;
> >    when vhost=on, use AF_PACKET to capture and inject, when vhost=off, use
> >    the existing code
> > 3. add CAP_NET_RAW check
> > 4. address the comment
> >
> > Changes in v3:
> > 1. reuse the existing capture/inject process
> >
> > Testing
> > =======
> > - Tested with vhost=on/off TAP device on x86_64
> >
> > Known issues:
> > ============
> > 1. Compilation should be disabled on non-Linux platforms. Will fix in next version.
> > 2. Sometimes the secondary VM receives duplicate packets. Will fix this in next version.
> >
> >
> > Cindy Lu (7):
> >   net/filter-mirror: keep mirroring while stopped
> >   virtio-net: keep tap read polling disabled while vhost owns RX
> >   net/filter-redirector: add AF_PACKET netdev setup helpers
> >   net/filter-redirector: add AF_PACKET capture path
> >   net/filter-redirector: add AF_PACKET inject path
> >   net/filter: allow filters on vhost TAP backends
> >   net/filter-redirector: check CAP_NET_RAW before creating AF_PACKET
> >
> >  hw/net/virtio-net.c  |  12 +-
> >  include/net/filter.h |   6 +
> >  include/net/net.h    |   6 +
> >  net/filter-mirror.c  | 379 ++++++++++++++++++++++++++++++++++++++++++-
> >  net/filter.c         |  17 +-
> >  net/net.c            |  10 +-
> >  6 files changed, 417 insertions(+), 13 deletions(-)
> >
> > --
> > 2.52.0
> >
>
> Thanks
>