Hi, > On 10. Oct 2023, at 17:02, Jamal Hadi Salim <jhs@xxxxxxxxxxxx> wrote: > > This is a tough one - as it stands right now we dont see a good way > out. It's either "exploitable by root / userns" or break uapi. > Christian - can you send your "working" scripts, simplified if > possible, and we'll take a look. Sure, what kind of simplification are we talking about? Something like this? #### snip #!/bin/bash modprobe ifb modprobe act_mirred uplink=eth0 uplink_ingress=ifb0 tc qdisc add dev $uplink handle ffff: ingress ifconfig $uplink up tc filter add dev $uplink parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $uplink_ingress tc qdisc add dev $uplink_ingress root handle 1: hfsc default 1 tc class add dev $uplink_ingress parent 1: classid 1:999 hfsc rt m2 2.5gbit tc class add dev $uplink_ingress parent 1:999 classid 1:1 hfsc sc rate 50mbit #### snap This should provoke the error reliably. You might need to point it at whatever network interface is available but need to be prepared to loose connectivity. Christian Liebe Grüße, Christian Theune -- Christian Theune · ct@xxxxxxxxxxxxxxx · +49 345 219401 0 Flying Circus Internet Operations GmbH · https://flyingcircus.io Leipziger Str. 70/71 · 06108 Halle (Saale) · Deutschland HR Stendal HRB 21169 · Geschäftsführer: Christian Theune, Christian Zagrodnick
