[ovs-discuss] Port mirroring

Fréderich Nord fnord at i2pmail.org
Sat Aug 25 12:58:31 UTC 2012


On Fri, 24 Aug 2012 12:33:51 +0000 (UTC)
Fréderich Nord <fnord at i2pmail.org> wrote:

> However, now I want to add another function, namely "post-iptables port
> mirroring." So traffic comes in from the provider to either veth0 or
> veth1. Then I want to filter it using iptables, and only then I want
> the data which has not been dropped or rejected to be mirrored to
> another port (vmir0) for use with Snort.
> 
> The question is, how can I do this? Are there better ways to handle a
> situation like mine?

After trawling through Google's search results with many keywords, I found the
answer to the second question: "yes, use OpenFlow."

In particular the email that can be found here seems to contain a fairly
similar question:

http://www.mail-archive.com/discuss@openvswitch.org/msg03464.html

Oliver asked how he could use efficient OpenFlow rules to filter
certain traffic. Ben replied with this suggestion:

> You don't need a table per VM.  Use table 0 to check your ingress
> rules and resubmit to table 1 if they pass.  Use table 1 to check
> egress rules and forward to the destination if they pass.

I am interested to learn how I can do this so that I can filter ingress
and egress on the eth0 port. Perhaps I can extend this later for
traffic between ports of the internal hosts. But how do tables work in
the Open vSwitch sense?

I would appreciate it if someone could help me with examples regarding
this idea, using Open vSwitch of course:

* explicitly accept traffic from eth0 (my ISP) to IP A, B, C and vice
  versa;
* drop all other traffic;
* mirror (copy, duplicate) all accepted traffic to one particular port
  so that it can be analysed (using Snort in my case);
* suggestions for how to handle DNAT/SNAT, which still requires
  iptables if I understand correctly.

Sadly I have not received a reply to my other emails, but I really hope
someone is willing to help me out. Or please tell me if I am asking
the wrong questions. Open vSwitch interests me, I am eager to learn more,
and I will be appreciative of any help I can get. So I would be much
obliged.

Kind regards, Fréderich.
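The following is an added example written for this thread; it is not code from the original post or from the Open vSwitch project. It shows Ben's two-table layout applied to the wish list above: table 0 accepts only IP (and the matching ARP) traffic between the ISP uplink and hosts A, B and C and drops everything else; table 1, which is only reachable by resubmit from table 0, copies every accepted packet to the mirror port before delivering it. Everything about the bridge layout is an assumption made for the example: eth0 is OpenFlow port 1, veth0 and veth1 are ports 2 and 3, vmir0 (where Snort listens) is port 4, the hosts use TEST-NET-1 addresses 192.0.2.10 to .12, and A and B sit behind veth0 with C behind veth1. Check the real port numbers with `ovs-ofctl show br0` before applying anything.

```shell
#!/bin/sh
# Added example for the ovs-discuss thread above; not code from the
# original post or from the Open vSwitch project.  It generates an
# ovs-ofctl flow file that does "filter in table 0, mirror + forward in
# table 1" and, on request, loads it into a bridge.
#
# Assumed (constructed) layout of bridge br0:
#   eth0  = OpenFlow port 1  (ISP uplink)
#   veth0 = OpenFlow port 2, veth1 = OpenFlow port 3  (internal hosts)
#   vmir0 = OpenFlow port 4  (mirror port that Snort listens on)
# Hosts A, B and C use TEST-NET-1 addresses; A and B are behind veth0,
# C behind veth1.  Verify the real numbers with: ovs-ofctl show br0
ISP_PORT=1
VETH0_PORT=2
VETH1_PORT=3
MIRROR_PORT=4
HOSTS="192.0.2.10:$VETH0_PORT 192.0.2.11:$VETH0_PORT 192.0.2.12:$VETH1_PORT"

gen_flows() {
    for pair in $HOSTS; do
        ip=${pair%%:*}
        port=${pair##*:}
        # Table 0 (filter): ISP -> host and host -> ISP for the listed
        # addresses only.  Accepted packets are resubmitted to table 1;
        # in_port is preserved across the resubmit, so table 1 can still
        # tell which side a packet came from.
        echo "table=0,priority=100,in_port=$ISP_PORT,ip,nw_dst=$ip,actions=resubmit(,1)"
        echo "table=0,priority=100,in_port=$port,ip,nw_src=$ip,actions=resubmit(,1)"
        # ARP for those addresses has to pass as well or no IP traffic
        # ever flows (assumption: the same accept list applies to ARP).
        echo "table=0,priority=90,in_port=$ISP_PORT,arp,arp_tpa=$ip,actions=resubmit(,1)"
        echo "table=0,priority=90,in_port=$port,arp,arp_spa=$ip,actions=resubmit(,1)"
    done
    # Default deny: anything not explicitly accepted above, including
    # anything arriving on the mirror port itself, is dropped here.
    echo "table=0,priority=0,actions=drop"

    # Table 1 (mirror + forward): only reachable via table 0, so every
    # packet here has already passed the filter.  Copy it to the mirror
    # port first, then deliver it to its real destination.
    for pair in $HOSTS; do
        ip=${pair%%:*}
        port=${pair##*:}
        echo "table=1,priority=100,in_port=$ISP_PORT,ip,nw_dst=$ip,actions=output:$MIRROR_PORT,output:$port"
        echo "table=1,priority=100,in_port=$ISP_PORT,arp,arp_tpa=$ip,actions=output:$MIRROR_PORT,output:$port"
    done
    # Whatever else reaches table 1 came from an internal port (table 0
    # only resubmits the two directions above), so it goes out to the ISP.
    echo "table=1,priority=50,actions=output:$MIRROR_PORT,output:$ISP_PORT"
}

apply_flows() {
    # Replace the bridge's whole flow table with the generated one.
    bridge=$1
    tmp=$(mktemp)
    gen_flows > "$tmp"
    ovs-ofctl replace-flows "$bridge" "$tmp"
    rm -f "$tmp"
}

case "${1:-show}" in
    apply) apply_flows "${2:-br0}" ;;   # sh filter-mirror.sh apply br0
    *)     gen_flows ;;                 # sh filter-mirror.sh   (just print)
esac
```

Two caveats a practitioner would want. First, these rules are stateless: there is no connection tracking, so the return direction is accepted only because it matches its own nw_src rule, and DNAT/SNAT is left to iptables exactly as the post assumes. Second, mirroring here is just the OpenFlow `output:` action issued after the filter, which is what "post-filter mirroring" needs; Open vSwitch also has a Mirror table in the database that copies traffic per port, but that copy happens regardless of what the flow table later drops.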


