Hi all,

Imagine the following scenario on a Xen machine:

* eth0 connected to vSwitch0
* vSwitch0 has two internal ports veth0, veth1
* it has 'fake' bridges vnet10, vnet20 (with tag 10 and 20)
* proxyarp is enabled on those fake bridges;
* veth0 is used only for forwarding,
* veth1 is used only for input/output.

I have been allocated 4 IP addresses. My hoster routes the first three to veth0's MAC/IP. The fourth IP is routed to veth1's MAC/IP. That is why I have specific MAC addresses on veth0 and veth1.

So with veth0 and veth1 each using one IP, I put one virtual machine on vnet10 and one on vnet20. Then I use ip routes and rules to route the traffic. So traffic flow goes like this:

eth0 <--> vswitch0 <--> veth0 <--> vnet10 <--> VM1 | <--> veth1

This all works and I can use iptables on the Xen host to restrict traffic to itself and its VMs.

However, now I want to add another function, namely "post iptables port mirroring." So traffic comes in from the provider to either veth0 or veth1. Then I want to filter it using iptables and only then I want the data which has not been dropped or rejected to be mirrored to another port (vmir0) for use with Snort.

The question is, how can I do this? Are there better ways to handle a situation like mine?

I appreciate any help and insights.

Thanks,
Fréderich.

_______________________________________________
discuss mailing list
discuss@openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss
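An added example, not part of the post above and not Open vSwitch project code, of the mirror setup a reply to this question would typically describe. An OVS mirror copies frames as they pass through the switch, so it cannot be placed "after" the host's netfilter chains directly; what can be done is to mirror the VLAN-tagged side of vswitch0 (tags 10 and 20, the fake bridges vnet10/vnet20), because a packet only reaches that side after the host stack has routed it, i.e. after iptables accepted it. Traffic that terminates on the host itself via veth1 never re-enters the switch and is not covered by this mirror. The bridge, port and tag names come from the post; the mirror name "snort-mirror", the show/apply/clear sub-commands and the Snort config path are assumptions of this script.

```shell
#!/bin/sh
# Added example (not from the original post): print, apply or remove an OVS
# mirror that copies the VLAN 10/20 side of vswitch0 to the internal port
# vmir0, where Snort can listen. Only the "apply" and "clear" modes run
# ovs-vsctl; the default "show" mode just prints the commands.

BRIDGE="${BRIDGE:-vswitch0}"
MIRROR_PORT="${MIRROR_PORT:-vmir0}"
MIRROR_NAME="${MIRROR_NAME:-snort-mirror}"   # assumed name
VLANS="${VLANS:-10,20}"                      # tags of the fake bridges vnet10 / vnet20

# Command that creates the mirror output port as an internal port (idempotent).
mirror_port_cmd() {
    printf 'ovs-vsctl -- --may-exist add-port %s %s -- set Interface %s type=internal\n' \
        "$BRIDGE" "$MIRROR_PORT" "$MIRROR_PORT"
}

# One ovs-vsctl transaction that creates the Mirror row and attaches it to
# the bridge. select_vlan matches frames carrying one of the listed tags
# inside the switch: packets the host has already routed (after iptables)
# towards the VMs, plus the VMs' replies before they reach the host.
mirror_cmd() {
    printf 'ovs-vsctl -- --id=@out get Port %s -- --id=@m create Mirror name=%s select_vlan=%s output_port=@out -- set Bridge %s mirrors=@m\n' \
        "$MIRROR_PORT" "$MIRROR_NAME" "$VLANS" "$BRIDGE"
}

# Command that detaches every mirror from the bridge again.
clear_cmd() {
    printf 'ovs-vsctl clear Bridge %s mirrors\n' "$BRIDGE"
}

# Snort then listens on the mirror port. OVS reserves a mirror output port for
# mirroring and ignores frames received on it, so nothing sent from the
# sensor side leaks back into the switch. Config path is an assumption.
snort_cmd() {
    printf 'snort -i %s -c /etc/snort/snort.conf\n' "$MIRROR_PORT"
}

case "${1:-show}" in
    show)  mirror_port_cmd; mirror_cmd; snort_cmd ;;
    apply) { mirror_port_cmd; mirror_cmd; } | sh -e ;;
    clear) clear_cmd | sh -e ;;
    *)     echo "usage: $0 [show|apply|clear]" >&2; exit 2 ;;
esac
```

Run it without arguments to review the generated ovs-vsctl commands, with `apply` to install the mirror, and with `clear` to remove it. If the host-terminated traffic on veth1 also needs to reach the sensor after filtering, that has to be done in netfilter itself (for example an NFLOG or TEE rule placed at the end of the INPUT chain) rather than in the switch.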