On Sat, Aug 25, 2012 at 5:58 AM, Fréderich Nord <fn...@i2pmail.org> wrote:
> On Fri, 24 Aug 2012 12:33:51 +0000 (UTC) > Fréderich Nord <fn...@i2pmail.org> wrote: > > > However, now I want add another function namely "post iptables port > > mirroring." So traffic comes in from the provider to either veth0 or > > veth1. Then I want to filter it using iptables and only then I want > > the data which has not been dropped or rejected to be mirrored to > > another port (vmir0) for use with Snort. > > > > The question is, how can I do this? Are there better ways to handle a > > situation like mine? > > After roaming Google's search results with so many keywords I found the > answer to the second question: "yes, use openFlow." > > In particular the email that can be found here seems to contain a fairly > similar question: > > http://www.mail-archive.com/discuss@openvswitch.org/msg03464.html > > Oliver asked how he could use efficient openflow rules to filter > certain traffic. Ben replied with this suggestion: > > > You don't need a table per VM. Use table 0 to check your ingress > > rules and resubmit to table 1 if they pass. Use table 1 to check > > egress rules and forward to the destination if they pass. > > I am interested to learn how I can do this so that I can filter ingress > and egress on the eth0 port. Perhaps I can extend this later for > traffic between ports of the internal hosts. But how do tables work in > the openvswitch sense? > > I would appreciate it if someone can help me with examples regarding > this idea, using OpenVSwitch of course: > > * explicitly accept traffic from eth0 (my ISP) to IP A, B, C and vice > versa; > * drop all other traffic; > * Mirror (copy, duplicate) all accepted traffic to one certain port > so that it can be analysed (using Snort in my case). > * Suggestions for how to handle DNAT/SNAT, which still requires > iptables if i understand correctly. > > Sadly I have not received a reply to my other emails but I really hope > someone is willing to help me out. Or please tell me if I am asking > the wrong questions. OpenVSwitch interests me, I am eager to learn more, > and I will be appreciative of any help I can get. So I would be much > obliged. > If you haven't already, reading man pages of ovs-vswitchd.conf.db and ovs-vsctl for information about mirroring will help. Reading man pages of ovs-ofctl for openflow rules will help. Thanks, Guru > > Kind regards, Fréderich. > _______________________________________________ > discuss mailing list > discuss@openvswitch.org > http://openvswitch.org/mailman/listinfo/discuss >
_______________________________________________ discuss mailing list discuss@openvswitch.org http://openvswitch.org/mailman/listinfo/discuss
