This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-users] virtual mirror port on xen

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] virtual mirror port on xen
From: Michael Stegk <lists.michael@xxxxxxxxx>
Date: Tue, 29 Jun 2010 08:21:55 +0200
Delivery-date: Mon, 28 Jun 2010 23:25:28 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx

I am trying to get a Snort-based IDS running on a DomU. The IDS needs to be able to intercept all packets regarding communication between DomUs and between the Dom0 and the physical network. It is obviously important that other DomUs receive only their dedicated packets. This is pretty much known as a mirror port on "normal" switches.

I know that Snort-related threads have been discussed on this list already, and I would like to contribute my progress so far.

I got a basic idea from here: http://support.citrix.com/article/CTX116204. The document describes how to turn the "virtual switch" into a hub by setting the ageing time of the bridge to 0.

#brctl setageing eth0 0

That does the job; after this the DomU receives all packets as I desired. Unfortunately all DomUs get those packets, so I tried to solve this with ebtables.


I run Xen 3.2.1 on Debian lenny (Linux 2.6.26-2-xen-amd64).

These are the VMs:

DomU A with IDS
DomU B normal VM
DomU C normal VM without network connection

DomU A should be able to intercept communication between B and C

I worked out the following ebtables rules:

ebtables -P FORWARD DROP
ebtables -A FORWARD -d 00:16:3e:4a:17:95/ff:ff:ff:ff:ff:00 -o vif5.0 -j ACCEPT   # DOM B MAC & vif
ebtables -A FORWARD -s 00:16:3e:4a:17:95/ff:ff:ff:ff:ff:00 -i vif5.0 -j ACCEPT   # DOM B MAC & vif
ebtables -A FORWARD -o vif5.0 -j DROP

ebtables -A FORWARD -o vif6.0 -j ACCEPT                 # Dom A vif
ebtables -A FORWARD -i vif6.0 -j ACCEPT                 # Dom A vif

here is what the bridge looks like:

# brctl show
bridge name     bridge id               STP enabled     interfaces
eth0            8000.90e6ba36355f       no              peth0

# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 5, policy: DROP
-d 0:16:3e:4a:17:0/ff:ff:ff:ff:ff:0 -o vif5.0 -j ACCEPT
-s 0:16:3e:4a:17:0/ff:ff:ff:ff:ff:0 -i vif5.0 -j ACCEPT
-o vif5.0 -j DROP
-o vif6.0 -j ACCEPT
-i vif6.0 -j ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

I test the setup by running tcpdump on the DomUs and sending ICMP echo requests (a simple ping) to the DomUs from a machine outside the Dom0.

DomU A works as expected and receives all traffic.
DomU B receives the reply packets from Dom0.
DomU C is unable to communicate with other hosts but also receives reply packets from Dom0.

So my problem is how to stop DomU B & C from receiving reply packets not meant for them.

Any ideas or new concepts would be appreciated.


Michael Stegk
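The following is an added example, not code from the original post or from Xen: a small POSIX shell script that generates a complete ebtables rule set for the mirror-port layout described above (one IDS vif that sees everything, every other DomU restricted to frames for its own MAC). It is built on two points the post's rule set leaves out. First, with the bridge ageing time set to 0 the bridge never learns addresses, so every frame, including Dom0's own replies, is flooded to every port. Second, frames that Dom0 itself sends are not bridged between two ports, so ebtables passes them through the OUTPUT chain rather than FORWARD; a DROP policy on FORWARD alone therefore never touches them, which is consistent with DomU B and C still seeing Dom0's replies. The bridge name, vif names and MAC addresses in the script are placeholders chosen for the example, not values taken from the post, and the script only prints the commands by default so it can be reviewed before being applied as root.

```sh
#!/bin/sh
# Added example (not from the original post): generate an ebtables rule set
# that turns a Xen bridge into a "mirror port" for one IDS DomU while every
# other DomU only receives frames addressed to its own MAC.
#
# Assumptions (placeholders, not taken from the post): the physical port is
# peth0, the IDS DomU is on vif6.0, and the normal DomUs are listed in DOMUS
# as "vif MAC" pairs.  Frames originated by Dom0 itself are not bridged, so
# they are filtered by the OUTPUT chain, not FORWARD; both chains are covered.

PHYS_VIF="${PHYS_VIF:-peth0}"
IDS_VIF="${IDS_VIF:-vif6.0}"
# One "vif mac" pair per line (constructed sample values).
DOMUS="vif5.0 00:16:3e:4a:17:95
vif7.0 00:16:3e:4a:17:96"

# rule: print one ebtables command line; the caller decides whether to run it.
rule() { printf 'ebtables %s\n' "$*"; }

# mirror_rules: emit the complete rule set, default-deny on FORWARD and OUTPUT.
mirror_rules() {
  rule -F FORWARD
  rule -F OUTPUT
  rule -P FORWARD DROP
  rule -P OUTPUT DROP
  # The physical uplink is unrestricted in both directions.
  rule -A FORWARD -i "$PHYS_VIF" -j ACCEPT
  rule -A FORWARD -o "$PHYS_VIF" -j ACCEPT
  rule -A OUTPUT -o "$PHYS_VIF" -j ACCEPT
  # The IDS port gets every flooded frame, and may send (e.g. for updates).
  rule -A FORWARD -o "$IDS_VIF" -j ACCEPT
  rule -A FORWARD -i "$IDS_VIF" -j ACCEPT
  rule -A OUTPUT -o "$IDS_VIF" -j ACCEPT
  # Every other DomU: only frames to its own MAC, plus broadcast/multicast
  # (needed for ARP), may leave through its vif; only frames carrying its
  # own MAC as source may enter from it (this also blocks MAC spoofing).
  printf '%s\n' "$DOMUS" | while read -r vif mac; do
    [ -n "$vif" ] || continue
    rule -A FORWARD -o "$vif" -d "$mac" -j ACCEPT
    rule -A FORWARD -o "$vif" -d Broadcast -j ACCEPT
    rule -A FORWARD -o "$vif" -d Multicast -j ACCEPT
    rule -A FORWARD -i "$vif" -s "$mac" -j ACCEPT
    rule -A OUTPUT -o "$vif" -d "$mac" -j ACCEPT
    rule -A OUTPUT -o "$vif" -d Broadcast -j ACCEPT
    rule -A OUTPUT -o "$vif" -d Multicast -j ACCEPT
  done
}

# apply_rules: run the generated commands (needs root and the ebtables tool).
apply_rules() {
  mirror_rules | while read -r cmd; do
    eval "$cmd" || { echo "failed: $cmd" >&2; return 1; }
  done
}

# Default action: print the rules for review; run apply_rules to install them.
[ "${1:-print}" = apply ] && apply_rules || mirror_rules
```

Run the script without arguments to review the generated rule set, and with `apply` as root to install it; then repeat the post's check (ping from outside, tcpdump inside each DomU): the IDS vif should still see everything, while the other DomUs should now see only frames for their own MAC plus broadcast/multicast, whether the frame was bridged from another port or sent by Dom0 itself. Keep in mind that `ebtables -P OUTPUT DROP` also governs Dom0's own traffic to the physical network, which is why the uplink port is explicitly accepted in OUTPUT as well.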
