
[Xen-users] virtual mirror port on xen


I am trying to get a Snort-based IDS running on a DomU. The IDS needs to be able to intercept all packets regarding communication between DomUs and between the Dom0 and the physical network. It is obviously important that other DomUs receive only their dedicated packets. This is pretty much known as a mirror port on "normal" switches.

I know that Snort-related threads have been discussed on this list already, and I would like to contribute my progress so far.

I got a basic idea from here: http://support.citrix.com/article/CTX116204. The document describes how to turn the "virtual switch" into a hub by setting the ageing of the bridge to 0.

# brctl setageing eth0 0

That does the job; after this the DomU receives all packets as I desired. Unfortunately all DomUs get those packets, so I tried to solve this with ebtables.


I run Xen 3.2.1 on Debian lenny (Linux 2.6.26-2-xen-amd64).

These are the VMs:

DomU A with IDS
DomU B normal VM
DomU C normal VM without network connection

DomU A should be able to intercept communication between B and C.

I worked out the following ebtables rules:

ebtables -P FORWARD DROP
ebtables -A FORWARD -d 00:16:3e:4a:17:95/ff:ff:ff:ff:ff:00 -o vif5.0 -j ACCEPT   # Dom B MAC & vif
ebtables -A FORWARD -s 00:16:3e:4a:17:95/ff:ff:ff:ff:ff:00 -i vif5.0 -j ACCEPT   # Dom B MAC & vif
ebtables -A FORWARD -o vif5.0 -j DROP

ebtables -A FORWARD -o vif6.0 -j ACCEPT                 # Dom A vif
ebtables -A FORWARD -i vif6.0 -j ACCEPT                 # Dom A vif

Here is what the bridge looks like:

# brctl show
bridge name     bridge id               STP enabled     interfaces
eth0            8000.90e6ba36355f       no              peth0

# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 5, policy: DROP
-d 0:16:3e:4a:17:0/ff:ff:ff:ff:ff:0 -o vif5.0 -j ACCEPT
-s 0:16:3e:4a:17:0/ff:ff:ff:ff:ff:0 -i vif5.0 -j ACCEPT
-o vif5.0 -j DROP
-o vif6.0 -j ACCEPT
-i vif6.0 -j ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

I test the setup by running tcpdump on the DomUs and sending ICMP requests (a simple ping) to the DomUs from a machine outside the Dom0.

DomU A works as expected and receives all traffic.
DomU B receives the reply packets from Dom0.
DomU C is unable to communicate with other hosts but also receives reply packets from Dom0.

So my problem is how to stop DomU B & C from receiving reply packets not dedicated to them.

Any ideas or new concepts would be appreciated.


Michael Stegk
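Added example, not the post's or Xen's own code: a POSIX shell function that prints the brctl and ebtables commands for the mirror-port setup described above, giving the ebtables OUTPUT chain a default DROP as well, because frames Dom0 generates itself (such as the ping replies the post mentions) traverse OUTPUT rather than FORWARD, and OUTPUT has policy ACCEPT in the listing. It assumes bridge eth0 with uplink peth0, the IDS on vif6.0 and DomU B on vif5.0 with the MAC from the post; vif7.0 and its MAC for DomU C are made-up placeholders.

```shell
#!/bin/sh
# Added example, not from the post: print the brctl/ebtables commands for a
# Xen bridge "mirror port". Assumed layout: bridge eth0 (as in the post),
# IDS on vif6.0, DomU B on vif5.0 with MAC 00:16:3e:4a:17:95; other guests
# are passed as "vif=mac" pairs (vif7.0 below is a made-up port for DomU C).
BRIDGE=eth0

# mirror_rules IDS_VIF [VIF=MAC ...]  -> one command per line on stdout.
mirror_rules() {
    ids=$1; shift
    # Ageing 0 makes the bridge flood every frame to every port (hub mode);
    # that is what lets the IDS port see all traffic.
    echo "brctl setageing $BRIDGE 0"
    # FORWARD only sees frames bridged between ports (vifs, peth0). Frames
    # Dom0 generates itself, such as its ping replies, go through OUTPUT,
    # so OUTPUT needs a default DROP too or they still flood every guest.
    echo "ebtables -P FORWARD DROP"
    echo "ebtables -P OUTPUT DROP"
    # The IDS port may receive everything.
    echo "ebtables -A FORWARD -o $ids -j ACCEPT"
    echo "ebtables -A OUTPUT -o $ids -j ACCEPT"
    # Broadcast (ARP requests, DHCP) must still reach every port.
    echo "ebtables -A FORWARD -d ff:ff:ff:ff:ff:ff -j ACCEPT"
    echo "ebtables -A OUTPUT -d ff:ff:ff:ff:ff:ff -j ACCEPT"
    # Each remaining guest only gets unicast frames addressed to its own
    # MAC. Match on the egress port: with flooding, every copy of a frame
    # passes the chain once per destination port, so the other copies drop.
    for spec in "$@"; do
        vif=${spec%%=*}
        mac=${spec#*=}
        echo "ebtables -A FORWARD -o $vif -d $mac -j ACCEPT"
        echo "ebtables -A OUTPUT -o $vif -d $mac -j ACCEPT"
    done
    # The physical uplink keeps receiving everything, as on a real hub.
    echo "ebtables -A FORWARD -o peth0 -j ACCEPT"
    echo "ebtables -A OUTPUT -o peth0 -j ACCEPT"
}

# Review the printed set first, then apply it as root by piping it to sh:
# mirror_rules vif6.0 vif5.0=00:16:3e:4a:17:95 vif7.0=00:16:3e:4a:17:96 | sh
```

Unicast frames from any guest still reach the IDS port through the `-o vif6.0` rules, while the copies flooded to the other guests are dropped by the chain policies unless addressed to that guest's MAC.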

Xen-users mailing list


