This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] Re: Network isolation - PCI passthrough question

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Re: Network isolation - PCI passthrough question
From: Jean Baptiste FAVRE <xen-users@xxxxxxxxxxx>
Date: Mon, 20 Dec 2010 15:55:49 +0100

On 20/12/2010 15:47, Mike Fröhner wrote:
> On 20.12.2010 15:08, Jean Baptiste FAVRE wrote:
>> Hello,
>> I'm thinking about using PCI passthrough to dedicate a domU as a firewall.
>> I understand PCI passthrough concept. When done, my domU will see
>> network card and the dom0 won't any more. So I'll be able to filter all
>> traffic from outside, since it will go through network domU.
>> Then, how will I be able to connect other domU (and maybe dom0) to the
>> network domU?
>> In a normal way, creating a domU makes dom0 create vif interfaces and
>> bridge them (in my configuration). But once the network is isolated in a
>> specific domU, dom0 won't be able to interact with it, will it?
> How many network cards do you have in this computer? I think you'll need
> at least 2 nics. One for dom0 and domU (vif) to communicate and one for
> PCI passthrough. As you understood correctly, dom0 won't see the PCI
> passthrough nic.
>> Any link/help/explanation appreciated.
>> Regards,
>> JB


For now, I have 2 nics within a bond interface.
What I would like to achieve is to have a dedicated domU acting as
firewall for all other domU, like in the Qubes-os project.
That means I want to pass through both nics to one domU called "netDomU"
and connect all "regular" domU networks to "netDomU".

But since dom0 won't see any network card, how can I create vif interfaces?

But maybe PCI passthrough won't be the solution for that purpose?

