This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-users] Re: Network isolation - PCI passthrough question

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Re: Network isolation - PCI passthrough question
From: Mike Fröhner <mikefroehner@xxxxxx>
Date: Mon, 20 Dec 2010 17:49:21 +0100
Delivery-date: Mon, 20 Dec 2010 08:51:17 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4D0F8314.4020908@xxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <4D0F6353.9020305@xxxxxxxxxxx> <ienqak$hic$1@xxxxxxxxxxxxxxx> <4D0F6E75.9060704@xxxxxxxxxxx> <ienv5g$bdh$1@xxxxxxxxxxxxxxx> <4D0F8314.4020908@xxxxxxxxxxx>
Reply-to: mikefroehner@xxxxxx
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20101208 Lightning/1.0b2 Thunderbird/3.1.7
On 20.12.2010 17:23, Jean Baptiste FAVRE wrote:
On 20/12/2010 17:10, Mike Fröhner wrote:
On 20.12.2010 15:55, Jean Baptiste FAVRE wrote:
On 20/12/2010 15:47, Mike Fröhner wrote:
On 20.12.2010 15:08, Jean Baptiste FAVRE wrote:
I'm thinking about using PCI passthrough to dedicate a domU as a firewall.

I understand the PCI passthrough concept. When done, my domU will see the
network card and the dom0 won't any more. So I'll be able to filter all
traffic from outside, since it will go through the network domU.

Then, how will I be able to connect the other domUs (and maybe dom0) to the
network domU?

Normally, creating a domU makes dom0 create vif interfaces and bridge
them (in my configuration). But once the network is isolated in a
specific domU, dom0 won't be able to interact with it, will it?

How many network cards do you have in this computer? I think you'll need
at least 2 NICs: one for dom0 and the domUs (vif) to communicate and one for
PCI passthrough. As you understood right, dom0 won't see the PCI
passthrough NIC.

Any link/help/explanation appreciated.



For now, I have 2 nics within a bond interface.
What I would like to achieve is to have a dedicated domU acting as
firewall for all other domU like in Qubes-os project
That means I want to pass through both NICs to one domU called "netDomU"
and connect all "regular" domU networks to "netDomU".

But since dom0 won't see any network card, how can I create vif
interfaces?

If I understood right, you want to simulate an office with different appVMs?

I think I got a solution for you:

The vif doesn't need a bridge on a real NIC. You could also use a
bridge on the lo device for the domU vifs.

There would be just one problem. The dom0 won't be directly accessible
because it does not have an IP address. Perhaps it is possible to create
another bridge for communication to the firewall (if it is a router).

This is really crazy stuff :)

I like crazy stuff :)
But still don't see how to achieve it.

I don't care about dom0 network as it's just near me (test machine) :)
But I do care about domU network and I'm not sure I understand your "vif
bridged on lo-device".
Could you give more details?

Yes this crazy stuff sounds good :)

Normally I put the bridge for Xen's vifs (for the domUs) on a real network interface because they need to communicate with the dom0.

But you don't need that IP communication between domU and dom0. I am not sure (because I never did it) if it is possible to put a bridge on the loopback device (aka "lo"). That bridge on lo would be the bridge for the domU vifs. For example: vif = [ 'bridge=lobr' ]. If I am right, this bridge would work like a simple switch and Xen would create the vif ("put the cable into the switch") when you start an appVM. The networkVM would work like a router with firewall.


Xen-users mailing list
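The setup sketched in the thread, written out as an added example (not code from any of the posters or from the Xen project): an internal Linux bridge with no physical port and no dom0 address, the netDomU owning the real NICs via PCI passthrough and one vif on that bridge, appVMs with a vif on the bridge only, plus a check that dom0 really has no path onto the guest network. The bridge name "lobr", the guest names, the disk paths and the PCI addresses 03:00.0 / 04:00.0 are assumptions; take the real BDFs from lspci in dom0. Note that a Linux bridge does not need to sit "on lo" at all; a bridge with no enslaved physical interface already behaves as an isolated switch.

```shell
#!/bin/sh
# Added example for the "netDomU as firewall" layout discussed in the thread.
# Assumed names: bridge "lobr", guests "netDomU" and "work", placeholder
# PCI addresses 03:00.0 and 04:00.0. Run without arguments to print the
# guest configs; "--apply" creates the bridge and writes them (dom0, root);
# "--check" verifies the bridge is still isolated.
set -eu

BR=lobr

# dom0 side: a bridge with no physical port and no IP address. It acts as an
# unmanaged switch between the vifs; dom0 has no L3 presence on it. The NICs
# themselves must also be hidden from dom0's drivers, e.g. with the pciback
# hide option on the dom0 kernel command line (xen-pciback.hide=(03:00.0)(04:00.0)
# on pvops kernels; the parameter name depends on the dom0 kernel).
create_internal_bridge() {
    ip link add name "$BR" type bridge
    ip link set dev "$BR" up
    # No IPv6 link-local address either, so nothing in dom0 listens on the bridge.
    sysctl -q -w "net.ipv6.conf.${BR}.disable_ipv6=1"
}

# netDomU: gets the real NICs by PCI passthrough and one vif on the internal
# bridge. It is the only path between the appVMs and the outside world, so
# all filtering and routing happens inside this guest.
write_netdomu_cfg() {
    cat <<EOF
name = "netDomU"
memory = 512
disk = [ 'phy:/dev/vg0/netdomu,xvda,w' ]
# Placeholder BDFs (assumption); use the addresses shown by lspci in dom0.
pci = [ '03:00.0', '04:00.0' ]
vif = [ 'bridge=$BR' ]
EOF
}

# appVM: a vif on the internal bridge and nothing else. Inside the guest the
# default route points at netDomU's address on this bridge.
write_appvm_cfg() {
    cat <<EOF
name = "$1"
memory = 512
disk = [ 'phy:/dev/vg0/$1,xvda,w' ]
vif = [ 'bridge=$BR' ]
EOF
}

# Isolation check, run from dom0. Reads on stdin the combined output of
#   ip -o link show master lobr ; ip -o addr show dev lobr
# and fails if any bridge port is not a Xen vif (a physical NIC or bond would
# bypass netDomU) or if the bridge carries an IPv4/IPv6 address (dom0 would
# then be reachable from the guest network).
check_isolation() {
    awk -v br="$BR" '
        # "ip -o link" member lines: field 2 is the port name with a trailing
        # colon, e.g. "vif1.0:" (strip an "@parent" suffix for virtual devices).
        $2 ~ /:$/ {
            name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
            if (name !~ /^vif[0-9]+\.[0-9]+$/) {
                print "non-vif port on " br ": " name; bad = 1
            }
            next
        }
        # "ip -o addr" lines: field 3 is inet or inet6, field 4 the address.
        $3 ~ /^inet6?$/ { print "address on " br ": " $4; bad = 1 }
        END { exit bad + 0 }
    '
}

case "${1:-print}" in
    --apply)
        create_internal_bridge
        write_netdomu_cfg > /etc/xen/netDomU.cfg
        write_appvm_cfg work > /etc/xen/work.cfg
        ;;
    --check)
        { ip -o link show master "$BR"; ip -o addr show dev "$BR"; } | check_isolation
        ;;
    *)
        write_netdomu_cfg
        echo
        write_appvm_cfg work
        ;;
esac
```

The check is worth running after every reconfiguration: a NIC or bond accidentally enslaved to lobr, or a DHCP client grabbing an address on it, silently turns the "isolated" switch into a path around the firewall guest.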