

Re: [Xen-users] Re: Network isolation - PCI passthrough question

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Re: Network isolation - PCI passthrough question
From: Jean Baptiste FAVRE <xen-users@xxxxxxxxxxx>
Date: Mon, 20 Dec 2010 22:45:04 +0100
Delivery-date: Mon, 20 Dec 2010 13:45:02 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4D0FB526.6080906@xxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <4D0F6353.9020305@xxxxxxxxxxx> <ienqak$hic$1@xxxxxxxxxxxxxxx> <4D0F6E75.9060704@xxxxxxxxxxx> <ienv5g$bdh$1@xxxxxxxxxxxxxxx> <4D0F8314.4020908@xxxxxxxxxxx> <ieo1ei$nnd$1@xxxxxxxxxxxxxxx> <4D0FB526.6080906@xxxxxxxxxxxxxxx>
Reply-to: xen-users@xxxxxxxxxxxxxxxxxxx
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/20101213 Lightning/1.0b2 Icedove/3.1.7
On 20/12/2010 20:57, dave wrote:
> Let's see if I understand, something like:
> domU (eth0) -> (PCI passthru) -> nic0
> This domU will be like an appliance firewall; eth0, which is directly
> configured to pci-dev nic0, is effectively the WAN interface of the domU
> firewall.
> Other domU VMs are on the LAN side of the firewall, so you need a "virtual LAN".
> Bridging to the lo interface can be problematic. Instead, from dom0,
> configure several 'tap' interfaces (see tunctl), and those can act as the
> LAN interface of the firewall domU and the interfaces of all other domU
> VMs. They can all be bridged together:
> tunctl -t tap0
> tunctl -t tap1
> ...
> # then
> brctl addbr tap-br0
> brctl addif tap-br0 tap0
> brctl addif tap-br0 tap1
> ...
> Then assign tap0 to the firewall domU, tap1 to the first domU VM, ...
> Is this what you're trying to accomplish?

Yes, it's more or less what I'm trying to do. In an ideal world, I would
like dom0 to be completely unaware of the domU network. But I realize I need
it to be able to attach the domU's NICs to the bridge.

As far as I have seen, there is no way to attach a domU NIC directly to
my firewall domU. So dom0 will always have access to the network traffic
from domU, right?


Xen-users mailing list
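A scripted version of the tap-and-bridge recipe quoted above, added here as an example (it is not code from the thread). It assumes tunctl, brctl and iproute2 are available in dom0, takes the bridge name and tap count as arguments, and adds a check that dom0 has configured no address on the bridge, so dom0 acts as a switch on the guest LAN rather than a host on it.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the "virtual LAN" from dom0:
# tap0 is the firewall domU's LAN side, tap1..tapN go to the other guests.
# DRY_RUN=1 only prints the commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# make_lan BRIDGE COUNT
# Creates BRIDGE, COUNT persistent tap devices, enslaves them and brings
# everything up. Deliberately never assigns an IP address to BRIDGE in
# dom0: dom0 forwards the frames but is not an endpoint on that segment.
make_lan() {
    bridge=$1
    count=$2
    run brctl addbr "$bridge"
    i=0
    while [ "$i" -lt "$count" ]; do
        run tunctl -t "tap$i"
        run brctl addif "$bridge" "tap$i"
        run ip link set "tap$i" up
        i=$((i + 1))
    done
    run ip link set "$bridge" up
}

# check_no_address BRIDGE ADDR_OUTPUT
# ADDR_OUTPUT is the text of `ip -o addr show dev BRIDGE` (captured by
# the caller). Returns 0 when no inet/inet6 address is bound to BRIDGE,
# 1 when dom0 has been given an address on the guest LAN.
check_no_address() {
    printf '%s\n' "$2" | grep -q "$1.*inet" && return 1
    return 0
}
```

Keeping dom0 off the bridge as a host only stops it from being reachable on the guest LAN; as the reply above notes, a bridge living in dom0 still lets dom0 observe every frame it forwards.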