This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] Network isolation - PCI passthrough question

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Network isolation - PCI passthrough question
From: "J. Roeleveld" <joost@xxxxxxxxxxxx>
Date: Tue, 21 Dec 2010 08:37:05 +0100
Delivery-date: Mon, 20 Dec 2010 23:38:26 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4D0F6353.9020305@xxxxxxxxxxx>
References: <4D0F6353.9020305@xxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: KMail/1.13.5 (Linux/2.6.30-gentoo-r5; KDE/4.4.5; x86_64; ; )
On Monday 20 December 2010 15:08:19 Jean Baptiste FAVRE wrote:
> Hello,
> I'm thinking about using PCI passthrough to dedicate a domU as a firewall.
> I understand the PCI passthrough concept. When done, my domU will see the
> network card and the dom0 won't any more. So I'll be able to filter all
> traffic from outside, since it will go through the network domU.
> Then, how will I be able to connect other domUs (and maybe dom0) to the
> network domU?
> Normally, creating a domU makes dom0 create vif interfaces and
> bridge them (in my configuration). But once the network is isolated in a
> specific domU, dom0 won't be able to interact with it, will it?
> Any link/help/explanation appreciated.
> Regards,
> JB

I actually do it this way. All the network devices are exported to my
firewall-domain and I can still access the dom0 (where the firewall allows it).

Have a look at the "dummy" network interface. It works "just" like a normal
NIC, e.g. you can assign it an IP and you can add it to a bridge.
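
The dom0 side of the layout described in the reply above, as an added example that is not part of the original post: a dummy interface anchors an internal bridge, and an audit function checks that nothing except the dummy and Xen backend interfaces is attached to it. The names `xenbr1`, `dummy0` and the address `192.0.2.1/24` are constructed placeholders, and putting the dom0 address on the bridge rather than on the dummy interface is an assumption of this sketch.

```shell
#!/bin/sh
# Added example, run in dom0. All names and addresses are constructed placeholders.
BRIDGE="${BRIDGE:-xenbr1}"              # internal bridge the domU vifs attach to
DUMMY="${DUMMY:-dummy0}"                # stands in for the NIC given to the firewall domU
DOM0_ADDR="${DOM0_ADDR:-192.0.2.1/24}"  # dom0's address on the internal segment

# Print the iproute2 commands that build the bridge around the dummy interface.
# Guests (and the firewall domU's inner side) then use: vif = ['bridge=xenbr1']
plan_internal_bridge() {
    cat <<EOF
ip link add $DUMMY type dummy
ip link add name $BRIDGE type bridge
ip link set $DUMMY master $BRIDGE
ip addr add $DOM0_ADDR dev $BRIDGE
ip link set $DUMMY up
ip link set $BRIDGE up
EOF
}

# Return 0 only if every port passed in is the dummy interface or a Xen backend
# (vifN.M; tapN.M is assumed here for emulated HVM NICs). Any other port, such
# as eth0, would put traffic on the segment without passing the firewall domU.
audit_bridge_ports() {
    for port in "$@"; do
        case "$port" in
            "$DUMMY") ;;
            vif[0-9]*.[0-9]*|tap[0-9]*.[0-9]*) ;;
            *) echo "unexpected port on $BRIDGE: $port" >&2; return 1 ;;
        esac
    done
    return 0
}

if [ "${APPLY:-0}" = 1 ]; then
    # Needs root: create the bridge, then audit what is attached to it.
    plan_internal_bridge | sh -e
    audit_bridge_ports $(ls "/sys/class/net/$BRIDGE/brif")
else
    plan_internal_bridge    # dry run: show what would be executed
fi
```

Without `APPLY=1` the script only prints the commands; the audit can be rerun after guests start to confirm that only `vif` backends have joined the bridge.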

