
Re: [Xen-users] Re: Network isolation - PCI passthrough question



On 20/12/2010 17:10, Mike Fröhner wrote:
> On 20.12.2010 15:55, Jean Baptiste FAVRE wrote:
>> On 20/12/2010 15:47, Mike Fröhner wrote:
>>> On 20.12.2010 15:08, Jean Baptiste FAVRE wrote:
>>>> Hello,
>>>> I'm thinking about using PCI passthrough to dedicate a domU as firewall.
>>>>
>>>> I understand the PCI passthrough concept. When done, my domU will see the
>>>> network card and the dom0 won't any more. So I'll be able to filter all
>>>> traffic from outside, since it will go through the network domU.
>>>>
>>>> Then, how will I be able to connect other domUs (and maybe dom0) to the
>>>> network domU?
>>>>
>>>> In a normal way, creating a domU makes dom0 create vif interfaces and
>>>> bridge (in my configuration) them. But once the network is isolated in a
>>>> specific domU, dom0 won't be able to interact with it, will it?
>>>
>>> How many network cards do you have in this computer? I think you'll need
>>> at least 2 nics. One for dom0 and domU (vif) to communicate and one for
>>> PCI passthrough. As you understood right, dom0 won't see the PCI
>>> passthrough nic.
>>>>
>>>> Any link/help/explanation appreciated.
>>>>
>>>> Regards,
>>>> JB
>>
>> Hello,
>>
>> For now, I have 2 nics within a bond interface.
>> What I would like to achieve is to have a dedicated domU acting as
>> firewall for all other domUs, like in the Qubes-os project
>> (http://qubes-os.org/Home.html).
>> That means I want to pass through both nics to one domU called "netDomU"
>> and connect all "regular" domU networks to "netDomU".
>>
>> But since dom0 won't see any network card, how can I create vif
>> interfaces?
> 
> If I understood right, you want to simulate an office with different appVMs?
> 
> I think I got a solution for you:
> 
> The vif doesn't need a bridge from a real nic. You could also use a
> bridge on the lo-device for domU vifs.
> 
> There would be just one problem. The dom0 won't be directly accessible
> because it does not have an IP address. Perhaps it is possible to create
> another bridge for communication to the firewall (if it is a router).
> 
> This is really crazy stuff :)

Hello,
I like crazy stuff :)
But I still don't see how to achieve it.

I don't care about the dom0 network as it's just next to me (test machine) :)
But I do care about the domU network and I'm not sure I understand your "vif
bridged on lo-device".
Could you give more details?

Regards,
JB

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
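As an added illustration of the "bridge without a real nic" idea from Mike's quoted reply (this is example code, not anything posted in the thread): a POSIX shell script that prints the dom0 commands for an internal bridge with no physical port and no IP address, renders the Xen config for the firewall domU (both nics via `pci = [...]`, one vif on the internal bridge) and the vif line for the regular domUs, and checks a `brctl show` listing for physical interfaces that would bypass the firewall. The bridge name `xenbr-int`, the domain name `netDomU` and the PCI addresses `00:19.0`/`03:00.0` are assumed placeholders; the `brctl show` output is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the thread. Names below are assumptions:
# INT_BRIDGE is a dom0 bridge with no physical port, NET_DOMU is the
# firewall domU, NIC_BDFS are placeholder PCI addresses (take yours from lspci).
INT_BRIDGE="xenbr-int"
NET_DOMU="netDomU"
NIC_BDFS="00:19.0 03:00.0"

# dom0 side: a bridge with no nic and no IP address. Only vifs get attached,
# so dom0 itself has no path to the outside (the thread accepts that trade-off).
bridge_setup_cmds() {
    cat <<EOF
brctl addbr $INT_BRIDGE
brctl stp $INT_BRIDGE off
ip link set $INT_BRIDGE up
EOF
}

# Xen config for the firewall domU: every physical nic via PCI passthrough,
# plus one vif on the internal bridge. Inside this domU you enable forwarding
# and write the filtering policy between the passed-through nics and the vif.
netdomu_cfg() {
    pci_list=""
    for bdf in $NIC_BDFS; do
        pci_list="${pci_list:+$pci_list, }'$bdf'"
    done
    cat <<EOF
name = "$NET_DOMU"
pci = [ $pci_list ]
vif = [ 'bridge=$INT_BRIDGE' ]
EOF
}

# vif line for a regular domU: its only link is the internal bridge, so all
# of its traffic has to pass through the firewall domU.
appdomu_vif_cfg() {
    printf "vif = [ 'bridge=%s' ]\n" "$INT_BRIDGE"
}

# Isolation check: count ports of bridge $1 that are not vifs, reading a
# `brctl show` listing on stdin. Anything but 0 on the internal bridge means a
# physical interface (eth*, bond*) is attached to it and bypasses the firewall.
physical_ports_on_bridge() {
    awk -v want="$1" '
        NR == 1 { next }                    # header line
        NF >= 4 { br = $1; iface = $NF }    # bridge line with its first port
        NF == 3 { br = $1; iface = "" }     # bridge line with no ports
        NF == 1 { iface = $1 }              # continuation line: another port
        br == want && iface != "" && iface !~ /^vif/ { n++ }
        END { print n + 0 }'
}

# Constructed sample of `brctl show` output: the internal bridge carries only
# vifs, while the old xenbr0 still has bond0 attached.
SAMPLE_BRCTL_SHOW='bridge name     bridge id               STP enabled     interfaces
xenbr-int       8000.fe0000000001       no              vif1.0
                                                        vif2.0
xenbr0          8000.001122334455       no              bond0
                                                        vif3.0'

# Usage (as root in dom0): run `bridge_setup_cmds | sh` once, save the output
# of netdomu_cfg as the firewall domU config, add appdomu_vif_cfg to each
# regular domU config, then verify with:
#   brctl show | physical_ports_on_bridge xenbr-int     # expect 0
```

Passing both nics through also moves the bond into netDomU, so the bonding has to be configured there rather than in dom0; the check at the end is the one worth re-running after any bridge change, since a single physical interface left on the internal bridge silently undoes the isolation.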
