
Re: [Xen-users] Direct network traffic to Mini-OS domU

Thank you Simon, you've been very clear. But actually, I wanted all traffic to be forwarded from dom0 to domU. In my Mini-OS there's just one application which counts packets with a particular signature, nothing else.

You mentioned PCI-passthrough, which would be useful, I think. My goal now is not forwarding all packets from dom0 to domU anymore, but using Mini-OS as a sort of sniffer. It should count all packets with a determined signature (for example: TCP packets on port 80) headed to dom0 and passing through the physical interface eth0.

I was trying to find out if the Linux bridge implements a sort of port mirroring. But even if it does, all vifs attached to it have the same MAC address (fe:ff:ff:ff:ff:ff), so I wouldn't know how to set it up.

Is PCI-passthrough useful for my intent? How can I realize it?

Thank you again.


2013/10/3 Simon Hobson <linux@xxxxxxxxxxxxxxxx>
Luca Giacomoni wrote:
> I created a domU in which Mini-OS (with lwip) is run. I need to direct all the outbound network traffic to Mini-OS.

Are you trying to use this Mini-OS guest as a firewall?
The easy way to do it is to create two bridges - let's call them brint and brext.

brext will have two attached devices - eth0 of the host, and eth0 of the Mini-OS guest. The host does not need an IP address in this bridge if you don't need it to directly access the outside world.

brint will have an IP address for the host, and eth1 of the Mini-OS guest. You configure the Mini-OS as a two-port firewall and do all the routing, NAT, filtering there.
For all your other guests, attach them only to brint, and set their default gateway to be the internal address of the Mini-OS guest. All their traffic now goes through the firewall.

As an alternative, instead of setting up brext, you could use PCI-passthrough to make eth0 of the host directly accessible to the guest. That way, external traffic doesn't go through the host at all - apart from the low level PCIback virtualisation code. This is the setup I ran at home for some time - it's now slightly different as I use PPPoE on the firewall virtual machine.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users
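As an added illustration of the two-bridge layout Simon describes (this is not code from the thread or from the Xen project), the dom0-side setup below creates brext and brint with the classic bridge-utils/iproute2 commands and emits xl domain configs: the Mini-OS firewall guest gets one vif on each bridge, and every other guest gets a vif on brint only. The bridge names come from the thread; the host NIC name eth0, the Mini-OS kernel path, the dom0 address on brint and the domain names are assumptions. Running the script with the argument apply performs the bridge setup (root required); without arguments it only defines the functions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: dom0 setup for the
# brext/brint firewall layout. eth0, the kernel path, the brint address
# and the domain names below are assumed values.
set -eu

EXT_IF="${EXT_IF:-eth0}"            # host NIC attached to brext (assumed)
INT_ADDR="${INT_ADDR:-10.0.0.1/24}" # dom0 address on brint (assumed)

# Emit the vif line of an xl domain config, one vif per bridge, in order.
# Xen numbers the guest-side interfaces eth0, eth1, ... in this same order,
# so the first bridge named here becomes eth0 inside the guest.
vif_line() {
    out=""
    for br in "$@"; do
        [ -n "$out" ] && out="$out, "
        out="$out'bridge=$br'"
    done
    printf "vif = [ %s ]\n" "$out"
}

# xl config for the Mini-OS firewall guest: eth0 on brext, eth1 on brint.
firewall_cfg() {
    printf "name = 'fw'\n"
    printf "kernel = '/path/to/mini-os.gz'\n"   # assumed path
    printf "memory = 64\n"
    vif_line brext brint
}

# xl config for an ordinary guest: internal bridge only. Its default route
# must point at the firewall's brint address (configured inside the guest),
# so all of its traffic crosses the firewall before reaching eth0.
guest_cfg() {
    printf "name = '%s'\n" "$1"
    printf "memory = 512\n"
    vif_line brint
}

# Create both bridges on dom0. brext deliberately gets no dom0 address, so
# dom0 itself is not reachable from the outside via that bridge.
make_bridges() {
    brctl addbr brext
    brctl addif brext "$EXT_IF"
    ip link set "$EXT_IF" up
    ip link set brext up
    brctl addbr brint
    ip addr add "$INT_ADDR" dev brint
    ip link set brint up
}

# Check via sysfs that an interface is a member of the given bridge.
bridge_has_if() {
    [ -e "/sys/class/net/$1/brif/$2" ]
}

if [ "${1:-}" = apply ]; then
    make_bridges
    bridge_has_if brext "$EXT_IF" || { echo "brext is missing $EXT_IF" >&2; exit 1; }
    firewall_cfg > fw.cfg
    guest_cfg web > web.cfg
    echo "bridges created; start guests with: xl create fw.cfg; xl create web.cfg"
fi
```

Once the guests are running, the vifs Xen creates for the firewall domain (vifN.0 on brext, vifN.1 on brint) can be confirmed with bridge_has_if or brctl show; a guest on brint that still has a route out through dom0 would bypass the firewall, so the dom0 address on brint should not be used as anyone's default gateway.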
