[CentOS-virt] Xen List

Thu Apr 17 19:32:06 UTC 2008
Ross S. W. Walker <rwalker at medallion.com>

Joseph L. Casale wrote:
> >What's your pciback/bridging issue(s) maybe I can help.
> >
> >-Ross
> I would be more grateful then you can imagine:) As far as the 
> pci stuff goes I have to get home and dig my notes out (based 
> on your help from before), likely you'll spot my blunder once 
> I iterate all I have done.
> As far as the bonding issue goes, I am stuck on the following 
> scenario:
> I have two physical nics. I want the first setup like it 
> would by default when using Xen3.2, it creates a bridge 
> "eth0" and gets renamed to peth0 (That's good). I connect all 
> my guests "Lan" nic to the vifs associated to this bridge.

Ok, so we'll leave that NIC as-is.

> I want the other nic to be in a bridge, but not have any ip 
> or connectivity outside the bridge especially to the host. It 
> will plug into a DSL modem and a vif associated to this 
> bridge will be the red interface on a Linux firewall (Lab 
> only environment). My custom bridge script is as follows:
> #!/bin/sh
> dir=$(dirname "$0")
> "$dir/network-bridge" "$@" vifnum=0 netdev=eth0 bridge=eth0
> "$dir/network-bridge" "$@" vifnum=1 netdev=eth1 bridge=eth1
> "$dir/network-bridge" "$@" vifnum=2 netdev=dummy0 bridge=eth3 
>   #Test lan
> This is working, but how do I make sure the isolation is as I 
> expect? Give the nic (eth1) an IP of Is that very 
> secure? I had an ip for testing although the nic wasn't 
> plugged into a switch, when I did an ifconfig I didn't see 
> the eth1/peth1 untill I did an ifconfig -a? Was that because 
> of the media sense? Also, dummy0 is just a test lan for 
> isolation so hosts can only see themselves. How could I also 
> make sure packets never see the host?

What happens if you just remove the ifcfg file for this
interface? What does Xen do with it? What if you have an
ifcfg file, but setup no IP address on it?

Of course you can pass the NIC through to the PVM which
I suspect is what you are thinking of doing.

> (Now to find another Linux firewall appliance as I was using 
> pfSense and it doesnt play nice with Xen)

There is shorewall which is in the repo. Or maybe smoothwall
can run inside a PVM?


This e-mail, and any attachments thereto, is intended only for use by
the addressee(s) named herein and may contain legally privileged
and/or confidential information. If you are not the intended recipient
of this e-mail, you are hereby notified that any dissemination,
distribution or copying of this e-mail, and any attachments thereto,
is strictly prohibited. If you have received this e-mail in error,
please immediately notify the sender and permanently delete the
original and any copy or printout thereof.