hi,
You're aware that PCI passthrough is insecure? Someone who gets root access to a guest can reprogram the NICs (trivially) to read or write any area of memory in any guest or the dom0. This might be pertinent information if you were expecting your firewall to provide isolation.
nope. 1st i'm hearing of it ... not that i haven't looked :-/ sigh.
hrm.
so, although this is "just" a RH/Fedora forum, albeit xen-focussed, let me then ask ...
i *want* a distro with

-- X86_64/SMP (AMD multicore) support
-- Xen 3.2.x builds & runs both in Dom0 & DomU
-- capable of deploying a FW in DomU that does not suffer NIC-performance degradation -- or (apparently) security holes
-- stable core that'll keep us 'supported' (e.g., *not* the Fedora scenario i'm now facing; feature-incomplete until, perhaps, F10+, @ which point F8 -- which we're "stuck" on -- is unsupported)
-- app repos (rpm, srpm, other ...) that are safe/available/reliable for full releases (one example, Bind 9.4.2, which seems to be tough to find for RHEL/Centos 5.1)
*can* i (yet) "have it all"? iiuc, "no" ....