Hello list,

I'm having trouble getting my firewall working on dom0. I do not have any domUs set up yet, it is just the primary dom0 running.

I had a firewall script that worked great and did what I needed it to before I installed Xen. However, after installing Xen, it seems to block all incoming traffic (including pings). Previously it allowed incoming ssh, smtp, http, etc. The script uses iptables.

I have not changed anything in the firewall script. Since it still uses the same ip address and the ip is still assigned to the same eth0 NIC, it seems like I shouldn't need to change anything in the firewall script. But it doesn't seem to be working that way.

Do I need to tell the firewall about any of the xenbrX or vifX.X interfaces or anything to get it to work? Ip_tables is obviously compiled into the kernel, and I can see it is loaded when I check with an lsmod. I can post the iptables rules here if needed, but didn't want to make the e-mail extra long if it's not needed.

TIA,
Jacob

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On Fri, 7 Apr 2006 09:04:06 -0500
Jacob S <stormspotter@6Texans.net> wrote:

> Hello list,
>
> I'm having trouble getting my firewall working on dom0. I do not have
> any domUs set up yet, it is just the primary dom0 running.
>
> I had a firewall script that worked great and did what I needed it to
> before I installed Xen. However, after installing Xen, it seems to
> block all incoming traffic (including pings). Previously it allowed
> incoming ssh, smtp, http, etc. The script uses iptables.
>
> I have not changed anything in the firewall script. Since it still
> uses the same ip address and the ip is still assigned to the same
> eth0 NIC, it seems like I shouldn't need to change anything in the
> firewall script. But it doesn't seem to be working that way.
>
> Do I need to tell the firewall about any of the xenbrX or vifX.X
> interfaces or anything to get it to work? Ip_tables is obviously
> compiled into the kernel, and I can see it is loaded when I check with
> an lsmod. I can post the iptables rules here if needed, but didn't
> want to make the e-mail extra long if it's not needed.

Thanks to someone that e-mailed me off-list, I was able to get the firewall working by switching to network-route instead of the default network-bridge in xend-config.sxp.

So, now my question is, is it expected for network-bridge to be incompatible with iptables, or is this a bug?

Thanks,
Jacob
I am trying to configure a DOMU (sles10) to use a physical NIC. This is what I have done, and am getting an error. Am I missing a step?

Added the pciback.hide to the xen boot.

  title XEN
    root (hd0,1)
    kernel /boot/xen.gz
    module /boot/vmlinuz-xen root=/dev/sda2 vga=0x314 selinux=0 resume=/dev/sda1 splash=silent showopts pciback.hide=(02:06.0) (02:06.1)
    module /boot/initrd-xen

NEXT ....

Rebooted to Xen then tried to load a sles10 b9 with the PCI device, and I get a pci failed error (see below).

  gdHost-b9:/data1 # xm create -c b9-yast3.conf pci=02:06.0
  Using config file "b9-yast3.conf".
  Copy kernel /boot/vmlinuz-xen from hda2 to /var/lib/xen/tmp/vmlinuz.HbFXK3 for booting
  Error: <Fault 2: "pci: failed to locate device and parse it's resources - %s[Errno 2] No such file or directory: '/sys/bus/pci/devices/0000:02:06.0/driver'">
On Friday 07 April 2006 10:44, Jacob S wrote:

> So, now my question is, is it expected for network-bridge to be
> incompatible with iptables, or is this a bug?

Neither -- it is rather your lack of understanding of how bridges (like the one created by xend) and iptables/Netfilter interact.

When your kernel is compiled with CONFIG_BRIDGE_NETFILTER=y, traffic passing through bridges is processed by Netfilter. When xend starts, it creates a bridge (xenbr0) through which all traffic into and out of eth0 flows. See the first part of http://www.shorewall.net/Xen.html for details.

So to make your existing script work in dom0, at the very least you need to add:

  $IPTABLES -A FORWARD -i xenbr0 -o xenbr0 -j ACCEPT

Configuring a secure firewall in dom0 that also controls traffic to/from the domUs is a rather complex task -- I find it easier to run my firewall in a domU (see http://www.shorewall.net/XenMyWay.html).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
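The following is an added example, not Tom's script or anything shipped with Xen or Shorewall. It is a minimal dom0 firewall for the situation in this thread (incoming ssh, smtp and http allowed, everything else dropped) written so that it also works once xend has put the bridge in place. It assumes the Xen 3.0 network-bridge layout in which the bridge is named xenbr0 and dom0 keeps its address on eth0, with eth0 and the physical NIC both ports of that bridge; the bridge name and service ports are variables (my assumptions, not from the thread) so they can be adjusted. The rules are emitted in iptables-save format so they can be inspected without root and fed to iptables-restore on the host, and a small check shows whether an existing ruleset would drop bridged frames the way Jacob's pre-Xen script did.

```shell
#!/bin/sh
# Added example (not from the thread or from Xen): a dom0 firewall script that
# works with Xen's network-bridge setup. Assumptions, none stated in the thread:
# the bridge is called xenbr0, dom0 keeps its address on eth0, and eth0 is a
# port of the bridge together with the physical NIC. Adjust BRIDGE/SERVICES.
BRIDGE=${BRIDGE:-xenbr0}
SERVICES=${SERVICES:-"22 25 80"}   # incoming ssh, smtp, http to dom0

# Emit the ruleset in iptables-save format so it can be fed to iptables-restore
# (or inspected without root).
dom0_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    for port in $SERVICES; do
        echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
# With CONFIG_BRIDGE_NETFILTER=y every frame crossing the bridge traverses
# FORWARD. Without this rule a DROP policy silently eats everything crossing
# $BRIDGE, which is exactly the "blocks all incoming traffic" symptom.
-A FORWARD -i $BRIDGE -o $BRIDGE -j ACCEPT
COMMIT
EOF
}

# Check an existing ruleset (iptables-save output on stdin): exit 0 if it lets
# frames cross the bridge, 1 if the old pre-Xen script would drop them.
bridge_forward_ok() {
    grep -Eq -- "^-A FORWARD .*-i $BRIDGE .*-o $BRIDGE .*-j ACCEPT"
}

# Usage on dom0 (as root):
#   sh dom0-fw.sh show                    # print the rules
#   sh dom0-fw.sh apply                   # load them
#   iptables-save | sh dom0-fw.sh check   # does the running ruleset allow bridging?
case "${1:-}" in
    show)  dom0_rules ;;
    apply) dom0_rules | iptables-restore ;;
    check) if bridge_forward_ok; then
               echo "bridge forwarding allowed"
           else
               echo "bridge forwarding blocked: add -A FORWARD -i $BRIDGE -o $BRIDGE -j ACCEPT"
               exit 1
           fi ;;
esac
```

The FORWARD rule is the accept-everything form Tom gives: it lets any frame cross the bridge in either direction, which is what restores dom0's own inbound ssh/smtp/http. It does not filter traffic to or from domUs at all; doing that from dom0 is the "rather complex task" Tom refers to, and the thread's answer is to run the firewall in a domU instead.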
Hi Tom,

My current setup looks like yours. But my DomU firewall gets the real NICs by hiding them from Dom0 and passing them to the DomU via pcipassthrough. I think if you did something like that you would be able to plug your wireless network on the Firewall DomU, without the need for the wireless gateway.

My file server runs on a DomU too, and it has control of the SATA HD, but this is another story...

> Configuring a secure firewall in dom0 that also controls traffic
> to/from the domUs is a rather complex task -- I find it easier to run
> my firewall in a domU (see http://www.shorewall.net/XenMyWay.html).
>
> -Tom

--
Christian Lyra
POP-PR - RNP
http://lyra.soueu.com.br

Thus spake the master programmer: "It is time for you to leave."
  The Tao Of Programming
On Friday 07 April 2006 14:15, Christian Lyra wrote:

> Hi Tom,
>
> My current setup looks like yours. But my DomU firewall gets the real
> NICs by hiding them from Dom0 and passing them to the DomU via
> pcipassthrough. I think if you did something like that you would be
> able to plug your wireless network on the Firewall DomU, without the need
> for the wireless gateway.

Hi Christian,

I currently run SuSE 10.0 which includes Xen 3.0 -- pcipassthrough isn't available in that Xen version which is why I use the multi-bridge setup. All of that is explained in the text of the article.

-Tom
Are you on xen-unstable? The parameters look correct, are you trying this coming out of a resume or from a cold boot?

--
Jason
The place where you made your stand never mattered, only that you were there... and still on your feet

On Fri, 7 Apr 2006, Glen Davis wrote:

> I am trying to configure a DOMU (sles10) to use a physical NIC. This is
> what I have done, and am getting an error. Am I missing a step?
>
> Added the pciback.hide to the xen boot.
>
>   title XEN
>     root (hd0,1)
>     kernel /boot/xen.gz
>     module /boot/vmlinuz-xen root=/dev/sda2 vga=0x314 selinux=0 resume=/dev/sda1 splash=silent showopts pciback.hide=(02:06.0) (02:06.1)
>     module /boot/initrd-xen
>
> NEXT ....
>
> Rebooted to Xen then tried to load a sles10 b9 with the PCI device, and
> I get a pci failed error (see below).
>
>   gdHost-b9:/data1 # xm create -c b9-yast3.conf pci=02:06.0
>   Using config file "b9-yast3.conf".
>   Copy kernel /boot/vmlinuz-xen from hda2 to /var/lib/xen/tmp/vmlinuz.HbFXK3 for booting
>   Error: <Fault 2: "pci: failed to locate device and parse it's resources - %s[Errno 2] No such file or directory: '/sys/bus/pci/devices/0000:02:06.0/driver'">
On Fri, 2006-04-07 at 13:23 -0600, Glen Davis wrote:

> I am trying to configure a DOMU (sles10) to use a physical NIC. This is
> what I have done, and am getting an error. Am I missing a step?
>
> Added the pciback.hide to the xen boot.
>
>   title XEN
>     root (hd0,1)
>     kernel /boot/xen.gz
>     module /boot/vmlinuz-xen root=/dev/sda2 vga=0x314 selinux=0 resume=/dev/sda1 splash=silent showopts pciback.hide=(02:06.0) (02:06.1)
>     module /boot/initrd-xen
>
> NEXT ....
>
> Rebooted to Xen then tried to load a sles10 b9 with the PCI device, and
> I get a pci failed error (see below).
>
>   gdHost-b9:/data1 # xm create -c b9-yast3.conf pci=02:06.0
>   Using config file "b9-yast3.conf".
>   Copy kernel /boot/vmlinuz-xen from hda2 to /var/lib/xen/tmp/vmlinuz.HbFXK3 for booting
>   Error: <Fault 2: "pci: failed to locate device and parse it's resources - %s[Errno 2] No such file or directory: '/sys/bus/pci/devices/0000:02:06.0/driver'">

Glen,

It appears that your PCI device didn't bind to the pci backend driver (actually, based on that error message, it appears your device didn't bind to any driver). If you list the contents of the '/sys/bus/pci/drivers/pciback' directory, you should see some (symlink-ed) entries to the devices that the PCI backend "owns". If you don't see your device (02:06.0) among them, then you'll need to manually bind it. Try:

  echo -n 0000:02:06.0 > /sys/bus/pci/drivers/pciback/bind

and then list the directory's contents. If that fails, check your kernel logs (dmesg) for any indication of the PCI backend trying to bind to the device (debug/error lines should start with "pciback").

Ryan
On Mon, 2006-04-10 at 09:48 -0600, Glen Davis wrote:

> Thanks, the 'echo -n 0000:02:06.0 > /sys/bus/pci/drivers/pciback/bind'
> was what I was missing. After doing that it all worked.
>
> One more question, when do devices normally get bound to a backend
> driver? Is this something that I should always manually do or should
> this have already been taken care of during the install of the server?

Glad that fixed your problem! (I hope you don't mind but I'm posting this back to xen-users so the solution to your problem is archived.)

Normally, devices get bound when the kernel boots. You specify them on the kernel command-line with "pciback.hide". Then, the pciback driver loads itself first on the kernel's list of PCI drivers so that it gets to be the first driver to "seize" a particular PCI device (this way, it gets the devices before the device driver for that device can seize it).

There could be a couple of reasons why this didn't work for you. One could be that the pciback module isn't correctly parsing your command-line parameter and seizing it. Try looking through the logs from when your kernel booted (dmesg) and see if you see any statements about the pciback driver. If not, you could try and re-compile your kernel with PCI Backend Debugging turned on (it's under the Xen menu) and see what's happening.

Another problem could be that pciback is compiled as a module instead of being built in to the kernel. This means that pciback can't load itself as first in the list of PCI drivers and it may not be able to seize all devices (other device drivers might get the device first because they're ahead of the pciback driver on the kernel's pci driver linked list). If the pciback module shows up in "lsmod", then this is most likely your problem and you'll have to do the manual bind every time (after first unbinding the device from any device driver it might have bound to first).

If you find out what's wrong, please let me know as I'm curious to know what the real issue is.

Ryan
Glen,

> linked list). If the pciback module shows up in "lsmod", then this is
> most likely your problem and you'll have to do the manual bind every
> time (after first unbinding the device from any device driver it might
> have bound to first).

FYI, there's a patch I posted a week or two ago allowing Xen to automatically do the binding / unbinding. You might want to take a look at it as it may at least save some effort on your part. If the problem is that pciback is a module, then compiling pciback statically into the kernel will fix your problem anyhow.

Cheers,
Mark

> If you find out what's wrong, please let me know as I'm curious to know
> what the real issue is.
>
> Ryan

--
Dave: Just a question. What use is a unicycle with no seat? And no pedals!
Mark: To answer a question with a question: What use is a skateboard?
Dave: Skateboards have wheels.
Mark: My wheel has a wheel!
On Fri, 7 Apr 2006 13:15:27 -0700
Tom Eastep <teastep@shorewall.net> wrote:

> On Friday 07 April 2006 10:44, Jacob S wrote:
> > So, now my question is, is it expected for network-bridge to be
> > incompatible with iptables, or is this a bug?
>
> Neither -- it is rather your lack of understanding of how bridges
> (like the one created by xend) and iptables/Netfilter interact.
>
> When your kernel is compiled with CONFIG_BRIDGE_NETFILTER=y, traffic
> passing through bridges is processed by Netfilter. When xend starts,
> it creates a bridge (xenbr0) through which all traffic into and out
> of eth0 flows. See the first part of
> http://www.shorewall.net/Xen.html for details.
>
> So to make your existing script work in dom0, at the very least you
> need to add:
>
>   $IPTABLES -A FORWARD -i xenbr0 -o xenbr0 -j ACCEPT
>
> Configuring a secure firewall in dom0 that also controls traffic
> to/from the domUs is a rather complex task -- I find it easier to run
> my firewall in a domU (see http://www.shorewall.net/XenMyWay.html).

Thanks, Tom. That looks like exactly what I was looking for. Great tutorials.

Jacob
> Tom Eastep <teastep@shorewall.net> wrote:
> > When xend starts,
> > it creates a bridge (xenbr0) through which all traffic into and out
> > of eth0 flows. See the first part of
> > http://www.shorewall.net/Xen.html for details.

Thanks for the link Tom.

Is this why I can't reuse my existing iptables rules in dom0? I assumed the stock xen3.0.1 dom0 kernel was missing some modules.

--
Rasputin :: Jack of All Trades - Master of Nuns
http://number9.hellooperator.net/
On Saturday 15 April 2006 04:53, Dick Davies wrote:

> > Tom Eastep <teastep@shorewall.net> wrote:
> > > When xend starts,
> > > it creates a bridge (xenbr0) through which all traffic into and out
> > > of eth0 flows. See the first part of
> > > http://www.shorewall.net/Xen.html for details.
>
> Thanks for the link Tom.
>
> Is this why I can't reuse my existing iptables rules in dom0?
> I assumed the stock xen3.0.1 dom0 kernel was missing some modules.

The reason that you can't use your existing iptables rules in a Xen dom0 is that the networking configuration after xend starts is different from the environment before xend starts (there is a bridge added and traffic passing through that bridge is visible to netfilter; there are also additional interfaces added but those interfaces have no IP configuration so they don't present a compatibility problem). In short, you cannot expect an existing set of iptables rules to work after you make a significant change to the network configuration of the host.

-Tom
Just FYI, you could reuse your existing iptables rules if you used the routed (vif-route) rather than the default bridged network setup.

Dick Davies wrote:

>> Tom Eastep <teastep@shorewall.net> wrote:
>>
>>> When xend starts,
>>> it creates a bridge (xenbr0) through which all traffic into and out
>>> of eth0 flows. See the first part of
>>> http://www.shorewall.net/Xen.html for details.
>
> Thanks for the link Tom.
>
> Is this why I can't reuse my existing iptables rules in dom0?
> I assumed the stock xen3.0.1 dom0 kernel was missing some modules.
>
> --
> Rasputin :: Jack of All Trades - Master of Nuns
> http://number9.hellooperator.net/

--
Yuri Pismerov, System Administrator
Armor Technologies (Canada) Inc.
P: 905 305 1946 (x.3519)
http://www.armorware.net
Privacy Protection Guaranteed!
On 15/04/06, Tom Eastep <teastep@shorewall.net> wrote:

> The reason that you can't use your existing iptables rules in a Xen dom0 is
> that the networking configuration after xend starts is different from the
> environment before xend starts (there is a bridge added and traffic passing
> through that bridge is visible to netfilter; there are also additional
> interfaces added but those interfaces have no IP configuration so they don't
> present a compatibility problem).

Thanks, just found http://wiki.xensource.com/xenwiki/XenNetworking on the wiki. Makes a lot more sense than the mental model I was working from :)

--
Rasputin :: Jack of All Trades - Master of Nuns
http://number9.hellooperator.net/
Hi Ryan,

I am having similar troubles with pci passthrough and would be grateful if you could possibly point me in the right direction. I am trying to pass a FXS/FXO card to a DomU for Asterisk. Its PCI address is 02:02.0

  title=Xen 3.0.2 Gentoo Linux (2.6.16-xen-r1)
  root(hd0,0)
  kernel /xen.gz dom0_mem=256144 pciback.hide=(02:02.0) ro nloopbacks=1 console=vga
  module /vmlinuz-2.6.16.1-xen udev dolvm2 root=/dev/sda2 ro lockd.nlm_udpport=4001 lockd.nlm_tcpport=4001 vga=0x314
  module /System.map-2.6.16.1-xen

  # lspci
  00:00.0 Host bridge: Broadcom GCNB-LE Host Bridge (rev 32)
  00:00.1 Host bridge: Broadcom GCNB-LE Host Bridge
  00:02.0 Ethernet controller: Intel Corporation 82540EM Gigabit Ethernet Controller (rev 02)
  00:04.0 Multimedia video controller: Brooktree Corporation Bt878 Video Capture (rev 11)
  00:04.1 Multimedia controller: Brooktree Corporation Bt878 Audio Capture (rev 11)
  00:06.0 Multimedia audio controller: Aureal Semiconductor Vortex 2 (rev fe)
  00:0e.0 VGA compatible controller: ATI Technologies Inc Rage XL (rev 27)
  00:0f.0 Host bridge: Broadcom CSB5 South Bridge (rev 93)
  00:0f.1 IDE interface: Broadcom CSB5 IDE Controller (rev 93)
  00:0f.2 USB Controller: Broadcom OSB4/CSB5 OHCI USB Controller (rev 05)
  00:0f.3 ISA bridge: Broadcom CSB5 LPC bridge
  00:10.0 Host bridge: Broadcom CIOB-X2 PCI-X I/O Bridge (rev 03)
  00:10.2 Host bridge: Broadcom CIOB-X2 PCI-X I/O Bridge (rev 03)
  01:06.0 Ethernet controller: Intel Corporation 82557/8/9 [Ethernet Pro 100] (rev 08)
  02:02.0 Network controller: Tiger Jet Network Inc. Tiger3XX Modem/ISDN interface
  02:04.0 I2O: Adaptec (formerly DPT) SmartRAID V Controller (rev 02)
  02:04.1 PCI bridge: Adaptec (formerly DPT) PCI Bridge (rev 02)

  # xm create /etc/xen/02io
  Using config file "/etc/xen/02io".
  Error: Error creating domain: pci: failed to locate device and parse it's resources - %s[Errno 2] No such file or directory: '/sys/bus/pci/devices/0000:02:02.0/driver'

  # ls /sys/bus/pci/devices/0000\:02\:02.0/
  bus     config  irq         modalias  resource   resource1         subsystem_vendor  vendor
  class   device  local_cpus  power     resource0  subsystem_device  uevent

  # echo -n 0000\:02\:02.0 > /sys/bus/pci/drivers/pciback/bind
  bash: echo: write error: No such device
  # echo -n '0000:02:02.0' > /sys/bus/pci/drivers/pciback/bind
  bash: echo: write error: No such device

  # dmesg | grep pci
  ACPI: bus type pci registered
  PCI: If a device doesn't work, try "pci=routeirq".  If it helps, post a report
  pciback 0000:00:00.0: probing...
  pciback 0000:00:00.1: probing...
  pciback 0000:00:02.0: probing...
  pciback 0000:00:04.0: probing...
  pciback 0000:00:04.1: probing...
  pciback 0000:00:06.0: probing...
  pciback 0000:00:0e.0: probing...
  pciback 0000:00:0f.0: probing...
  pciback 0000:00:0f.1: probing...
  pciback 0000:00:0f.2: probing...
  pciback 0000:00:0f.3: probing...
  pciback 0000:00:10.0: probing...
  pciback 0000:00:10.2: probing...
  pciback 0000:01:06.0: probing...
  pciback 0000:02:02.0: probing...
  pciback 0000:02:04.0: probing...
  pciback 0000:02:04.1: probing...
  PCI: MSI quirk detected. pci_msi_quirk set.
  PCI: MSI quirk detected. pci_msi_quirk set.
  pciback: pcistub_init_devices_late
  pciback 0000:02:02.0: probing...
  pciback 0000:02:02.0: probing...

Attached zipped kernel config.

Many thanks in advance,

Piers Dawson-Damer
http://web.mac.com/piersdd/iWeb/Five9s/ethereality/ethereality.html
piersdd@imap-mail.com
On Thu, 2006-04-20 at 14:18 +1000, Piers Dawson-Damer wrote:

> Hi Ryan,
> I am having similar troubles with pci passthrough and would be
> grateful if you could possibly point me in the right direction.
> I am trying to pass a FXS/FXO card to a DomU for Asterisk. Its PCI
> address is 02:02.0

Hi Piers,

I believe your problem is that you are including the "pciback.hide" line on the wrong line in your grub.conf file. It needs to be on the module line with your linux kernel, not the xen line. Because the pciback.hide kernel parameter is not being parsed correctly by Linux, the pci backend doesn't know to seize that device. You can manually add it using the late binding sysfs attributes that are now documented in the Xen 3.0.x user manual on the Xen website.

When the pci backend correctly parses the kernel parameter, you should see lines in your dmesg output that say something like "pciback: wants to seize 0000:02:02.0" (that will only show if you have the pci backend debugging compiled in, but it appears that you do).

Hope this helps!

Ryan
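The script below is an added example covering both pciback failures diagnosed in this thread (Ryan's replies to Glen and to Piers); it is not code from the thread, from the poster, or from Xen. It checks a grub.conf for `pciback.hide` placed on the `kernel /xen.gz` line instead of the Linux `module` line, lists the devices the pciback driver currently owns, and performs the manual late bind, first unbinding the device from whatever driver seized it when pciback, built as a module, lost the race at boot. The sysfs root is a variable (my assumption, default `/sys`) so the same functions can be exercised against a constructed sysfs tree without a Xen host; everything else uses only the paths the thread shows.

```shell
#!/bin/sh
# Added example (not from the thread or from Xen): helpers for the two failure
# modes Ryan diagnoses. SYSFS is parameterised (my assumption, default /sys) so
# the functions can also be exercised against a constructed sysfs tree.
SYSFS=${SYSFS:-/sys}

# Read a grub.conf/menu.lst on stdin and report, per title stanza, where
# pciback.hide sits. It must be on the Linux "module" line, which the dom0
# kernel parses; on the "kernel /xen.gz" line it is seen only by Xen and
# ignored. Prints "ok <title>" or "WRONG <title>"; exit 1 if any stanza is wrong.
grub_pciback_check() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*title/ { title = $0; sub(/^[ \t]*title[ \t=]*/, "", title) }
        /pciback\.hide/ {
            if ($1 == "kernel")      { print "WRONG " title; bad = 1 }
            else if ($1 == "module") { print "ok " title }
        }
        END { exit bad }
    '
}

# Name of the driver currently bound to a device (empty if none), taken from
# the /sys/bus/pci/devices/<bdf>/driver symlink that the xm error says is missing.
pci_driver_of() {
    dev="$SYSFS/bus/pci/devices/$1"
    if [ -L "$dev/driver" ]; then
        basename "$(readlink "$dev/driver")"
    fi
}

# Devices pciback owns: the device symlinks in its driver directory
# (the "ls /sys/bus/pci/drivers/pciback" check from the thread).
pciback_owned() {
    for d in "$SYSFS"/bus/pci/drivers/pciback/*:*.*; do
        if [ -e "$d" ]; then basename "$d"; fi
    done
}

# Hand a device to pciback. If another driver seized it first (the case when
# pciback is a module and lost the race at boot), unbind it there, then do the
# manual 'echo -n <bdf> > .../pciback/bind' from the thread. Returns non-zero
# if the device does not exist or pciback is not present.
pciback_bind() {
    bdf=$1
    dev="$SYSFS/bus/pci/devices/$bdf"
    drivers="$SYSFS/bus/pci/drivers"
    if [ ! -d "$dev" ]; then
        echo "pciback_bind: no device $bdf under $SYSFS" >&2; return 1
    fi
    if [ ! -d "$drivers/pciback" ]; then
        echo "pciback_bind: pciback driver not present; is it built in or loaded?" >&2; return 1
    fi
    cur=$(pci_driver_of "$bdf")
    case "$cur" in
        pciback) return 0 ;;                                   # already ours
        "")      ;;                                            # unbound, just bind
        *)       printf '%s' "$bdf" > "$drivers/$cur/unbind" ;;
    esac
    printf '%s' "$bdf" > "$drivers/pciback/bind"
}

# Usage on dom0 (as root):
#   sh pciback-fix.sh grub < /boot/grub/menu.lst
#   sh pciback-fix.sh owned
#   sh pciback-fix.sh bind 0000:02:06.0
case "${1:-}" in
    grub)  grub_pciback_check ;;
    owned) pciback_owned ;;
    bind)  pciback_bind "$2" ;;
esac
```

After a successful bind the kernel creates the `.../drivers/pciback/<bdf>` symlink, so `pciback_owned` is the confirmation step; if the write fails with "No such device" as in Piers' case, the device was never put on pciback's hide list at boot and the grub line, not the bind, is the thing to fix.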