Journal: 《计算机工程》 (Computer Engineering)

Design and Implementation of a Virtual Machine Firewall Based on SR-IOV

         

Abstract

During virtual network data transmission, frequent switching between user mode and kernel mode leads to multiple data copies between virtual domains, which seriously degrades network I/O performance. To address this, the paper proposes a design for a high-performance virtual machine firewall. It uses the high-performance data transfer of the SR-IOV specification, together with its filtering of received packets, so that a virtual domain interacts directly with the physical network card. Because a firewall running in a low-privilege virtual domain is vulnerable to attack, a monitoring module is deployed in the higher-privilege Xen layer to monitor the firewall inside the virtual domain in real time and protect it from illegal access. Experimental results show that using an SR-IOV network card raises the virtual machine's network I/O performance by more than 1x on average (more than double) relative to Xen's traditional network access mode, and that Xen with the monitoring module can prevent unauthorized access to and malicious tampering with the firewall, ensuring the firewall's security.
