[pve-devel] pve-firewall: container problem
Alexandre DERUMIER
aderumier at odiso.com
Tue Mar 4 20:23:50 CET 2014
>> What do you think about that?
Good idea, but I think that it should be tested (mainly with multicast, igmp querier, ...)
mainly also test that we could provide dhcp from this ip on veth (if we implement a dhcp later this year)
It could be great too, if one day we use the new vlan bridge filtering feature, so it could be possible to assign 1 vlan per veth-bridgeport
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday, 4 March 2014 18:52:07
Subject: RE: pve-firewall: container problem
I really wonder if we can simply forbid assigning an IP to a bridge.
Instead we force the user to add an additional veth device to the
bridge, so he can configure the IP on that interface.
That idea is from http://shorewall.net/bridge-Shorewall-perl.html
What do you think about that?
> >>Any idea how to handle that?
>
> I haven't checked openvz for the moment.
> I'll try to do tests this week
>
> ----- Original Message -----
>
> From: "Dietmar Maurer" <dietmar at proxmox.com>
> To: "Alexandre DERUMIER (aderumier at odiso.com)"
> <aderumier at odiso.com>, pve-devel at pve.proxmox.com
> Sent: Tuesday, 4 March 2014 16:13:15
> Subject: pve-firewall: container problem
>
> Seems we cannot filter traffic from containers to KVM VM correctly:
>
> venet => vmbrX/tapXiY
>
> because of the known physdev match restrictions.
>
> Any idea how to handle that?