[pve-devel] pvefw: masquerade problems and conntrack zones

Dietmar Maurer dietmar at proxmox.com
Tue Mar 11 16:34:49 CET 2014


> >>yes, I want it ;-) And it seems we can do it with the veth setup.
> Ah ok! Seems more clear now.
> 
> Isn't veth too much overhead? (I'm a bit worried about veth performance,
> see http://www.opencloudblog.com/?p=96)

I want a fully functional implementation first. We can optimize later.

Everything is better than requiring an external firewall.

Also, I thought you wanted to write an ultra-fast OVS controller to do that job ;-)

> Couldn't we scan the bridges' ARP tables and make rules with IPs? (at least for
> routed guests) (or manage guest IPs in VM configs)

I guess ARP is not very reliable, and we currently do not even have IPs on network interfaces.

IMHO it is better to spend time writing an OVS controller instead of adding such hacks.


