[pve-devel] pvefw: masquerade problems and conntrack zones
Alexandre DERUMIER
aderumier at odiso.com
Tue Mar 11 17:06:24 CET 2014
>>1.) They use a linux bridge to apply netfilter firewall.
Yes. (1 bridge per tap)
>>2.) They use an OVS bridge and plug in the linux bridge (using veth pair?)
Not anymore, because of performance problems. Now, they plug an ovsint port into the bridge.
>>3.) They use a (GRE) tunnel to a dedicated network host?
I'm not sure,
but they use GRE or VXLAN to have internal VM networks across hosts.
(This can also be done with kernel 3.10 and VXLAN.)
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday, 11 March 2014 17:00:03
Subject: RE: [pve-devel] pvefw: masquerade problems and conntrack zones
> > isn't veth too much overhead ? (I'm a bit worried about veth
> > performance, see http://www.opencloudblog.com/?p=96)
>
> People always compare performance of OVSIntPort with full-featured linux
> netfilter code.
BTW, do I understand the OpenStack network correctly?
1.) They use a linux bridge to apply netfilter firewall.
2.) They use an OVS bridge and plug in the linux bridge (using veth pair?)
3.) They use a (GRE) tunnel to a dedicated network host?
Not sure if that is correct, but I do not believe that is faster.