[pve-devel] pvefw: masquerade problems and conntrack zones

Alexandre DERUMIER aderumier at odiso.com
Tue Mar 11 17:10:51 CET 2014


>>I guess arp is not very reliable, and we currently do not even have IPs on network interfaces. 
>>
>>IMHO it is better to spent time to write an OVS controller instead of adding such hacks. 

Ok, sure, no problem. I'll try with veth, now that I understand correctly what you want.


----- Original Mail ----- 

From: "Dietmar Maurer" <dietmar at proxmox.com> 
To: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: pve-devel at pve.proxmox.com 
Sent: Tuesday 11 March 2014 16:34:49 
Subject: RE: [pve-devel] pvefw: masquerade problems and conntrack zones 

> >>yes, I want it ;-) And it seems we can do it with the veth setup. 
> Ah ok! Seems more clear now. 
> 
> isn't veth too much overhead? (I'm a bit worried about veth performance, 
> see http://www.opencloudblog.com/?p=96) 

I want a fully functional implementation first. We can optimize later. 

Everything is better than requiring an external firewall. 

Also, I thought you want to write an ultra-fast OVS controller to do that job ;-) 

> couldn't we scan bridges arp tables, and make rules with ips ? (at least for 
> routed guests) (or manage guests ips in vm configs) 

I guess arp is not very reliable, and we currently do not even have IPs on network interfaces. 

IMHO it is better to spend time to write an OVS controller instead of adding such hacks. 
