[pve-devel] pvefw: masquerade problems and conntrack zones
Alexandre DERUMIER
aderumier at odiso.com
Wed Mar 12 01:41:34 CET 2014
>>It should be quite simple to implement such a setup. Do they use a single linux bridge, or a separate
>>bridge for each VM tap?
AFAIK, they use 1 bridge per tap (only when they use the hybrid network to enable iptables firewalling).
See the example here: http://openstack.redhat.com/Networking_in_too_much_detail#Compute_host:_instance_networking_.28A.2CB.2CC.29
>>Although I am not sure what we gain with such a setup?
I think because it's easier for them.
In any case, they have a central openvswitch, and they manage VLANs on the openvswitches.
So with the firewall, they just need to create a "1 internalport - 1 tap bridge" pair for each VLAN, assign the VLAN on the OVS internalport, and plug the internalport into the tap bridge.
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday, 11 March 2014 18:18:21
Subject: RE: [pve-devel] pvefw: masquerade problems and conntrack zones
> >>2.) They use an OVS bridge and plug in the linux bridge (using veth
> >>pair?)
> Not anymore, because of performance problems. Now, they plug the ovsint port
> into the bridge.
It should be quite simple to implement such a setup. Do they use a single linux bridge, or a separate
bridge for each VM tap? Although I am not sure what we gain with such a setup?