[pve-devel] pvefw: masquerade problems and conntrack zones

Dietmar Maurer dietmar at proxmox.com
Wed Mar 12 06:04:48 CET 2014


> AFAIK, they use 1 bridge per tap (only when they use the hybrid network to
> enable iptables firewalling); see example here:
> http://openstack.redhat.com/Networking_in_too_much_detail#Compute_host:_instance_networking_.28A.2CB.2CC.29
> 
> >>Although I am not sure what we gain with such setup?
> 
> I think because it's easier for them.
> In all cases, they have a central openvswitch, and they manage vlan on
> openvswitchs.

What happens when that node fails?

> So with firewall, they just need to create "1 internalport - 1 tap bridge" couple
> for each vlan, assign vlan on ovs internalport, and plug the internalport to tap
> bridge

Do you think that is faster than our veth setup?


