[pve-devel] pvefw: masquerade problems and conntrack zones
Dietmar Maurer
dietmar at proxmox.com
Wed Mar 12 06:04:48 CET 2014
> AFAIK, they use 1 bridge per tap (only when they use the hybrid network to
> enable iptables firewalling); see the example here:
> http://openstack.redhat.com/Networking_in_too_much_detail#Compute_host:_instance_networking_.28A.2CB.2CC.29
>
> >>Although I am not sure what we gain with such setup?
>
> I think because it's easier for them.
> In any case, they have a central openvswitch, and they manage vlan on
> openvswitchs.
What happens when that node fails?
> So with the firewall, they just need to create a "1 internalport - 1 tap bridge"
> couple for each vlan, assign the vlan on the ovs internalport, and plug the
> internalport into the tap bridge
Do you think that is faster than our veth setup?