[pve-devel] pve-firewall : masquerade results (+veth vlan tag bug)
Alexandre DERUMIER
aderumier at odiso.com
Fri May 2 15:08:35 CEST 2014
>>Sounds good. I just wonder what happens on a VM crash -I guess in that case
>>we end up with some stale bridges? Is there a way to remove them automatically?
Indeed we have stale bridges.
I clean this up at VM start (on tap_plug, more precisely). I have a sub for this: PVE::Network::bridge_cleanup($iface)
This can happen on vm_crash
I don't know what the best way is in this case?
but also on VM shutdown (can be a shutdown from inside the guest, for example).
I think for the second case, we should add a shutdown script ("-netdev ....downscript=ifdown.sh").
For OpenVZ veth, I don't know if it's possible to use a script at shutdown?
----- Original Mail -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Friday 2 May 2014 12:57:13
Subject: RE: [pve-devel] pve-firewall : masquerade results (+veth vlan tag bug)
> So, I think that vlan tagging on veth is broken somewhere for now.
>
> I think it's better to keep the current vmbrXvY model for 3.10 kernel too
>
> eth0------->vmbr0
> eth0.94---->vmbr0v94<-----tapXiY (non firewalled tap)
> <--linkXiY----->linkXiYp--->fwbrXiY---->tapXiY (firewalled tap)
I would also prefer that.
> Now, about masquerade, we don't need pm0 interface anymore
>
> a simple:
> iptables -t raw -A PREROUTING -i fwbr110i0 -j CT --zone 1 (kernel 3.10 only of course)
>
> is enough, to enable nat on a firewalled tap
>
> (the user just needs to define, like before, "iptables -t nat -A POSTROUTING -s X.X.X.X/24 -o vmbr0 -j MASQUERADE")
>
>
> I think it seems to be the best setup: it doesn't break the current model for non-firewalled VMs, and just adds a new fwbr bridge for firewalled taps
>
> What do you think about it ?
Sounds good. I just wonder what happens on a VM crash -I guess in that case
we end up with some stale bridges? Is there a way to remove them automatically?
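The model discussed in this thread (uplink bridge <--linkXiY-----linkXiYp--->fwbrXiY---->tapXiY, plus the raw-table CT zone rule for the firewalled tap) and the stale-bridge question, written out as an added shell example. This is not Proxmox's own code: PVE::Network::bridge_cleanup, tap_plug and the pve-firewall rules are not reproduced here. The interface names follow the thread's scheme, the uplink bridge and the zone number (1, as in the thread) are parameters, and the stale-bridge check treats an fwbrXiY bridge with no tapXiY port as left over from a crashed VM. DRY_RUN=1 (the default) prints the commands instead of executing them, so the logic can be exercised without touching a host.

```shell
#!/bin/sh
# Added example (not Proxmox code) for the firewalled-tap model from the thread:
#   uplink (vmbr0 or vmbr0vTAG) <--linkXiY----->linkXiYp--->fwbrXiY---->tapXiY
# Functions: setup_fwbr, stale_fwbr_bridges (crash leftovers), cleanup_fwbr.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# setup_fwbr VMID IDX UPLINK [ZONE]: build the veth pair and fwbr bridge for
# tap<VMID>i<IDX>, hang it off UPLINK, and assign its traffic to a conntrack
# zone so the nat-table MASQUERADE rule can track it. ZONE defaults to 1 as in
# the thread. Note: matching -i on a bridge name in the raw table only works
# when br_netfilter is active (bridge-nf-call-iptables=1), otherwise iptables
# never sees the bridged frames.
setup_fwbr() {
    vmid="$1"; idx="$2"; uplink="$3"; zone="${4:-1}"
    id="${vmid}i${idx}"
    run ip link add "link$id" type veth peer name "link${id}p"
    run ip link add "fwbr$id" type bridge
    run ip link set "link$id" master "$uplink"
    run ip link set "link${id}p" master "fwbr$id"
    run ip link set "tap$id" master "fwbr$id"
    for dev in "link$id" "link${id}p" "fwbr$id"; do run ip link set "$dev" up; done
    run iptables -t raw -A PREROUTING -i "fwbr$id" -j CT --zone "$zone"
    # The masquerade rule stays per-subnet, exactly as the thread describes:
    #   iptables -t nat -A POSTROUTING -s X.X.X.X/24 -o vmbr0 -j MASQUERADE
}

# bridge_inventory: one line per fwbr bridge on the host, "bridge port port ...",
# read from /sys/class/net so the decision logic below stays testable offline.
bridge_inventory() {
    for br in /sys/class/net/fwbr*; do
        [ -d "$br/brif" ] || continue
        printf '%s' "$(basename "$br")"
        for p in "$br"/brif/*; do
            [ -e "$p" ] && printf ' %s' "$(basename "$p")"
        done
        printf '\n'
    done
}

# stale_fwbr_bridges: reads inventory lines on stdin and prints every fwbrXiY
# bridge that has no tapXiY port, i.e. the VM died without cleaning up.
stale_fwbr_bridges() {
    while read -r br ports; do
        case "$br" in fwbr*i*) ;; *) continue ;; esac
        id="${br#fwbr}"            # e.g. 110i0
        has_tap=0
        for p in $ports; do
            [ "$p" = "tap$id" ] && has_tap=1
        done
        if [ "$has_tap" -eq 0 ]; then echo "$br"; fi
    done
}

# cleanup_fwbr fwbrXiY: tear down one stale bridge and its veth pair.
# Deleting linkXiY removes its peer linkXiYp as well.
cleanup_fwbr() {
    br="$1"; id="${br#fwbr}"
    run ip link set "$br" down
    run ip link del "link$id"
    run ip link del "$br"
}

# main: only runs on a host when invoked as "./fwbr.sh --run".
main() {
    bridge_inventory | stale_fwbr_bridges | while read -r br; do cleanup_fwbr "$br"; done
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Running the script with `--run` and DRY_RUN=1 lists what would be removed; the same stale check could be called from a VM-start hook (the tap_plug moment mentioned above) or from a periodic job, since a crash leaves nothing else to trigger it.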