[pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces

[Dietmar Maurer]

> -----Original Message-----
> From: Alexandre DERUMIER [mailto:aderumier at odiso.com]
> Sent: Dienstag, 13. Mai 2014 15:43
> To: Dietmar Maurer
> Cc: pve-devel at pve.proxmox.com
> Subject: Re: [pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces
> 
> >>link ==> fwln
> 
> for ovs and bridge ?
> 
> because in Network.pm
> cleanup_firewall_bridge{
>     my ($fwbr, $vethfw, $vethfwpeer, $ovsintport) =
> &$compute_fwbr_names($vmid, $devid);
> 
>     # cleanup old port config from any openvswitch bridge
>     if (-d "/sys/class/net/$ovsintport") {
>         run_command("/usr/bin/ovs-vsctl del-port $ovsintport", outfunc => sub
> {}, errfunc => sub {});
>     }
> }
> 
> So, if the name is same for ovsintport and vethlink, I don't known what
> happen.
> (maybe add an eval to be sure)

I ant only same prefix:

fwln${vmid}i${devid}
fwln${vmid}o${devid}

> >>peer ==> fwpr

fwpr${vmid}i${devid}

> >>fwbr <==> fwbr (keep that name)
> >>
> >>what do you think?
> 
> 
> so
> 
> linux bridge
> -------------
> vmbr<--fwpr------>fwln----->fwbr
> 
> ovs bridge
> ----------
> vmbr<------------>fwln----->fwbr
> 
> and
> 
> -A PVEFW-FORWARD -i fwbr+ -m physdev --physdev-in fwln+ --physdev-is-
> bridged -j PVEFW-FWBR-IN -A PVEFW-FORWARD -i fwbr+ -m physdev --
> physdev-out link+ --physdev-is-bridged -j PVEFW-FWBR-OUT

I don't understand above rules (why '-i fwbr+', and why '--physdev-out link+')? I though we can use:

-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN 
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
 
> vmbr->fwpr can be exclude somewhere at begin of pve-forward with
> vmbr->something like
> 
> -A PVEFW-FORWARD -m physdev --physdev-in fwpr+ -j ACCEPT (or RETURN)
> -A PVEFW-FORWARD -m physdev --physdev-out fwpr+ -j ACCEPT (or  RETURN)

This is just an optimization?