> So maybe performance impact is bigger than having a lot of rules.

maybe. but we should benchmark that.

>> 1.) It does not work 100% out of the box (needs veth hack). Difficult to
>> explain to users.
>
> yes indeed

>> 2.) iptables chains grow if we have many VMs (clumsy)
>
> I'm not I'll be different, because you need to parse all tap chains to find
> the good one.
> in 1 direction only, but it needs to be done twice, for each bridge

I don't really understand the above sentence, sorry. But if we use an extra
bridge for each tap we do not have to search for the right device?

>> 3.) does not work with OVS
>
> well, for ovs + tapbridge, it's working fine now ;)

Sure. But I assume it would simplify things if we use exactly the same setup.

>> Also note that we do not need to enable netfilter on vmbr0 with this setup.
>> so we can completely exclude VMs from using the firewall (such VM won't
>> notice a performance penalty).
>
> do you want to plug vm without firewall directly on vmbr0 ?

yes.

> Or is it possible to disable netfilter on a specific fwbrXXXiY ?

no

> But, we have also ovs now, so maybe users could choose ovs, if they want more
> performance.

I still prefer linux bridge code ;-)

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
