> >>2.) iptables chains grow if we have many VMs (clumsy)
> I'm not sure it'll be different, because you need to parse all tap chains to find the good one.
> in 1 direction only, but it needs to be done twice, for each bridge
>>I don't really understand the above sentence, sorry. But if we use an extra bridge for each tap we do not have to search for the right device?

Well, you need to test through each fwbrXXXiY sequentially to find the good one. (or maybe I'm missing something?)
Could you provide an example of what you have in mind?

> >>3.) does not work with OVS
> well, for ovs + tapbridge, it's working fine now ;)
>>Sure. But I assume it would simplify things if we use exactly the same setup.

I agree too! Something like:

---------------
linux bridge vmbr0
------------
vmbr0<-->vethXXXiY (+vlan)<-->fwbrXXXiY<-->tapXXXiY

ovs bridge vmbr0
----------------
vmbr0<-->ovsintXXXiY (+vlan)<-->fwbrXXXiY<-->tapXXXiY

Seems good?

----- Original Message -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>
Cc: [email protected]
Sent: Wednesday 23 April 2014 10:16:56
Subject: RE: [pve-devel] [PATCH] openvswitch hybrid network model implementation

> So maybe the performance impact is bigger than having a lot of rules.

maybe. but we should benchmark that.

> >>1.) It does not work 100% out of the box (needs veth hack). Difficult to explain to users.
> yes indeed
>
> >>2.) iptables chains grow if we have many VMs (clumsy)
> I'm not sure it'll be different, because you need to parse all tap chains to find the good one.
> in 1 direction only, but it needs to be done twice, for each bridge

I don't really understand the above sentence, sorry. But if we use an extra bridge for each tap we do not have to search for the right device?

> >>3.) does not work with OVS
> well, for ovs + tapbridge, it's working fine now ;)

Sure. But I assume it would simplify things if we use exactly the same setup.

> >>Also note that we do not need to enable netfilter on vmbr0 with this setup. so we can
> >>completely exclude VMs from using the firewall (such VMs won't notice a performance penalty).
> do you want to plug vm without firewall directly on vmbr0 ?

yes.

> Or is it possible to disable netfilter on a specific fwbrXXXiY ?

no

> But, we also have ovs now, so maybe users could choose ovs, if they want more performance.

I still prefer linux bridge code ;-)

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
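The linux-bridge layout sketched in the thread (vmbr0 <--> vethXXXiY (+vlan) <--> fwbrXXXiY <--> tapXXXiY), as an added example in shell; this is not code from the thread or from the Proxmox firewall. Device names follow the XXXiY pattern from the diagram; the `b` suffix on the vmbr0-side veth end and the `vmbr0v<vlan>` per-VLAN bridge name are assumptions, and DRY_RUN=1 prints the commands instead of executing them so it can be tried without root.

```shell
#!/bin/sh
# Added example (not from the thread): plumb one VM NIC into a per-VM
# firewall bridge so that netfilter only has to inspect traffic on
# fwbr<VMID>i<IDX>; VMs without a firewall stay attached to vmbr0 directly.
# DRY_RUN=1 prints each command instead of running it (no root needed).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# fwbr_plumb VMID IDX BRIDGE [VLAN]
fwbr_plumb() {
    vmid=$1; idx=$2; br=$3; vlan=${4:-}
    tap="tap${vmid}i${idx}"
    fwbr="fwbr${vmid}i${idx}"
    veth_fw="veth${vmid}i${idx}"   # end that joins the firewall bridge
    veth_br="${veth_fw}b"          # end that joins the VM bridge (assumed suffix)

    # Assumption: a tagged VM attaches to a per-VLAN bridge named <br>v<vlan>
    # that already exists; the thread only says "(+vlan)".
    if [ -n "$vlan" ]; then
        br="${br}v${vlan}"
    fi

    # per-VM firewall bridge: this is where iptables/physdev rules apply
    run ip link add name "$fwbr" type bridge
    run ip link set "$fwbr" up

    # veth pair linking the firewall bridge to the VM bridge
    run ip link add name "$veth_fw" type veth peer name "$veth_br"
    run ip link set "$veth_fw" master "$fwbr"
    run ip link set "$veth_br" master "$br"
    run ip link set "$veth_fw" up
    run ip link set "$veth_br" up

    # the VM's tap device hangs off the firewall bridge, not off vmbr0
    run ip link set "$tap" master "$fwbr"
    run ip link set "$tap" up
}

# usage: DRY_RUN=1 fwbr_plumb 100 0 vmbr0 5   (VM 100, net0, VLAN 5)
```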
