> So, I think that vlan tagging on veth is broken somewhere for now.
>
> I think it's better to keep the current vmbrXvY model for 3.10 kernel too
>
> eth0------->vmbr0
> eth0.94---->vmbr0v94<-----tapXiY (non firewalled tap)
> <--linkXiY----->linkXiYp--->fwbrXiY---->tapXiY
> (firewalled tap)

I would also prefer that.

> Now, about masquerade, we don't need pm0 interface anymore
>
> a simple:
> iptables -t raw -A PREROUTING -i fwbr110i0 -j CT --zone 1 (kernel 3.10 only of course)
>
> is enough, to enable nat on a firewalled tap
>
> (user just needs to define like before "iptables -t nat -A POSTROUTING -s X.X.X.X/24 -o vmbr0 -j MASQUERADE", like before)
>
>
> I think it seems to be the best setup, don't break current model for non firewall
> vms, and just add a new fwbr bridge for firewalled taps
>
> What do you think about it ?

Sounds good. I just wonder what happens on a VM crash - I guess in that case we end up with some stale bridges? Is there a way to remove them automatically?

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
