>>Sounds good. I just wonder what happens on a VM crash - I guess in that case
>>we end up with some stale bridges? Is there a way to remove them
>>automatically?
Indeed, we have stale bridges.
I clean this up at VM start (on tap_plug, more precisely). I have a sub for this:
PVE::Network::bridge_cleanup($iface)
This can happen on vm_crash.
I don't know what the best way is in this case?
But also on VM shutdown (it can be a shutdown from inside the guest, for example).
I think for the second case, we should add a shutdown script ("-netdev
....downscript=ifdown.sh").
For OpenVZ veth, I don't know if it's possible to use a script at shutdown?
----- Original Mail -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>, "pve-devel"
<[email protected]>
Sent: Friday 2 May 2014 12:57:13
Subject: RE: [pve-devel] pve-firewall : masquerade results (+veth vlan tag bug)
> So, I think that vlan tagging on veth is broken somewhere for now.
>
> I think it's better to keep the current vmbrXvY model for 3.10 kernel too
>
> eth0------->vmbr0
> eth0.94---->vmbr0v94<-----tapXiY (non firewalled tap)
> <--linkXiY----->linkXiYp--->fwbrXiY---->tapXiY (firewalled tap)
I would also prefer that.
> Now, about masquerade, we don't need the pm0 interface anymore
>
> a simple:
> iptables -t raw -A PREROUTING -i fwbr110i0 -j CT --zone 1 (kernel 3.10 only, of course)
>
> is enough to enable NAT on a firewalled tap
>
> (the user just needs to define, like before, "iptables -t nat -A POSTROUTING -s
> X.X.X.X/24 -o vmbr0 -j MASQUERADE")
>
>
> I think it seems to be the best setup: it doesn't break the current model for
> non-firewalled VMs, and just adds a new fwbr bridge for firewalled taps
>
> What do you think about it?
Sounds good. I just wonder what happens on a VM crash - I guess in that case
we end up with some stale bridges? Is there a way to remove them automatically?
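
The stale-bridge question raised in this thread, as an added example that is not part of the original mail or of the Proxmox code: a read-only audit that lists fwbrXiY bridges whose tapXiY port has disappeared, using the naming from the diagram above. The function names, the sysfs-based staleness test and the sample tree are assumptions made for illustration; removal itself is left to the cleanup routine the mail mentions.

```sh
#!/bin/sh
# Added example: read-only audit for stale fwbrXiY bridges.
# Assumption: a firewall bridge is stale when its tapXiY device is missing
# from sysfs or is no longer a port of that bridge (e.g. after a VM crash).

# find_stale_fwbr [SYSNET_DIR]  (hypothetical helper, default /sys/class/net)
find_stale_fwbr() {
    sysnet="${1:-/sys/class/net}"
    for br in "$sysnet"/fwbr*i*; do
        [ -d "$br/bridge" ] || continue      # skip non-bridges and unmatched glob
        name="${br##*/}"
        suffix="${name#fwbr}"                # "110i0" for fwbr110i0
        case "$suffix" in
            *[!0-9i]*|i*|*i) continue ;;     # not <vmid>i<index>
        esac
        if [ ! -e "$sysnet/tap$suffix" ] || [ ! -e "$br/brif/tap$suffix" ]; then
            echo "$name"
        fi
    done
}

# Constructed sample tree standing in for /sys/class/net (not real host data).
make_sample_tree() {
    root="$(mktemp -d)"
    # VM 110 is running: tap110i0 exists and is a port of fwbr110i0.
    mkdir -p "$root/fwbr110i0/bridge" "$root/fwbr110i0/brif/tap110i0" \
             "$root/fwbr110i0/brif/link110i0p" "$root/tap110i0"
    # VM 111 crashed: the tap is gone, only the veth peer is left on the bridge.
    mkdir -p "$root/fwbr111i0/bridge" "$root/fwbr111i0/brif/link111i0p"
    # Non-firewalled vmbrXvY bridge: outside the fwbr naming, so never reported.
    mkdir -p "$root/vmbr0v94/bridge" "$root/vmbr0v94/brif/tap112i0" "$root/tap112i0"
    echo "$root"
}
```

Calling `find_stale_fwbr` with no argument audits the live host; passing the directory printed by `make_sample_tree` reports only `fwbr111i0`.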