On 1/21/26 8:04 PM, Maurice Klein wrote:

Some thoughts below from my side, but I'm still unsure about what would be
the best approach for this.

> I agree it would work nicely as an SDN plugin and I was also considering
> that approach.
> The problem I saw with that is that SDN relies on there being a bridge
> for every zone and making it work without one seems to be a huge refactor.
> Do you think the bridge should not be removed at all, even for a pure L3
> routed setup?

That would be one reason, but there are others. The gateway IP only
needs to be configured once on the bridge / vnet itself then, whereas it
needs to be specified explicitly for every guest with your approach.
You'd most likely also need to generate a MAC address that is the same
for the GW on all PVE hosts, so VM mobility works properly. With tap
interfaces that is even more complicated as you'd need to handle setting
the MAC for each tap interface. It's cleaner and simpler that way imo,
since you can just set up the gateway once and be done.

A simple zone with port isolation is already quite similar to what
you're trying to achieve imo. It denies L2 connectivity between guests
via the isolated flag [1] on bridge members and the PVE node acts as a
router for the zone. I think that could be used as a starting point and
then built upon. Simple zones have IPAM support, so we could utilize
that for managing the guest IPs. It would probably also make sense to
manage neighbor / fdb table entries statically for this kind of setup.

[1] https://man7.org/linux/man-pages/man8/bridge.8.html


_______________________________________________
pve-devel mailing list
[email protected]
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
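To make the layout Maurice sketches above concrete (gateway IP configured once on the zone bridge, each guest tap attached with the bridge `isolated` flag so guests have no L2 path to each other, and the guest's IP/MAC pinned with static neighbor and fdb entries), here is an added example script. It is not code from the thread or from the Proxmox SDN code base; the bridge name `vmbr1`, the subnet `10.10.0.0/24`, the tap names and the MAC addresses are made up for illustration. It defaults to a dry run that prints the `ip`/`bridge` commands it would execute; set `APPLY=1` and run as root on a Linux host to actually apply them.

```shell
#!/bin/sh
# Added example for the pve-devel discussion above (not Proxmox code).
# Sketch of a "simple zone with port isolation": one bridge per zone, the
# gateway address on the bridge, isolated guest ports, static neigh/fdb.
# All names and addresses below are assumed values for illustration.

# Dry run by default: print each command instead of executing it.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

ZONE_BRIDGE=vmbr1          # assumed bridge name for the zone
GW_CIDR=10.10.0.1/24       # assumed gateway address, set once per host

# Create the zone bridge and put the gateway IP on the bridge itself, so
# nothing per-guest has to carry the gateway address or a shared GW MAC.
setup_zone_bridge() {
    run ip link add "$ZONE_BRIDGE" type bridge
    run ip addr add "$GW_CIDR" dev "$ZONE_BRIDGE"
    run ip link set "$ZONE_BRIDGE" up
    # The PVE node routes between isolated ports and beyond.
    run sysctl -w net.ipv4.ip_forward=1
}

# Attach one guest tap to the zone.
#   $1 tap interface, $2 guest IP, $3 guest MAC (all assumed/constructed)
# 'isolated on' blocks forwarding between isolated ports (guest<->guest at
# L2) while still allowing traffic to/from the bridge device, i.e. the
# router. The static fdb and permanent neighbor entries pin the guest's
# MAC to its port and its IP to its MAC, so the tables do not depend on
# learning; 'learning off' goes with that and is an extra hardening step.
attach_guest() {
    tap=$1
    gip=$2
    gmac=$3
    run ip link set "$tap" master "$ZONE_BRIDGE"
    run bridge link set dev "$tap" isolated on
    run bridge link set dev "$tap" learning off
    run bridge fdb replace "$gmac" dev "$tap" master static
    run ip neigh replace "$gip" lladdr "$gmac" dev "$ZONE_BRIDGE" nud permanent
    run ip link set "$tap" up
}

# Detach a guest and drop the static entries created for it.
detach_guest() {
    tap=$1
    gip=$2
    gmac=$3
    run ip neigh del "$gip" dev "$ZONE_BRIDGE"
    run bridge fdb del "$gmac" dev "$tap" master
    run ip link set "$tap" nomaster
}

# Demo with constructed guests (dry run unless APPLY=1).
demo() {
    setup_zone_bridge
    attach_guest tap101i0 10.10.0.11 52:54:00:aa:00:11
    attach_guest tap102i0 10.10.0.12 52:54:00:aa:00:12
}
```

Usage: source the script and call `demo` to see the full command list, or `APPLY=1 sh script.sh` after adding a `demo` call at the bottom on a test host. After applying, `bridge link show` should list each tap with the `isolated` flag and `ip neigh show dev vmbr1` should show the guest entries as `PERMANENT`; a ping between two guests should then fail while both can still reach `10.10.0.1`.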
