>>I wonder if that would help to solve above problems?
>>And what performance would we get?

I'm a bit worried about veth performance; all benchmarks I have seen show around 4gbit/s. And with vmbr0<-->vethXXXiY<-->fwbrXXXiY<-->tapXXXiY, that means that 2 taps in the same bridge/vlan should communicate through 2 veth. So maybe performance impact is bigger than having a lot of rules.

>>1.) It does not work 100% out of the box (needs veth hack). Difficult to explain to users.

Yes indeed.

>>2.) iptables chains grow if we have many VMs (clumsy)

I'm not sure it'll be different, because you need to parse all tap chains to find the good one. In 1 direction only, but it needs to be done twice, for each bridge.

>>3.) does not work with OVS

Well, for ovs + tapbridge, it's working fine now ;)

>>Also note that we do not need to enable netfilter on vmbr0 with this setup.
>>so we can completely exclude VMs from using the firewall (such VM won't notice a performance penalty).

Do you want to plug VMs without firewall directly on vmbr0? Or is it possible to disable netfilter on a specific fwbrXXXiY?

But we also have ovs now, so maybe users could choose ovs if they want more performance.

----- Original Mail -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre Derumier" <[email protected]>, [email protected]
Sent: Wednesday 23 April 2014 08:57:51
Subject: RE: [pve-devel] [PATCH] openvswitch hybrid network model implementation

Hi Alexandre,

to be honest, I am also not particularly happy with the current linux bridge based implementation, because

1.) It does not work 100% out of the box (needs veth hack). Difficult to explain to users.
2.) iptables chains grow if we have many VMs (clumsy)
3.) does not work with OVS

So I wonder if we could use a similar approach for linux bridge instead?

We currently have:

veth0<-->vmbr0<-->tapXXXiY

vmbr0<-->vethXXXiY<-->fwbrXXXiY<-->tapXXXiY

I wonder if that would help to solve above problems?
And what performance would we get?
_______________________________________________ pve-devel mailing list [email protected] http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
