[pve-devel] [PATCH] openvswitch hybrid network model implementation

Alexandre DERUMIER aderumier at odiso.com
Wed Apr 23 10:39:47 CEST 2014


> >>2.) iptables chains grow if we have many VMs (clumsy)
> I'm not sure it'll be different, because you need to parse all tap chains to find the good
> one.
> in 1 direction only, but it needs to be done twice, for each bridge

>>I don’t really understand the above sentence, sorry. But if we use an extra bridge for each tap
>>we do not have to search for the right device?

Well, you need to test through each fwbrXXXiY sequentially to find the good one.
(Or maybe I'm missing something?) Could you provide an example of what you have in mind?


> >>3.) does not work with OVS 
> well, for ovs + tapbridge, it's working fine now ;) 

>>Sure. But I assume it would simplify things if we use exactly the same setup.

I agree too!

Something like:

linux bridge vmbr0
------------------
vmbr0<-->vethXXXiY (+vlan)<-->fwbrXXXiY<-->tapXXXiY

ovs bridge vmbr0
----------------
vmbr0<-->ovsintXXXiY (+vlan)<-->fwbrXXXiY<-->tapXXXiY


Seems good?


----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Wednesday 23 April 2014 10:16:56
Subject: RE: [pve-devel] [PATCH] openvswitch hybrid network model implementation

> So maybe performance impact is bigger than having a lot of rules.

Maybe, but we should benchmark that.

> >>1.) It does not work 100% out of the box (needs veth hack). Difficult to explain
> >>to users.
> yes indeed
>
> >>2.) iptables chains grow if we have many VMs (clumsy)
> I'm not sure it'll be different, because you need to parse all tap chains to find the good
> one.
> in 1 direction only, but it needs to be done twice, for each bridge

I don’t really understand the above sentence, sorry. But if we use an extra bridge for each tap
we do not have to search for the right device?

> >>3.) does not work with OVS 
> well, for ovs + tapbridge, it's working fine now ;) 

Sure. But I assume it would simplify things if we use exactly the same setup.

> >>Also note that we do not need to enable netfilter on vmbr0 with this setup, so we can
> >>completely exclude VMs from using the firewall (such VMs won't notice a performance
> >>penalty).
> Do you want to plug VMs without firewall directly on vmbr0?

yes. 

> Or is it possible to disable netfilter on a specific fwbrXXXiY ? 

no 

> But, we have also ovs now, so maybe users could choose ovs, if they want more 
> performance. 

I still prefer linux bridge code ;-) 


