[pve-devel] pve-firewall : masquerade results (+veth vlan tag bug)
Dietmar Maurer
dietmar at proxmox.com
Fri May 2 12:57:13 CEST 2014
> So, I think that vlan tagging on veth is broken somewhere for now.
>
> I think it's better to keep the current vmbrXvY model for 3.10 kernel too
>
> eth0------->vmbr0
> eth0.94---->vmbr0v94<-----tapXiY (non firewalled tap)
> <--linkXiY----->linkXiYp--->fwbrXiY---->tapXiY (firewalled tap)
I would also prefer that.
> Now, about masquerade, we don't need pm0 interface anymore
>
> a simple:
> iptables -t raw -A PREROUTING -i fwbr110i0 -j CT --zone 1 (kernel 3.10 only of course)
>
> is enough, to enable nat on a firewalled tap
>
> (user just need to define like before "iptables -t nat -A POSTROUTING -s X.X.X.X/24 -o vmbr0 -j MASQUERADE", like before)
>
>
> I think it seems to be the best setup, don't break current model for non firewall vms, and just add a new fwbr bridge for firewalled taps
>
> What do you think about it ?
Sounds good. I just wonder what happens on a VM crash - I guess in that case
we end up with some stale bridges? Is there a way to remove them automatically?
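The following is an added example, not pve-firewall code and not part of the thread. It prints the two rules the proposal needs for a firewalled tap (the raw-table CT zone rule and the nat-table MASQUERADE rule quoted above) for review rather than running them, and it addresses the stale-bridge question by scanning `ip -o link show` output for fwbrXiY bridges that no longer have their tapXiY device enslaved. The function names, the sample `ip -o link` output (constructed, with the veth `name@peer` form `ip link` uses) and the VM ids 110/120 are assumptions made for the example.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not pve-firewall's own code).

# Print the rules that enable NAT for the firewalled tap of VM $1, net $2,
# using conntrack zone $3, guest subnet $4 and uplink bridge $5.
# The commands are printed, not executed, so they can be reviewed first.
pve_nat_rules() {
    vmid=$1; net=$2; zone=$3; subnet=$4; uplink=$5
    printf 'iptables -t raw -A PREROUTING -i fwbr%si%s -j CT --zone %s\n' "$vmid" "$net" "$zone"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$subnet" "$uplink"
}

# Read `ip -o link show` output on stdin and print every fwbrXiY bridge
# that has no tapXiY device attached (what a crashed VM would leave behind).
stale_fw_bridges() {
    awk '
        # field 2 is "name:"; collect the firewall bridges themselves
        $2 ~ /^fwbr[0-9]+i[0-9]+:$/ { b = $2; sub(/:$/, "", b); bridges[b] = 1 }
        # a tap line carries "master <bridge>" while the VM is running
        $2 ~ /^tap[0-9]+i[0-9]+:$/ {
            for (i = 1; i <= NF; i++) if ($i == "master") attached[$(i + 1)] = 1
        }
        END { for (b in bridges) if (!(b in attached)) print b }
    ' | sort
}

# Print the commands that remove a stale bridge and its veth pair
# (deleting one veth end removes its peer as well). Printed, not executed.
cleanup_cmds() {
    b=$1
    id=${b#fwbr}
    printf 'ip link delete link%s\n' "$id"
    printf 'ip link delete %s\n' "$b"
}

# Constructed sample output (not captured from a real host): VM 110 is
# running, VM 120 crashed and left fwbr120i0 and its veth pair behind.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UP mode DEFAULT
3: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
4: fwbr110i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
5: link110i0@link110i0p: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UP mode DEFAULT
6: link110i0p@link110i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr110i0 state UP mode DEFAULT
7: tap110i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr110i0 state UNKNOWN mode DEFAULT
8: fwbr120i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
9: link120i0@link120i0p: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UP mode DEFAULT
10: link120i0p@link120i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr120i0 state UP mode DEFAULT'

# Usage: show the rules for VM 110 net 0, then list what a cleanup would run
# for each stale bridge found in the sample.
pve_nat_rules 110 0 1 10.10.10.0/24 vmbr0
printf '%s\n' "$SAMPLE_IP_LINK" | stale_fw_bridges | while read -r br; do
    cleanup_cmds "$br"
done
```

On a live host the sample would be replaced by `ip -o link show` itself, and the printed `ip link delete` lines run only once the VM is confirmed to be gone (for example from a VM-stop hook), since a bridge whose tap is missing for a moment during startup looks identical to a stale one.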