On Sat, Feb 05, 2011 at 12:57:16PM +0100, Pascal Hambourg wrote:
> Oleg wrote:
> > On Fri, Feb 04, 2011 at 03:54:20PM +0100, Pascal Hambourg wrote:
> >>
> >>> Any ideas?
> >> Yes, one : just another case of undesirable interaction between bridge
> >> and netfilter (aka bridge-netfilter).
> [...]
> >> Setting sysctl net.bridge.bridge-nf-call-iptables=0 to disable passing
> >> bridged packets to netfilter should fix the problem.
> >
> > Thanks a lot! Good explanation. I completely forgot about bridge-nf-*
> > vars.
>
> Another option may be to use a virtual network between virtual machines
> instead of a bridge, so the host does not see the traffic between them.
> I don't know whether KVM provides such option, otherwise VDE (vde2)
> could be used instead.
KVM supports VDE. I've tested it. It works well. But what about performance and stability? Which of the two (VDE vs bridge&tap) is better?

> Yet another option may be to use a separate network namespace (netns),
> thus separate conntracks, for the bridge and its virtual interfaces.
> Don't ask me how to use this.

Hm. Maybe I will try it later.

--
To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/20110205184437.GA17817@debian
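The two fixes discussed in this thread, written out as an added shell example (this is not code from the thread, from Debian or from KVM): option 1 turns off bridge-netfilter so bridged frames are no longer handed to iptables/ip6tables/arptables (and therefore no longer hit the host's conntrack), and option 2 moves the bridge and its tap devices into their own network namespace so the host namespace never sees guest-to-guest traffic at all. The interface names `br0`, `tap0`, `tap1`, the namespace name `guests` and the sysctl.d file path are assumptions. The real commands need root, and the bridge-nf sysctl keys only exist once the bridge module (on current kernels, `br_netfilter`) is loaded; setting `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: keep guest-to-guest bridged traffic away from the host's
# netfilter/conntrack. Names (br0, tap0, guests, the sysctl.d path) are assumed.
set -eu

# Run a command, or print it when DRY_RUN=1 so the script can be reviewed
# (or tested) without root privileges.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Current state: 1 means bridged IPv4 frames traverse iptables and conntrack;
# "absent" means the bridge/br_netfilter module is not loaded (no keys yet).
bridge_nf_state() {
    cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null || echo absent
}

# Option 1 (runtime): stop passing bridged frames to iptables, ip6tables and
# arptables. Host iptables rules then no longer filter bridged guest traffic;
# use ebtables (or the nftables bridge family) for that instead.
disable_bridge_nf() {
    run sysctl -w net.bridge.bridge-nf-call-iptables=0
    run sysctl -w net.bridge.bridge-nf-call-ip6tables=0
    run sysctl -w net.bridge.bridge-nf-call-arptables=0
}

# Option 1 (persistent): contents for /etc/sysctl.d/99-bridge-nf.conf
# (assumed path). Redirect this function's output into that file.
bridge_nf_sysctl_conf() {
    printf '%s\n' \
        'net.bridge.bridge-nf-call-iptables = 0' \
        'net.bridge.bridge-nf-call-ip6tables = 0' \
        'net.bridge.bridge-nf-call-arptables = 0'
}

# Option 2: a separate network namespace holding the bridge and the tap
# devices. It has its own netfilter tables and its own conntrack, so the
# host namespace sees nothing of the guest traffic. QEMU/KVM must then be
# started inside it, e.g.:  ip netns exec guests qemu-system-x86_64 ...
# Usage: setup_guest_netns <netns> <bridge> <tap>...
setup_guest_netns() {
    ns=$1; br=$2; shift 2
    run ip netns add "$ns"
    run ip netns exec "$ns" ip link add "$br" type bridge
    run ip netns exec "$ns" ip link set "$br" up
    for tap in "$@"; do
        # Created inside the namespace, so QEMU run there can open it.
        run ip netns exec "$ns" ip tuntap add dev "$tap" mode tap
        run ip netns exec "$ns" ip link set "$tap" master "$br"
        run ip netns exec "$ns" ip link set "$tap" up
    done
}

# Example session (as root):
#   bridge_nf_state                       # prints 1 when the symptom applies
#   disable_bridge_nf
#   bridge_nf_sysctl_conf > /etc/sysctl.d/99-bridge-nf.conf
# or, for the namespace approach:
#   setup_guest_netns guests br0 tap0 tap1
```

Option 1 is the smaller change and keeps the existing bridge/tap layout, but it is global: every bridge on the host stops being filtered by iptables. Option 2 isolates only the guest bridge and also gives it a separate conntrack table, which is exactly what the thread was after; the cost is that the guests are then unreachable from the host namespace unless a veth pair is added to link the two.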

