Hi, I'm curious how to filter inter-VMs (running on Linux KVM host) traffic on a remote bare-metal host running OpenBSD and PF. Any tip?
So, there would be a Linux KVM host running various VMs and a separate OpenBSD box, and I'd like to achieve that all traffic between those VMs running on that Linux box is sent to the OpenBSD box, which does PF and "switching". The libvirt docs say (about vepa-type bridging on Linux):

~~~
vepa
All VMs' packets are sent to the external bridge. Packets whose destination is a VM on the same host as where the packet originates from are sent back to the host by the VEPA capable bridge (today's bridges are typically not VEPA capable).
~~~

Problem is, as they say, many bridges/network switches are not VEPA capable. So what could I do? Could I use vxlan/openvswitch and connect it to OpenBSD... I'm a little bit lost about all the pieces in this area. Thanks for your tips and comments. j.
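For reference, this is what the vepa attachment the quoted libvirt text describes looks like in a domain definition. It is an added illustration, not part of the original post or of the libvirt documentation; the physical NIC name `eth1` and the MAC address are placeholders. The point from a filtering perspective is that with `mode='vepa'` the host itself does not switch between its guests: every frame leaves on the physical port, so the policy decision (here, PF on the OpenBSD box) is enforced off-host, but only if the device on the other end of the cable is willing to hairpin frames back out the port they arrived on.

```xml
<!-- Added example: a guest NIC attached directly to a physical host
     interface in VEPA mode. "eth1" and the MAC are placeholders. -->
<domain type='kvm'>
  <!-- ... name, memory, vcpu, os and other elements omitted ... -->
  <devices>
    <interface type='direct'>
      <!-- mode='vepa': all guest frames are forwarded out of eth1 to the
           upstream device; nothing is switched locally between guests.
           The upstream device must reflect (hairpin) guest-to-guest
           frames back to the host, or those guests cannot reach
           each other at all. -->
      <source dev='eth1' mode='vepa'/>
      <mac address='52:54:00:00:00:01'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>
```

The same `<interface type='direct'>` block is repeated per VM, each with its own MAC and typically the same `source dev`. A quick way to check whether the setup is doing what you want is to watch the physical interface with `tcpdump` while two guests talk to each other: with vepa every frame of that conversation should be visible on the wire, whereas with `mode='bridge'` the host forwards guest-to-guest traffic internally and it never reaches the OpenBSD box.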