> I'm interested in working on a patch to use OpenVSwitch for networking
> instead of the generic bridge. I'm starting a hosting company and would
> like to use Proxmox to serve KVM instances, but need more security than
> bridge networking can provide. While the basic underlying premise is the
> same, using OVS would allow the ability to add rules to the connected
> ports to prevent spoofing of IPs and MAC addresses, as well as more
> advanced metering of traffic via sFlow. Is this something that the
> community would be interested in? Would it be better to set up similar
> protection rules using ebtables? I'm curious on your thoughts.

First, AFAIK OpenVSwitch is not compatible with iptables, and OpenFlow
does not offer the full iptables functionality.

Some time ago we started an iptables-based prototype here:

https://git.proxmox.com/?p=pve-firewall.git;a=summary

It is based on shorewall and looks quite promising. But it needs some love
to make it production ready.

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel