>>1.) They use a linux bridge to apply netfilter firewall.

Yes. (1 bridge per tap)

>>2.) They use an OVS bridge and plug in the linux bridge (using veth pair?)

Not anymore, because of performance problems. Now they plug the ovsint port into the bridge.

>>3.) They use a (GRE) tunnel to a dedicated network host?

I'm not sure, but they use gre or vxlan to have internal VM networks across hosts.
(This can also be done with kernel 3.10 and vxlan.)

----- Original Message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: pve-devel@pve.proxmox.com
Sent: Tuesday, 11 March 2014 17:00:03
Subject: RE: [pve-devel] pvefw: masquerade problems and conntrack zones

> > isn't veth too much overhead ? (I'm a bit worried about veth
> > performance, see http://www.opencloudblog.com/?p=96)
>
> People always compare performance of OVSIntPort with full-featured linux
> netfilter code.

BTW, do I understand the OpenStack network correctly?

1.) They use a linux bridge to apply netfilter firewall.
2.) They use an OVS bridge and plug in the linux bridge (using veth pair?)
3.) They use a (GRE) tunnel to a dedicated network host?

Not sure if that is correct, but I do not believe that is faster.