> -----Original Message-----
> From: Alexandre DERUMIER [mailto:aderum...@odiso.com]
> Sent: Tuesday, 13 May 2014 15:43
> To: Dietmar Maurer
> Cc: pve-devel@pve.proxmox.com
> Subject: Re: [pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces
>
> >>link ==> fwln
>
> for ovs and bridge ?
>
> because in Network.pm
>
> sub cleanup_firewall_bridge {
>     my ($fwbr, $vethfw, $vethfwpeer, $ovsintport) = &$compute_fwbr_names($vmid, $devid);
>
>     # cleanup old port config from any openvswitch bridge
>     if (-d "/sys/class/net/$ovsintport") {
>         run_command("/usr/bin/ovs-vsctl del-port $ovsintport", outfunc => sub {}, errfunc => sub {});
>     }
> }
>
> So, if the name is the same for ovsintport and vethlink, I don't know what happens.
> (maybe add an eval to be sure)
I want only the same prefix:

fwln${vmid}i${devid}
fwln${vmid}o${devid}

> >>peer ==> fwpr

fwpr${vmid}i${devid}

> >>fwbr <==> fwbr (keep that name)
> >>
> >>what do you think?
>
> so
>
> linux bridge
> -------------
> vmbr<--fwpr------>fwln----->fwbr
>
> ovs bridge
> ----------
> vmbr<------------>fwln----->fwbr
>
> and
>
> -A PVEFW-FORWARD -i fwbr+ -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
> -A PVEFW-FORWARD -i fwbr+ -m physdev --physdev-out link+ --physdev-is-bridged -j PVEFW-FWBR-OUT

I don't understand the above rules (why '-i fwbr+', and why '--physdev-out link+')?

I thought we can use:

-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT

> vmbr->fwpr can be excluded somewhere at the beginning of pve-forward with
> vmbr->something like
>
> -A PVEFW-FORWARD -m physdev --physdev-in fwpr+ -j ACCEPT (or RETURN)
> -A PVEFW-FORWARD -m physdev --physdev-out fwpr+ -j ACCEPT (or RETURN)

This is just an optimization?

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
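The naming scheme and the PVEFW-FORWARD rules discussed in this thread, as an added POSIX shell example that is not code from the thread or from the Proxmox code base: it derives the fwbr/fwln/fwpr names from a VM id and NIC index, emits the physdev rules in the form proposed in the reply, and adds one check the thread does not mention, namely that every generated name stays within the kernel's 15-character interface name limit (IFNAMSIZ minus the terminating NUL). The function names and the fixed "i" infix are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Proxmox code. Interface names longer than 15 characters
# are rejected by the kernel (IFNAMSIZ is 16 including the trailing NUL).
IFNAMSIZ_MAX=15

# Print "fwbr fwln fwpr" names for one VM/NIC pair, following the
# fw??${vmid}i${devid} convention from the thread; fail on over-long names.
compute_fwbr_names() {
    vmid=$1; devid=$2
    fwbr="fwbr${vmid}i${devid}"
    fwln="fwln${vmid}i${devid}"
    fwpr="fwpr${vmid}i${devid}"
    for n in "$fwbr" "$fwln" "$fwpr"; do
        if [ ${#n} -gt "$IFNAMSIZ_MAX" ]; then
            echo "interface name too long (>$IFNAMSIZ_MAX chars): $n" >&2
            return 1
        fi
    done
    printf '%s %s %s\n' "$fwbr" "$fwln" "$fwpr"
}

# Rules in the form the reply proposes: match only on the fwln+ physdev.
# The same two rules cover both bridge types, because the port facing vmbr
# on the firewall bridge is called fwln* for Linux bridges (veth end) and
# for OVS (internal port) alike, as the two diagrams above show.
gen_forward_rules() {
    printf '%s\n' \
      '-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN' \
      '-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT'
}

# Optional short-circuit for traffic on the vmbr side of the fwpr veth end
# (Linux bridge only; OVS has no fwpr). RETURN is chosen here so that later
# FORWARD rules still apply; ACCEPT, the thread's other option, would not.
gen_fwpr_skip_rules() {
    printf '%s\n' \
      '-A PVEFW-FORWARD -m physdev --physdev-in fwpr+ -j RETURN' \
      '-A PVEFW-FORWARD -m physdev --physdev-out fwpr+ -j RETURN'
}
```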