Re: nat issue
On Sat, Feb 05, 2011 at 12:57:16PM +0100, Pascal Hambourg wrote:
> Oleg wrote:
> > On Fri, Feb 04, 2011 at 03:54:20PM +0100, Pascal Hambourg wrote:
> >>
> >>> Any ideas?
> >> Yes, one : just another case of undesirable interaction between bridge
> >> and netfilter (aka bridge-netfilter).
> [...]
> >> Setting sysctl net.bridge.bridge-nf-call-iptables=0 to disable passing
> >> bridged packets to netfilter should fix the problem.
> >
> > Thanks a lot! Good explanation. I completely forgot about bridge-nf-* vars.
>
> Another option may be to use a virtual network between virtual machines
> instead of a bridge, so the host does not see the traffic between them.
> I don't know whether KVM provides such option, otherwise VDE (vde2)
> could be used instead.
kvm supports vde. I've tested it. It works well. But what about performance
and stability? Which of the two (vde vs bridge&tap) is better?
>
> Yet another option may be to use a separate network namespace (netns),
> thus separate conntracks, for the bridge and its virtual interfaces.
> Don't ask me how to use this.
Hm. Maybe I will try it later.