OpenvSwitch 2.5 (with connection tracking) as replacement for iptables firewall model in the future

mipsH

Hello.

Since OpenvSwitch v2.5 is out now, and it has support for connection tracking via the Linux kernel module (nf_conntrack), can we expect that Proxmox VE will in the future replace the "old" network model and introduce a new one?

The situation is similar to the OpenStack network model (see the linked video).


This integration (openvSwitch 2.5 + nf_conntrack) is visible on Proxmox VE 4.2 using the testing repo (pve-no-subscription), at least at the kernel module level:

lsmod | grep openvswitch

openvswitch 94208 0
nf_defrag_ipv6 36864 1 openvswitch
nf_conntrack 106496 1 openvswitch
libcrc32c 16384 3 xfs,dm_persistent_data,openvswitch

BR,
Hrvoje.
 
That's interesting, but OpenFlow does not work on a normal bridge, so that would be only half the solution.
Wolfgang is currently testing an nft-based implementation, but there are still some problems with that.

But I would accept patches if someone wants to give that a try...
 

As I understand it, the current network model of Proxmox VE is (as in the picture, logical view):
(image: ProxmoxVE-Network-overview-old-1.png)

And the new one (with OpenvSwitch 2.5.x, using nf_conntrack) will be without the need of:
  • using OpenvSwitch flows as a possible firewall solution, since they are not built as a firewall (they support only stateless matches, so the solution would be "messy" for firewall functions, with very slow speed)
  • and iptables as the (old) firewall
but instead utilizing OpenvSwitch and nf_conntrack directly as the firewall (without OVS flows, which are not built to do firewall matches, whereas nf_conntrack is).

As described in the video (before):
(image: Firewall-with-OVS-problems.jpg)

So that's why OpenvSwitch and nf_conntrack, finally.

Note: nf_conntrack is used by iptables also.

And as I understand it, the new design will/could be:
(image: ProxmoxVE-Network-overview-new.png)
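As an added example (not code from the thread or from Proxmox), this is what the "OVS + nf_conntrack as the firewall" design sketched above looks like in OpenFlow terms on OVS 2.5: the ct() action hands IP packets to nf_conntrack and the ct_state match makes the decision stateful, with no iptables rules involved. The bridge name vmbr0, the guest's OpenFlow port number and the single allowed inbound service (SSH) are assumed placeholders.

```shell
#!/bin/sh
# Added example: a minimal stateful firewall for one VM port built from
# OpenFlow + ct() on OVS 2.5. Assumptions: bridge "vmbr0" and the guest's
# OpenFlow port number are hypothetical; "apply" needs root and ovs-ofctl.
BR="${BR:-vmbr0}"
VM_PORT="${VM_PORT:-2}"   # OpenFlow port number of the guest's tap interface

# Emit the flow table. Table 0 sends IP traffic through conntrack (ct() fills
# in the ct_state bits and re-injects the packet into table 1); table 1 then
# decides purely on connection state, the way an iptables conntrack rule would.
ovs_fw_flows() {
    cat <<EOF
table=0, priority=100, arp, actions=normal
table=0, priority=100, ip, actions=ct(table=1)
table=0, priority=0, actions=drop
table=1, priority=100, ip, ct_state=+trk+inv, actions=drop
table=1, priority=90, ip, ct_state=+trk+est, actions=normal
table=1, priority=80, ip, ct_state=+trk+new, in_port=${VM_PORT}, actions=ct(commit),normal
table=1, priority=80, tcp, ct_state=+trk+new, tp_dst=22, actions=ct(commit),normal
table=1, priority=0, ip, actions=drop
EOF
}

# Number of rules in the generated table, for a quick sanity check.
ovs_fw_rule_count() {
    ovs_fw_flows | wc -l | tr -d ' '
}

# Replace the bridge's whole flow table atomically with the rules above
# (replace-flows reads the rules from stdin when the file argument is "-").
apply_flows() {
    ovs_fw_flows | ovs-ofctl replace-flows "$BR" -
}

case "${1:-show}" in
    apply) apply_flows ;;
    *) ovs_fw_flows ;;
esac
```

Guest-initiated connections are committed to conntrack so their replies match +est on the way back, unsolicited inbound traffic other than SSH is dropped, and `conntrack -L` shows the same entries iptables would, because both use the shared nf_conntrack table.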
 
