From: Stefan Hanreich <s.hanreich@proxmox.com>
To: Maurice Klein <klein@aetherus.de>, pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [PATCH container 1/1] Signed-off-by: Maurice Klein <klein@aetherus.de>
Date: Tue, 27 Jan 2026 11:02:00 +0100 [thread overview]
Message-ID: <77ad7294-e8b6-4862-8ce5-b81181d1188f@proxmox.com> (raw)
In-Reply-To: <d18928a0-6ab0-4e90-ad3a-0674bbdedb72@aetherus.de>
On 1/21/26 8:04 PM, Maurice Klein wrote:
Some thoughts below from my side, but I'm still unsure on what would be
the best approach for this.
> I agree it would work nicely as a SDN plugin and I was also considering
> that approach.
> The problem I saw with that is that SDN relies on there being a bridge
> for every zone and making it work without one seems to be a huge refactor.
> Do you think the bridge should not be removed at all, even for a pure l3
> routed setup?
That would be one reason, but there are others. The gateway IP only
needs to be configured once on the bridge / vnet itself then, whereas it
needs to be specified explicitly for every guest with your approach.
You'd most likely also need to generate a MAC address that is the same
for the GW on all PVE hosts, so VM mobility works properly. With tap
interfaces that is even more complicated as you'd need to handle setting
the MAC for each tap interface. It's cleaner and simpler that way imo,
since you can just set up the gateway once and be done.
A simple zone with port isolation is already quite similar to what
you're trying to achieve imo. It denies L2 connectivity between guests
via the isolated flag [1] on bridge members and the PVE node acts as a
router for the zone. I think that could be used as a starting point and
then build upon it. Simple zones have IPAM support, so we could utilize
that for managing the guest IPs. It would probably also make sense to
manage neighbor / fdb table entries statically for this kind of setup.
[1] https://man7.org/linux/man-pages/man8/bridge.8.html
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2026-01-27 10:02 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20260109121049.70740-1-klein@aetherus.de>
2026-01-09 12:10 ` Maurice Klein via pve-devel
[not found] ` <20260109121049.70740-2-klein@aetherus.de>
2026-01-19 8:37 ` Maurice Klein via pve-devel
2026-01-19 14:35 ` Stefan Hanreich
2026-01-21 19:04 ` Maurice Klein via pve-devel
[not found] ` <d18928a0-6ab0-4e90-ad3a-0674bbdedb72@aetherus.de>
2026-01-27 10:02 ` Stefan Hanreich [this message]
2026-01-27 10:37 ` Maurice Klein via pve-devel
[not found] <20260109124514.72991-1-klein@aetherus.de>
2026-01-09 12:45 ` Maurice Klein via pve-devel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=77ad7294-e8b6-4862-8ce5-b81181d1188f@proxmox.com \
--to=s.hanreich@proxmox.com \
--cc=klein@aetherus.de \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.