On 11/12/2013 11:10 AM, Nicolas Sebrecht wrote:
> The 07/11/13, Daniel P. Berrange wrote:
>
>> There's no support for nwfilter at all when using openvswitch, due to
>> the kernel limitations you mention. The (disgusting) way openstack deals
>> with this is to create a traditional bridge per vm so you have
>>
>>
>>    phys nic <-> openvswitch
>>                    \---> vm bridge <-> vm tap dev
>>                    \---> vm bridge <-> vm tap dev
>>                    \---> vm bridge <-> vm tap dev
> Why is it "disgusting"?
>

Because it's terribly inefficient. You may, on the other hand, view it
as "clever", because it is able to work around deficiencies in the
individual components to make something that works at all. It certainly
is true, though, that a lot of cycles are being wasted on each packet's
trip through all that network linkage, and it would sure be nice if that
waste could be avoided.

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list