tip for inter-KVM VMs traffic filtering with PF running on separate box
I'm curious how to filter inter-VMs (running on Linux KVM host) traffic
on a remote bare-metal host running OpenBSD and PF. Any tip?
So, there would be a Linux KVM host running various VMs and separate
OpenBSD box and I'd like to achieve that all traffic between those VMs
running on that Linux box is sent to OpenBSD box which does PF and "switching".
libvirt docs say (about vepa-type bridging on Linux):
All VMs' packets are sent to the external bridge. Packets
whose destination is a VM on the same host as where the packet
originates from are sent back to the host by the VEPA capable bridge
(today's bridges are typically not VEPA capable).
Problem is, as they say, many bridges/network switches are not VEPA capable.
So what could I do?
Could I use vxlan/openvswitch and connect it to OpenBSD...
I'm a little bit lost about all pieces in this area.
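For reference, this is what the vepa-type setup the quoted libvirt text describes looks like in libvirt configuration. It is an added illustration, not part of the original post or of the libvirt documentation; the network name "vepa-net" and the host NIC "eth0" (the interface that faces the OpenBSD box) are placeholders. The caveat from the post still holds: with mode vepa the host sends every VM frame out of eth0 and does no local switching, so frames between two VMs on the same host only come back if the device on the other end of eth0 does the hairpin (reflective relay); a plain bridge or switch that is not VEPA capable will drop them.

```xml
<!-- libvirt network definition (hypothetical name "vepa-net"):
     every VM attached to it gets a macvtap interface in vepa mode on eth0,
     so all VM traffic leaves the host through eth0 instead of a local bridge -->
<network>
  <name>vepa-net</name>
  <forward mode='vepa'>
    <interface dev='eth0'/>   <!-- placeholder: NIC cabled to the OpenBSD/PF box -->
  </forward>
</network>

<!-- guest side: attach the VM's NIC to that network in its domain XML -->
<interface type='network'>
  <source network='vepa-net'/>
  <model type='virtio'/>
</interface>
```

Equivalent per-VM form without a network definition: `<interface type='direct'><source dev='eth0' mode='vepa'/></interface>`. Either way, whether VM-to-VM frames on the same host ever reach PF depends entirely on the upstream device reflecting them, which is exactly the limitation the post runs into.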