Linux – Direct Veth Pair vs Linux Bridge

Tags: bridge, linux, networking, openvswitch, virtualization

I'm trying different network configurations between LXC containers to learn something and have fun.

I've just found out that two containers can communicate with just a veth pair, so I'd like to know from experts why all the tutorials show procedures that include a bridge in the host connected to the veth ends.

I thought a simple veth pair could easily replace a MACvlan bridge mode where the host can't communicate with the containers.

Are there some security implications?

What are the real advantages of Linux Bridges and Open vSwitches with this configuration (only two namespaces)?

Best Answer

This isn't normally done because connecting only two instances directly together with a veth pair isn't very useful. We use bridging as a virtual switch so that we can reasonably connect many instances to the same external and host-only networks. Even in cases where you're only running two containers, it's typical to have to expand real-world implementations at some point.

There aren't many security implications with what you describe, at least no more than when connecting your veth pair to a bridge.
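The two layouts the question compares, as an added example that is not part of the original post or answer: the namespace names, interface names and addresses are constructed for the demo, and the commands need root (CAP_NET_ADMIN) to apply, while DRY_RUN=1 only prints them.

```shell
#!/usr/bin/env sh
# Added example: direct veth pair vs. Linux bridge between network namespaces.
# All names and addresses below are constructed for the demo.
set -eu

# Run a command, or just echo it when DRY_RUN=1 (no root needed to inspect).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Layout 1: a bare veth pair. Exactly two endpoints share the segment; the
# host owns no interface on it, so there is no host-side filtering point.
setup_direct_veth() {
  run ip netns add ns1
  run ip netns add ns2
  run ip link add veth-ns1 type veth peer name veth-ns2
  run ip link set veth-ns1 netns ns1
  run ip link set veth-ns2 netns ns2
  run ip -n ns1 addr add 10.0.0.1/24 dev veth-ns1
  run ip -n ns2 addr add 10.0.0.2/24 dev veth-ns2
  run ip -n ns1 link set veth-ns1 up
  run ip -n ns2 link set veth-ns2 up
}

# Layout 2: a Linux bridge as a virtual switch. Each namespace gets its own
# veth pair with the host end enslaved to br0, so any number of containers
# (and optionally the host) share one segment, and bridged frames can be
# policed on the host (e.g. via br_netfilter) if that is wanted.
setup_bridge() {
  run ip link add br0 type bridge
  run ip link set br0 up
  for n in 1 2 3; do
    run ip netns add "c$n"
    run ip link add "veth-c$n" type veth peer name "veth-c$n-br"
    run ip link set "veth-c$n" netns "c$n"
    run ip link set "veth-c$n-br" master br0
    run ip link set "veth-c$n-br" up
    run ip -n "c$n" addr add "10.0.1.$n/24" dev "veth-c$n"
    run ip -n "c$n" link set "veth-c$n" up
  done
  # Giving br0 an address is what lets the host talk to the containers;
  # leave it unaddressed for a host-isolated segment.
  run ip addr add 10.0.1.254/24 dev br0
}
```

Adding a fourth container to layout 2 is one more loop iteration, whereas layout 1 has no slot for it at all.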
