Differences between venet and veth
From OpenVZ Linux Containers Wiki
- veth allows broadcasts in CT, so you can use even a DHCP server inside a CT, or a samba server with domain broadcasts or other such stuff.
- veth has some security implications. It is normally bridged directly to the host physical ethernet device and so must be treated with the same considerations as a real ethernet device on a standalone host. The CT users can access a veth device as they would a real ethernet interface. However, the CT root user is the only one that has priviledged access to the veth device.
- With venet device, only OpenVZ host node administrator can assign an IP to a CT. With veth device, network settings can be fully done on CT side by the CT administrator. CT should setup correct gateway, IP/netmask etc. and then a node admin can only choose where your traffic goes.
- veth devices can be bridged together and/or with other devices. For example, in host system admin can bridge veth from 2 CTs with some VLAN eth0.X. In this case, these 2 CTs will be connected to this VLAN.
- venet device is a bit faster and more efficient.
- With veth devices, IPv6 auto generates an address from MAC.
The brief summary:
|Broadcasts inside CT||Yes||No|
|Network security||Low ||High|
|Can be used in bridges||Yes||No|
- Independent of host. Each CT must setup its own separate network security.
- Controlled by host.