* [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
@ 2024-04-25 14:43 Alexandre Derumier via pve-devel
  2024-06-17  7:17 ` DERUMIER, Alexandre via pve-devel
  2024-06-27 16:14 ` Stefan Hanreich
  0 siblings, 2 replies; 6+ messages in thread
From: Alexandre Derumier via pve-devel @ 2024-04-25 14:43 UTC (permalink / raw)
  To: pve-devel; +Cc: Alexandre Derumier

[-- Attachment #1: Type: message/rfc822, Size: 3148 bytes --]

From: Alexandre Derumier <alexandre.derumier@groupe-cyllene.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
Date: Thu, 25 Apr 2024 16:43:49 +0200
Message-ID: <20240425144352.3454063-1-alexandre.derumier@groupe-cyllene.com>

This patch series adds support for sdn vnet bridge ports isolation


pve-network:

Alexandre Derumier (1):
  vnets : add ports isolation

 src/PVE/Network/SDN/VnetPlugin.pm   | 5 +++++
 src/PVE/Network/SDN/Zones/Plugin.pm | 1 +
 2 files changed, 6 insertions(+)

pve-common:

Alexandre Derumier (1):
  tap_plug: add support for bridge port isolation

 src/PVE/Network.pm | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

pve-manager:

Alexandre Derumier (1):
  sdn: vnet: add ports-isolation option.

 www/manager6/sdn/VnetEdit.js | 12 ++++++++++++
 1 file changed, 12 insertions(+)

-- 
2.39.2



[-- Attachment #2: Type: text/plain, Size: 160 bytes --]

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
  2024-04-25 14:43 [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation Alexandre Derumier via pve-devel
@ 2024-06-17  7:17 ` DERUMIER, Alexandre via pve-devel
  2024-06-27 16:14 ` Stefan Hanreich
  1 sibling, 0 replies; 6+ messages in thread
From: DERUMIER, Alexandre via pve-devel @ 2024-06-17  7:17 UTC (permalink / raw)
  To: pve-devel; +Cc: DERUMIER, Alexandre

[-- Attachment #1: Type: message/rfc822, Size: 14316 bytes --]

From: "DERUMIER, Alexandre" <alexandre.derumier@groupe-cyllene.com>
To: "pve-devel@lists.proxmox.com" <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
Date: Mon, 17 Jun 2024 07:17:22 +0000
Message-ID: <9839f17baf668312750e05fe5d98ef6e33091258.camel@groupe-cyllene.com>

Hi,

Would it be possible to apply this patch series? (or get a review if it
needs cleanup)

(I see a lot of users requesting it)

Thanks !

Alexandre



BTW: I'm a little bit off currently, I'm working on vm luks encryption,
I'll send a patch series soon.



-------- Original Message --------
From: Alexandre Derumier via pve-devel <pve-devel@lists.proxmox.com>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
To: pve-devel@lists.proxmox.com
Cc: Alexandre Derumier <alexandre.derumier@groupe-cyllene.com>
Subject: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
Date: 25/04/2024 16:43:49



[-- Attachment #2: Type: text/plain, Size: 160 bytes --]


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
  2024-04-25 14:43 [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation Alexandre Derumier via pve-devel
  2024-06-17  7:17 ` DERUMIER, Alexandre via pve-devel
@ 2024-06-27 16:14 ` Stefan Hanreich
  2024-06-27 16:23   ` DERUMIER, Alexandre via pve-devel
       [not found]   ` <50cea70295db16d50460c2d5c73d9f5ce0ce88e4.camel@groupe-cyllene.com>
  1 sibling, 2 replies; 6+ messages in thread
From: Stefan Hanreich @ 2024-06-27 16:14 UTC (permalink / raw)
  To: Proxmox VE development discussion

Hi! I gave this a quick test on my machine and everything worked well.
Would we maybe want to expose this setting on the NIC level as well?

Also I think 'Isolate Ports' or 'Port Isolation' would be the better
label, 'Ports Isolation' sounds a bit wrong to me.

Otherwise, consider this:

Tested-By: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-By: Stefan Hanreich <s.hanreich@proxmox.com>

On 4/25/24 16:43, Alexandre Derumier via pve-devel wrote:


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
  2024-06-27 16:14 ` Stefan Hanreich
@ 2024-06-27 16:23   ` DERUMIER, Alexandre via pve-devel
       [not found]   ` <50cea70295db16d50460c2d5c73d9f5ce0ce88e4.camel@groupe-cyllene.com>
  1 sibling, 0 replies; 6+ messages in thread
From: DERUMIER, Alexandre via pve-devel @ 2024-06-27 16:23 UTC (permalink / raw)
  To: pve-devel, s.hanreich; +Cc: DERUMIER, Alexandre

[-- Attachment #1: Type: message/rfc822, Size: 15214 bytes --]

From: "DERUMIER, Alexandre" <alexandre.derumier@groupe-cyllene.com>
To: "pve-devel@lists.proxmox.com" <pve-devel@lists.proxmox.com>, "s.hanreich@proxmox.com" <s.hanreich@proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
Date: Thu, 27 Jun 2024 16:23:56 +0000
Message-ID: <50cea70295db16d50460c2d5c73d9f5ce0ce88e4.camel@groupe-cyllene.com>

Hi!


>>Hi! I gave this a quick test on my machine and everything worked well.
>>Would we maybe want to expose this setting on the NIC level as well?

I don't think it can work, because a non-isolated port has access to
all other ports, including isolated ports.


"
isolated on or isolated off
Controls whether a given port will be isolated, which means it will be
able to communicate with non-isolated ports only. By default this flag
is off."


for example:
vm1: isolated
vm2: isolated
vm3: non isolated


vm1: can't access vm2
vm2: can't access vm1

vm3 has access to vm1 && vm2, which are isolated (but the user thinks that vm1
&& vm2 are secure),
and vm1/vm2 have access to vm3 too.


That's why I have done it at bridge/vnet level,  all or nothing.

The main usage is to have only 1 upstream port non isolated (traffic
coming from outside) 


>>Also I think 'Isolate Ports' or 'Port Isolation' would be the better
>>label, 'Ports Isolation' sounds a bit wrong to me.

I'll send a v2 with "Port Isolation"



>>Otherwise, consider this:

>>Tested-By: Stefan Hanreich <s.hanreich@proxmox.com>
>>Reviewed-By: Stefan Hanreich <s.hanreich@proxmox.com>

Thanks !

On 4/25/24 16:43, Alexandre Derumier via pve-devel wrote:



[-- Attachment #2: Type: text/plain, Size: 160 bytes --]


^ permalink raw reply	[flat|nested] 6+ messages in thread
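
Added example (not part of the thread or of the patch series): a small Python model of the bridge forwarding rule quoted in the message above, run on its vm1/vm2/vm3 case and on a vnet-level setup with a single non-isolated upstream port. The function names and the `uplink` port name are assumptions made for illustration.

```python
from itertools import permutations


def can_forward(src_isolated, dst_isolated):
    """Rule quoted in the thread: an isolated port can communicate with
    non-isolated ports only, so a frame is dropped only when BOTH the
    ingress and the egress port are isolated."""
    return not (src_isolated and dst_isolated)


def reachable_pairs(ports):
    """Ordered (src, dst) pairs the bridge forwards between.
    `ports` maps a port name to its 'isolated' flag."""
    return {(a, b) for a, b in permutations(ports, 2)
            if can_forward(ports[a], ports[b])}


def guest_exposure(ports, guests):
    """Guest-to-guest pairs that are still reachable. An empty set means
    no guest can reach another guest through this bridge."""
    return {(a, b) for a, b in reachable_pairs(ports)
            if a in guests and b in guests}


GUESTS = {"vm1", "vm2", "vm3"}

# Constructed sample: per-NIC setting, as in the thread's example.
PER_NIC = {"vm1": True, "vm2": True, "vm3": False}

# Constructed sample: vnet-level setting, every guest port isolated and
# one non-isolated upstream port ("uplink" is a hypothetical name).
VNET_LEVEL = {"vm1": True, "vm2": True, "vm3": True, "uplink": False}

if __name__ == "__main__":
    for name, cfg in (("per-NIC", PER_NIC), ("vnet-level", VNET_LEVEL)):
        exposed = sorted(guest_exposure(cfg, GUESTS))
        print(f"{name}: guest-to-guest paths still open: {exposed}")
```

In the per-NIC case the two isolated guests remain reachable from vm3 in both directions; in the vnet-level case the only open paths are between each guest and the upstream port.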

* Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
       [not found]   ` <50cea70295db16d50460c2d5c73d9f5ce0ce88e4.camel@groupe-cyllene.com>
@ 2024-06-27 16:31     ` Stefan Hanreich
  2024-10-25  5:22     ` DERUMIER, Alexandre via pve-devel
  1 sibling, 0 replies; 6+ messages in thread
From: Stefan Hanreich @ 2024-06-27 16:31 UTC (permalink / raw)
  To: DERUMIER, Alexandre, pve-devel



On 6/27/24 18:23, DERUMIER, Alexandre wrote:
> isolated on or isolated off
> Controls whether a given port will be isolated, which means it will be
> able to communicate with non-isolated ports only. By default this flag
> is off."

Yeah, makes sense this way. I thought since one can set this on a
per-port basis it might make sense to expose it as such but there's
probably not a lot of use cases for that.




^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
       [not found]   ` <50cea70295db16d50460c2d5c73d9f5ce0ce88e4.camel@groupe-cyllene.com>
  2024-06-27 16:31     ` Stefan Hanreich
@ 2024-10-25  5:22     ` DERUMIER, Alexandre via pve-devel
  1 sibling, 0 replies; 6+ messages in thread
From: DERUMIER, Alexandre via pve-devel @ 2024-10-25  5:22 UTC (permalink / raw)
  To: pve-devel, s.hanreich; +Cc: DERUMIER, Alexandre

[-- Attachment #1: Type: message/rfc822, Size: 15024 bytes --]

From: "DERUMIER, Alexandre" <alexandre.derumier@groupe-cyllene.com>
To: "pve-devel@lists.proxmox.com" <pve-devel@lists.proxmox.com>, "s.hanreich@proxmox.com" <s.hanreich@proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
Date: Fri, 25 Oct 2024 05:22:42 +0000
Message-ID: <09c3b514ea9904f26c970847f2c1b3a0f78b6ebc.camel@groupe-cyllene.com>

Hi,

Any news about this patch series?

I think it's still not applied? (I see a lot of requests about it on
the forum and on the bugzilla)

Regards,

Alexandre



[-- Attachment #2: Type: text/plain, Size: 160 bytes --]


^ permalink raw reply	[flat|nested] 6+ messages in thread
