public inbox for pve-devel@lists.proxmox.com
From: Stephan Leemburg <sleemburg@it-functions.nl>
To: Dietmar Maurer <dietmar@proxmox.com>,
	Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] More than 10 interfaces in lxc containers
Date: Sun, 23 Aug 2020 12:58:02 +0200
Message-ID: <15c9ed01-6e88-b3c6-6efd-cb5c881904fb@it-functions.nl>
In-Reply-To: <292235591.128.1598159408132@webmail.proxmox.com>

Good afternoon Dietmar,

The reason is separation of client's resources on the machine(s).

In firewalling, it is not uncommon to use a lot of VLANs.

For example, at one of my clients that I do consultancy for, they have 
more than 60 VLANs defined on their firewall.

For me, the setup is like this:

Zone      Nr    Purpose
WAN        1    Internet connectivity
MGMT       2    Management network
DMZ        3    DMZ network (proxies, etc.) accessible from the Internet
SHARED     4    Shared hosting; shared resources only Internet accessible by some sources
SERVICES   5    Services for other networks, like a shared database; no Internet access
CLIENT1    6    Client1's network
CLIENT2    7    Client2's network
CLIENT3    8    Client3's network
CLIENT4    9    Client4's network
CLIENT5   10    Client5's network
CLIENTX   10++  ClientX's network

Yesterday, I was configuring the CLIENTX's network and ran into the issue.

This node still has 'traditional' vmbr interfaces, but using openvswitch 
would not help here.

If it would be possible to provide a 'trunk' openvswitch interface to 
the CT, then from within the CT vlan devices could be setup from the 
trunk, but in the end that will still create 10+ interfaces in the 
container itself.

This firewall is running on one of my OVH machines as an LXC container 
with a fwbuilder (iptables) generated firewall.

On my other OVH machine, I have a kvm with pfSense running. That pfSense 
firewall has 11 interfaces.

But I want to move from the KVM to a CT based setup and in the end also 
replace the pfSense VM with a Debian based CT.

I've read about more people asking for this. And in fact, I patched my 
test proxmox system yesterday and it works perfectly.

It only requires 3 adjustments. So before I went to bed yesterday, I 
started cloning the Proxmox repos with:

   # Scrape the repository names (the p=<name>.git links) from the cgit
   # index page, de-duplicate them and clone each repository.
   for i in $(curl -s https://git.proxmox.com/ \
              | grep '\.git' \
              | sed 's/.*p=\([^;]*\).*/\1/' \
              | grep '\.git$' \
              | sort -u); do
       git clone "https://git.proxmox.com/git/$i"
   done

This provided me with an impressive 41 GB of repo data ;-)

If you would accept the patch, then I will be happy to provide one based 
upon the git repos. I will read through the way you want to receive the 
patch and send it formatted the way you require.

To be honest, I cannot see why raising it from 10 to 32 would be a 
problem. And it would remove what is currently blocking my setup from 
being continued.

Also, as an IT person, I think the number 32 looks much better than the 
number 10 ;-)

Kind regards,

Stephan

On 23-08-2020 07:10, Dietmar Maurer wrote:
>>> For me, I have that need too for a firewall container.
>> Why does your firewall need more the 10 interface?
> Sigh. too early in the morning... I wanted to ask:
>
> Why does your firewall need more than 10 interfaces?
>
> Normally, a firewall uses one interface per zone, and more
> than 10 zones are quite uncommon?
>
>>> Would you please consider raising the limit?
>> No, unless someone can explain why that is required ;-)