From: Stephan Leemburg
Organization: IT Functions
To: Dietmar Maurer, Proxmox VE development discussion
Subject: Re: [pve-devel] More than 10 interfaces in lxc containers
Date: Sun, 23 Aug 2020 12:58:02 +0200
Message-ID: <15c9ed01-6e88-b3c6-6efd-cb5c881904fb@it-functions.nl>
In-Reply-To: <292235591.128.1598159408132@webmail.proxmox.com>
References: <1877466395.127.1598159022900@webmail.proxmox.com> <292235591.128.1598159408132@webmail.proxmox.com>
List-Id: Proxmox VE development discussion
X-BeenThere: pve-devel@lists.proxmox.com

Good afternoon Dietmar,

The reason is separation of clients' resources on the machine(s). In firewalling, it is not uncommon to use a lot of VLANs. For example, at one of my clients that I do consultancy for, they have more than 60 VLANs defined on their firewall.

For me the setup is like this:

Zone      Nr    Purpose
WAN        1    Internet connectivity
MGMT       2    Management network
DMZ        3    DMZ network (proxies, etc.), accessible from the Internet
SHARED     4    Shared hosting; shared resources, only Internet accessible by some sources
SERVICES   5    Services for other networks, like a shared database; no Internet access
CLIENT1    6    Client1's network
CLIENT2    7    Client2's network
CLIENT3    8    Client3's network
CLIENT4    9    Client4's network
CLIENT5   10    Client5's network
CLIENTX   10++  ClientX's network

Yesterday, I was configuring the CLIENTX's network and ran into the issue. This node still has 'traditional' vmbr interfaces, but using openvswitch would not help here.
If it would be possible to provide a 'trunk' openvswitch interface to the CT, then from within the CT VLAN devices could be set up from the trunk, but in the end that will still create 10+ interfaces in the container itself.

This firewall is running on one of my OVH machines as an LXC container with an fwbuilder (iptables) created firewall. On my other OVH machine, I have a KVM with pfSense running. That pfSense firewall has 11 interfaces. But I want to move from the KVM to a CT based setup and in the end also replace the pfSense qm with a Debian based CT.

I've read about more people asking for this. And in fact, I patched my test proxmox system yesterday and it works perfectly. It only requires 3 adjustments.

So before I went to bed yesterday, I started cloning the proxmox repos with:

  for i in $(curl -s https://git.proxmox.com/ | grep '\.git' | sed 's/.*p=\([^;]*\).*/\1/' | grep '\.git$' | sort -u); do git clone "https://git.proxmox.com/git/$i"; done

Which provided me with an impressive 41GB of repo data ;-)

If you would accept the patch, then I will be happy to provide one based upon the git repos. I will read through the way you want to receive the patch and send it formatted the way you require.

To be honest, I cannot see why raising it from 10 to 32 would be a problem. And it would take away blocking my setup from being continued. Also, as an IT person, I think the number 32 looks much better than the number 10 ;-)

Kind regards,
Stephan

On 23-08-2020 07:10, Dietmar Maurer wrote:
>>> For me, I have that need too for a firewall container.
>> Why does your firewall need more the 10 interface?
> Sigh. too early in the morning... I wanted to ask:
>
> Why does your firewall need more than 10 interfaces?
>
> Normally, a firewall uses one interface per zone, and more
> than 10 zones are quite uncommon?
>
>>> Would you please consider raising the limit?
>> No, unless someone can explain why that is required ;-)
>>
>>
>> _______________________________________________
>> pve-devel mailing list
>> pve-devel@lists.proxmox.com
>> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
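As an added illustration, not part of the thread and not Stephan's actual configuration: the zone table above mapped onto a Proxmox LXC container config (/etc/pve/lxc/<vmid>.conf), one veth per zone, with the firewall CT holding the gateway address of each zone. The bridge name vmbr0, the use of the zone number as the VLAN tag, the VM ID, the storage name and all addresses are assumptions chosen for the example. With a limit of ten network interfaces, net0 to net9 cover WAN through CLIENT4; CLIENT5 as net10 is the eleventh and is where such a limit bites.

```ini
# Constructed example CT config for a per-zone firewall container; not from the thread.
# Assumptions: vmbr0 carries the VLAN tags (VLAN-aware bridge, or the auto-created
# vmbr0v<tag> bridges of a plain Linux bridge), zone number == VLAN tag,
# and each zone uses 10.0.<zone>.0/24 with the CT as its .1 gateway.
arch: amd64
hostname: fw1
ostype: debian
cores: 2
memory: 1024
rootfs: local-lvm:vm-100-disk-0,size=8G
# WAN (zone 1): the only interface with a default gateway; PVE host-side firewall on
net0: name=eth0,bridge=vmbr0,tag=1,ip=203.0.113.10/24,gw=203.0.113.1,firewall=1,type=veth
# MGMT (zone 2)
net1: name=eth1,bridge=vmbr0,tag=2,ip=10.0.2.1/24,type=veth
# DMZ (zone 3)
net2: name=eth2,bridge=vmbr0,tag=3,ip=10.0.3.1/24,type=veth
# SHARED (zone 4)
net3: name=eth3,bridge=vmbr0,tag=4,ip=10.0.4.1/24,type=veth
# SERVICES (zone 5)
net4: name=eth4,bridge=vmbr0,tag=5,ip=10.0.5.1/24,type=veth
# CLIENT1 (zone 6)
net5: name=eth5,bridge=vmbr0,tag=6,ip=10.0.6.1/24,type=veth
# CLIENT2 (zone 7)
net6: name=eth6,bridge=vmbr0,tag=7,ip=10.0.7.1/24,type=veth
# CLIENT3 (zone 8)
net7: name=eth7,bridge=vmbr0,tag=8,ip=10.0.8.1/24,type=veth
# CLIENT4 (zone 9)
net8: name=eth8,bridge=vmbr0,tag=9,ip=10.0.9.1/24,type=veth
# CLIENT5 (zone 10): tenth interface, the last one a 10-interface limit allows
net9: name=eth9,bridge=vmbr0,tag=10,ip=10.0.10.1/24,type=veth
# CLIENTX (zone 11): eleventh interface; this is the entry the thread is about
net10: name=eth10,bridge=vmbr0,tag=11,ip=10.0.11.1/24,type=veth
```

The point of one veth per zone, rather than one trunk with VLAN sub-interfaces created inside the container, is that every zone arrives on its own interface, so the iptables ruleset in the CT can key on the interface (-i eth5, -o eth0) instead of on addresses, and a misconfigured VLAN device inside the CT cannot silently merge two zones. The host still has to keep the zones apart on the bridge side: the tag on each netN is what stops a client's VLAN from reaching another client's, independently of the rules inside the firewall CT.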