From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
	by lore.proxmox.com (Postfix) with ESMTPS id EFEED1FF168
	for <inbox@lore.proxmox.com>; Tue, 12 Nov 2024 16:55:00 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 188042E917;
	Tue, 12 Nov 2024 16:55:01 +0100 (CET)
From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Tue, 12 Nov 2024 16:54:22 +0100
Message-Id: <20241112155425.196432-1-s.hanreich@proxmox.com>
X-Mailer: git-send-email 2.39.5
MIME-Version: 1.0
Subject: [pve-devel] [PATCH pve-common v2 1/4] tap_plug: add support for
 bridge port isolation
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>

From: Alexandre Derumier via pve-devel <pve-devel@lists.proxmox.com>

This allows blocking/isolating traffic between all ports
on the bridge with isolation (so between the VMs), and still allows
incoming traffic from the uplink.

Signed-off-by: Alexandre Derumier <alexandre.derumier@groupe-cyllene.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
Changes from v1 to v2:
* Rebased
* Improved naming of parameters slightly
* Improved description of parameters
* Added short section to documentation

 src/PVE/Network.pm | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Network.pm b/src/PVE/Network.pm
index cde7949..269b9cf 100644
--- a/src/PVE/Network.pm
+++ b/src/PVE/Network.pm
@@ -238,6 +238,13 @@ sub disable_ipv6 {
     return;
 }
 
+my $bridge_enable_port_isolation = sub {
+   my ($iface) = @_;
+
+   eval { run_command(['/sbin/bridge', 'link', 'set', 'dev', $iface, 'isolated', 'on']) };
+   die "unable to enable port isolation on interface $iface - $@\n" if $@;
+};
+
 my $bridge_disable_interface_learning = sub {
     my ($iface) = @_;
 
@@ -418,7 +425,7 @@ sub veth_delete {
 }
 
 my $create_firewall_bridge_linux = sub {
-    my ($iface, $bridge, $tag, $trunks, $no_learning) = @_;
+    my ($iface, $bridge, $tag, $trunks, $no_learning, $isolation) = @_;
 
     my ($vmid, $devid) = &$parse_tap_device_name($iface);
     my ($fwbr, $vethfw, $vethfwpeer) = &$compute_fwbr_names($vmid, $devid);
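Review bot: `$isolation` is appended as a sixth positional argument, so any caller of `$create_firewall_bridge_linux` that is not updated silently passes `undef` and gets isolation off, which is the safe default but also invisible. Since the trailing parameters (`$no_learning`, `$isolation`) are both optional boolean knobs, a short comment documenting the argument order, or passing them as a hash of options, would make future additions less error-prone than extending the positional list again.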
@@ -433,6 +440,7 @@ my $create_firewall_bridge_linux = sub {
 
     &$bridge_add_interface($bridge, $vethfwpeer, $tag, $trunks);
     &$bridge_disable_interface_learning($vethfwpeer) if $no_learning;
+    $bridge_enable_port_isolation->($vethfwpeer) if $isolation;
     &$bridge_add_interface($fwbr, $vethfw);
 
     &$bridge_add_interface($fwbr, $iface);
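Review bot: the isolation flag is set on `$vethfwpeer`, the port that sits on the outer bridge, rather than on the tap attached to the firewall bridge, which is the right port since the fwbr only carries the tap and its veth; a comment saying so would help, because a reader may otherwise expect the flag on `$iface`. Note also that between `&$bridge_add_interface($bridge, $vethfwpeer, ...)` and this call the peer is a member of the bridge without the flag, so there is a short window in which the port is not isolated; that is only acceptable if the tap is not yet carrying traffic at this point, which is worth stating in the comment as well.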
@@ -492,6 +500,7 @@ sub tap_plug {
 	$opts->{learning} = !($bridge && $bridge->{'bridge-disable-mac-learning'}); # default learning to on
     }
     my $no_learning = !$opts->{learning};
+    my $isolation = $opts->{isolation};
 
     # cleanup old port config from any openvswitch bridge
     eval {
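Review bot: `$isolation` is read straight from `$opts->{isolation}` with no bridge-level default, whereas `$opts->{learning}` a few lines above falls back to the bridge's `bridge-disable-mac-learning` setting. If isolation is meant to be a per-port option only, a comment next to `my $isolation = $opts->{isolation};` should say so; if administrators are expected to isolate every guest port on a bridge, mirroring the learning pattern with a bridge-level option would avoid having to set the flag on every network device individually.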
@@ -512,7 +521,7 @@ sub tap_plug {
 	}
 
 	if ($firewall) {
-	    &$create_firewall_bridge_linux($iface, $bridge, $tag, $trunks, $no_learning);
+	    &$create_firewall_bridge_linux($iface, $bridge, $tag, $trunks, $no_learning, $isolation);
 	} else {
 	    &$bridge_add_interface($bridge, $iface, $tag, $trunks);
 	}
@@ -520,6 +529,7 @@ sub tap_plug {
 	    $bridge_disable_interface_learning->($iface);
 	    add_bridge_fdb($iface, $opts->{mac}) if defined($opts->{mac});
 	}
+	$bridge_enable_port_isolation->($iface) if $isolation;
 
     } else {
 	&$cleanup_firewall_bridge($iface); # remove stale devices
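Review bot: `$opts->{isolation}` is only honoured in the Linux-bridge branch; the OVS branch in the `else` below ignores it silently, so a user who sets the option on an OVS-backed bridge would believe their guests are isolated when they are not. A `warn` or `die` in the OVS path when `$isolation` is set would make the limitation visible. Separately, judging by the indentation this new line sits at the same level as the `if ($firewall)` block, so in the firewall case the flag is applied to both `$vethfwpeer` (previous hunk) and to `$iface` on the fwbr; that is harmless because the fwbr has only two ports, but if it is not intentional a `&& !$firewall` guard would keep the two code paths from overlapping.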
-- 
2.39.5


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
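The commit message describes the invariant the option is meant to establish: guest ports on the bridge are isolated from each other while the uplink stays reachable. As an added example, not part of the pve-common patch, the following Python checks that invariant from the output of `bridge -d link show`, the iproute2 command whose `isolated on`/`isolated off` flag the patch sets. The sample output is constructed; the classification of VM-facing ports by the Proxmox `tap<vmid>i<n>`, `veth<vmid>i<n>` and `fwpr<vmid>p<n>` naming pattern is an assumption made here.

```python
"""Verify Linux bridge port isolation from `bridge -d link show` output.

Added example, not code from the pve-common patch. Parses the detailed
per-port flags that iproute2 prints and reports two misconfigurations:
a VM-facing port that is not isolated (it can still reach other guests)
and an uplink that is isolated (isolated guests then cannot reach it).
"""
import re
from dataclasses import dataclass, field

# Constructed sample of `bridge -d link show` for bridge vmbr0 with one
# uplink (eno1), two plain taps and one firewall-bridge peer (fwpr102p0).
# tap101i0 is deliberately left non-isolated to show a finding.
SAMPLE_OUTPUT = """\
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master vmbr0 state forwarding priority 32 cost 4
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off
7: tap100i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master vmbr0 state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated on
9: tap101i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master vmbr0 state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning off flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off
12: fwpr102p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master vmbr0 state forwarding priority 32 cost 2
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated on
"""

# First line of each port entry: "<idx>: <name>: <flags> ... master <bridge> ..."
PORT_LINE = re.compile(r'^\d+:\s+(?P<name>[^:\s]+):\s+<[^>]*>.*\bmaster\s+(?P<bridge>\S+)')
# Detail line: a sequence of "<key> on|off" pairs.
FLAG = re.compile(r'\b(?P<key>[a-z_]+)\s+(?P<val>on|off)\b')
# Assumption: Proxmox VE guest-side port names (tap/veth for plain ports,
# fwpr for the outer peer of a firewall bridge). Anything else is treated
# as an uplink or other infrastructure port.
VM_PORT = re.compile(r'^(?:tap|veth)\d+i\d+$|^fwpr\d+p\d+$')


@dataclass
class Port:
    name: str
    bridge: str
    flags: dict = field(default_factory=dict)


def parse_bridge_link_show(text):
    """Return a list of Port objects parsed from `bridge -d link show` output."""
    ports = []
    current = None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            # veth ports may be printed as "name@peer"; keep only the name.
            current = Port(m.group('name').split('@')[0], m.group('bridge'))
            ports.append(current)
        elif current is not None and line.startswith(' '):
            for f in FLAG.finditer(line):
                current.flags[f.group('key')] = f.group('val') == 'on'
    return ports


def is_vm_port(name):
    """True if the port name follows the assumed guest-side naming pattern."""
    return bool(VM_PORT.match(name))


def check_isolation(ports, bridge):
    """Return human-readable findings for ports of `bridge` that break the
    'guests isolated, uplink reachable' invariant."""
    findings = []
    for p in ports:
        if p.bridge != bridge:
            continue
        isolated = p.flags.get('isolated', False)
        if is_vm_port(p.name) and not isolated:
            findings.append(f"{p.name}: VM port not isolated, can reach other VM ports")
        elif not is_vm_port(p.name) and isolated:
            findings.append(f"{p.name}: uplink is isolated, isolated VM ports cannot reach it")
    return findings


if __name__ == '__main__':
    # To check a live host, replace SAMPLE_OUTPUT with the output of
    # `bridge -d link show` (requires iproute2 with isolation support).
    for finding in check_isolation(parse_bridge_link_show(SAMPLE_OUTPUT), 'vmbr0'):
        print(finding)
```

Run against a live host by feeding the real `bridge -d link show` output to `parse_bridge_link_show`; the check deliberately reports an isolated uplink as a finding, because with every guest port isolated as well the bridge would forward nothing at all.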