From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 39CE71FF168 for ; Tue, 12 Nov 2024 16:54:32 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id ABF602E844; Tue, 12 Nov 2024 16:54:30 +0100 (CET) From: Stefan Hanreich To: pve-devel@lists.proxmox.com Date: Tue, 12 Nov 2024 16:54:24 +0100 Message-Id: <20241112155425.196432-3-s.hanreich@proxmox.com> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20241112155425.196432-1-s.hanreich@proxmox.com> References: <20241112155425.196432-1-s.hanreich@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.239 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Subject: [pve-devel] [PATCH pve-network v2 3/4] vnets : add ports isolation X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" From: Alexandre Derumier via pve-devel Add support for bridge ports isolation https://github.com/torvalds/linux/commit/7d850abd5f4edb1b1ca4b4141a4453305736f564 This allow to drop traffic between all ports having isolation enabled on the local bridge, but allow traffic with non isolated ports. Here,we isolate traffic between vms but allow traffic coming from outside. Main usage is for layer3 routed or natted setup, but some users have requested it for layer2/bridge network with proxy arp. So we can enable it at vnet level. Signed-off-by: Alexandre Derumier [ SH: improve option naming and description slightly ] Signed-off-by: Stefan Hanreich --- src/PVE/Network/SDN/VnetPlugin.pm | 5 +++++ src/PVE/Network/SDN/Zones/Plugin.pm | 1 + 2 files changed, 6 insertions(+) diff --git a/src/PVE/Network/SDN/VnetPlugin.pm b/src/PVE/Network/SDN/VnetPlugin.pm index 062904c..f44380a 100644 --- a/src/PVE/Network/SDN/VnetPlugin.pm +++ b/src/PVE/Network/SDN/VnetPlugin.pm @@ -72,6 +72,10 @@ sub properties { maxLength => 256, optional => 1, }, + 'isolate-ports' => { + type => 'boolean', + description => "If true, sets the isolated property for all members of this VNet", + } }; } @@ -81,6 +85,7 @@ sub options { tag => { optional => 1}, alias => { optional => 1 }, vlanaware => { optional => 1 }, + 'isolate-ports' => { optional => 1 }, }; } diff --git a/src/PVE/Network/SDN/Zones/Plugin.pm b/src/PVE/Network/SDN/Zones/Plugin.pm index 26cc0da..a860168 100644 --- a/src/PVE/Network/SDN/Zones/Plugin.pm +++ b/src/PVE/Network/SDN/Zones/Plugin.pm @@ -236,6 +236,7 @@ sub tap_plug { my $opts = {}; $opts->{learning} = 0 if $plugin_config->{'bridge-disable-mac-learning'}; + $opts->{isolation} = 1 if $vnet->{'isolate-ports'}; PVE::Network::tap_plug($iface, $vnetid, $tag, $firewall, $trunks, $rate, $opts); } -- 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel