From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: Stefan Hanreich <s.hanreich@proxmox.com>
Cc: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-common v2 1/4] tap_plug: add support for bridge port isolation
Date: Mon, 18 Nov 2024 19:45:02 +0100 [thread overview]
Message-ID: <20241118194502.3019e0c7@rosa.proxmox.com> (raw)
In-Reply-To: <20241112155425.196432-1-s.hanreich@proxmox.com>
saw this when looking through our git repos and thought I'll give it a
spin (as afaict only the manager and docs-patches are not applied yet)
It works, and does what it says it does.
small suggestions for the docs-patch will be sent as reply to the
docs-patch directly.
w/ or w/o the doc-suggestions:
Reviewed-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Tested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
On Tue, 12 Nov 2024 16:54:22 +0100
Stefan Hanreich <s.hanreich@proxmox.com> wrote:
> From: Alexandre Derumier via pve-devel <pve-devel@lists.proxmox.com>
>
> This is allow to block traffic/isolation traffic between all ports
> on the bridge with isolation (so between the vms), ans still allow
> incoming traffic from uplink.
>
> Signed-off-by: Alexandre Derumier <alexandre.derumier@groupe-cyllene.com>
> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
> ---
> Changes from v1 to v2:
> * rebased
> * Improved naming of parameters slightly
> * Improve description of parameters
> * Add short section to documentation
>
> src/PVE/Network.pm | 14 ++++++++++++--
> 1 file changed, 12 insertions(+), 2 deletions(-)
>
> diff --git a/src/PVE/Network.pm b/src/PVE/Network.pm
> index cde7949..269b9cf 100644
> --- a/src/PVE/Network.pm
> +++ b/src/PVE/Network.pm
> @@ -238,6 +238,13 @@ sub disable_ipv6 {
> return;
> }
>
> +my $bridge_enable_port_isolation = sub {
> + my ($iface) = @_;
> +
> + eval { run_command(['/sbin/bridge', 'link', 'set', 'dev', $iface, 'isolated', 'on']) };
> + die "unable to enable port isolation on interface $iface - $@\n" if $@;
> +};
> +
> my $bridge_disable_interface_learning = sub {
> my ($iface) = @_;
>
> @@ -418,7 +425,7 @@ sub veth_delete {
> }
>
> my $create_firewall_bridge_linux = sub {
> - my ($iface, $bridge, $tag, $trunks, $no_learning) = @_;
> + my ($iface, $bridge, $tag, $trunks, $no_learning, $isolation) = @_;
>
> my ($vmid, $devid) = &$parse_tap_device_name($iface);
> my ($fwbr, $vethfw, $vethfwpeer) = &$compute_fwbr_names($vmid, $devid);
> @@ -433,6 +440,7 @@ my $create_firewall_bridge_linux = sub {
>
> &$bridge_add_interface($bridge, $vethfwpeer, $tag, $trunks);
> &$bridge_disable_interface_learning($vethfwpeer) if $no_learning;
> + $bridge_enable_port_isolation->($vethfwpeer) if $isolation;
> &$bridge_add_interface($fwbr, $vethfw);
>
> &$bridge_add_interface($fwbr, $iface);
> @@ -492,6 +500,7 @@ sub tap_plug {
> $opts->{learning} = !($bridge && $bridge->{'bridge-disable-mac-learning'}); # default learning to on
> }
> my $no_learning = !$opts->{learning};
> + my $isolation = $opts->{isolation};
>
> # cleanup old port config from any openvswitch bridge
> eval {
> @@ -512,7 +521,7 @@ sub tap_plug {
> }
>
> if ($firewall) {
> - &$create_firewall_bridge_linux($iface, $bridge, $tag, $trunks, $no_learning);
> + &$create_firewall_bridge_linux($iface, $bridge, $tag, $trunks, $no_learning, $isolation);
> } else {
> &$bridge_add_interface($bridge, $iface, $tag, $trunks);
> }
> @@ -520,6 +529,7 @@ sub tap_plug {
> $bridge_disable_interface_learning->($iface);
> add_bridge_fdb($iface, $opts->{mac}) if defined($opts->{mac});
> }
> + $bridge_enable_port_isolation->($iface) if $isolation;
>
> } else {
> &$cleanup_firewall_bridge($iface); # remove stale devices
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
prev parent reply other threads:[~2024-11-18 18:45 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-12 15:54 Stefan Hanreich
2024-11-12 15:54 ` [pve-devel] [PATCH pve-manager v2 2/4] sdn: vnet: add isolate-ports option Stefan Hanreich
2024-11-19 16:02 ` [pve-devel] applied: " Thomas Lamprecht
2024-11-12 15:54 ` [pve-devel] [PATCH pve-network v2 3/4] vnets : add ports isolation Stefan Hanreich
2024-11-18 18:46 ` [pve-devel] applied: " Thomas Lamprecht
2024-11-12 15:54 ` [pve-devel] [PATCH pve-docs v2 4/4] sdn: add documentation for isolated ports option Stefan Hanreich
2024-11-18 18:52 ` Stoiko Ivanov
2024-11-19 10:06 ` Hannes Dürr
2024-11-19 10:19 ` Stoiko Ivanov
2024-11-19 10:34 ` Hannes Dürr
2024-11-12 16:20 ` [pve-devel] applied: [PATCH pve-common v2 1/4] tap_plug: add support for bridge port isolation Thomas Lamprecht
2024-11-18 18:45 ` Stoiko Ivanov [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241118194502.3019e0c7@rosa.proxmox.com \
--to=s.ivanov@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=s.hanreich@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox