From: Stoiko Ivanov
To: Stefan Hanreich
Cc: Proxmox VE development discussion
Date: Mon, 18 Nov 2024 19:45:02 +0100
Message-ID: <20241118194502.3019e0c7@rosa.proxmox.com>
In-Reply-To: <20241112155425.196432-1-s.hanreich@proxmox.com>
References: <20241112155425.196432-1-s.hanreich@proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-common v2 1/4] tap_plug: add support for bridge port isolation
List-Id: Proxmox VE development discussion

Saw this when looking through our git repos and thought I'll give it a spin (as afaict only the manager and docs patches are not applied yet).

It works, and does what it says it does.

Small suggestions for the docs patch will be sent as a reply to the docs patch directly.

w/ or w/o the doc suggestions:
Reviewed-by: Stoiko Ivanov
Tested-by: Stoiko Ivanov

On Tue, 12 Nov 2024 16:54:22 +0100
Stefan Hanreich wrote:

> From: Alexandre Derumier via pve-devel
>
> This allows blocking/isolating traffic between all ports on the bridge
> with isolation (so between the VMs), and still allows incoming traffic
> from the uplink.
> > Signed-off-by: Alexandre Derumier > Signed-off-by: Stefan Hanreich > --- > Changes from v1 to v2: > * rebased > * Improved naming of parameters slightly > * Improve description of parameters > * Add short section to documentation > > src/PVE/Network.pm | 14 ++++++++++++-- > 1 file changed, 12 insertions(+), 2 deletions(-) > > diff --git a/src/PVE/Network.pm b/src/PVE/Network.pm > index cde7949..269b9cf 100644 > --- a/src/PVE/Network.pm > +++ b/src/PVE/Network.pm > @@ -238,6 +238,13 @@ sub disable_ipv6 { > return; > } > > +my $bridge_enable_port_isolation = sub { > + my ($iface) = @_; > + > + eval { run_command(['/sbin/bridge', 'link', 'set', 'dev', $iface, 'isolated', 'on']) }; > + die "unable to enable port isolation on interface $iface - $@\n" if $@; > +}; > + > my $bridge_disable_interface_learning = sub { > my ($iface) = @_; > > @@ -418,7 +425,7 @@ sub veth_delete { > } > > my $create_firewall_bridge_linux = sub { > - my ($iface, $bridge, $tag, $trunks, $no_learning) = @_; > + my ($iface, $bridge, $tag, $trunks, $no_learning, $isolation) = @_; > > my ($vmid, $devid) = &$parse_tap_device_name($iface); > my ($fwbr, $vethfw, $vethfwpeer) = &$compute_fwbr_names($vmid, $devid); > @@ -433,6 +440,7 @@ my $create_firewall_bridge_linux = sub { > > &$bridge_add_interface($bridge, $vethfwpeer, $tag, $trunks); > &$bridge_disable_interface_learning($vethfwpeer) if $no_learning; > + $bridge_enable_port_isolation->($vethfwpeer) if $isolation; > &$bridge_add_interface($fwbr, $vethfw); > > &$bridge_add_interface($fwbr, $iface); > @@ -492,6 +500,7 @@ sub tap_plug { > $opts->{learning} = !($bridge && $bridge->{'bridge-disable-mac-learning'}); # default learning to on > } > my $no_learning = !$opts->{learning}; > + my $isolation = $opts->{isolation}; > > # cleanup old port config from any openvswitch bridge > eval { 
> @@ -512,7 +521,7 @@ sub tap_plug { > } > > if ($firewall) { > - &$create_firewall_bridge_linux($iface, $bridge, $tag, $trunks, $no_learning); > + &$create_firewall_bridge_linux($iface, $bridge, $tag, $trunks, $no_learning, $isolation); > } else { > &$bridge_add_interface($bridge, $iface, $tag, $trunks); > } > @@ -520,6 +529,7 @@ sub tap_plug { > $bridge_disable_interface_learning->($iface); > add_bridge_fdb($iface, $opts->{mac}) if defined($opts->{mac}); > } > + $bridge_enable_port_isolation->($iface) if $isolation; > > } else { > &$cleanup_firewall_bridge($iface); # remove stale devices _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
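Review bot: `$bridge_enable_port_isolation` (hunk at `@@ -238,6 +238,13 @@`) only ever issues `bridge link set dev $iface isolated on`; nothing in the patch clears the flag. If `tap_plug` can be reached for an interface that already exists and `isolation` is now unset, the port stays isolated, so either state in a comment that callers always hand over a freshly created device, or add an `isolated off` path and run it when `$isolation` is false. The helper itself follows the shape of the neighbouring `$bridge_disable_interface_learning` (eval around `run_command`, `die` with `$@`), which is fine.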
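Review bot: `$isolation` becomes the sixth positional argument of `$create_firewall_bridge_linux` (hunk at `@@ -418,7 +425,7 @@`), right after `$no_learning`; with two adjacent booleans a swapped call is easy to miss at the call site in `tap_plug`, so a hash of options, or at least a comment naming the parameter order, would help. The choice of port in the following hunk is correct: `isolated on` goes on `$vethfwpeer`, the end of the veth pair that sits on the shared `$bridge`, which is where this VM has to be separated from the other isolated ports.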
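Review bot: in the `tap_plug` hunk at `@@ -492,6 +500,7 @@`, `$isolation` is read straight from `$opts->{isolation}` with no bridge-level default, while `learning` a few lines above falls back to the bridge's `bridge-disable-mac-learning` setting when the caller passes nothing. If a per-bridge default for isolation is intended (every port on such a bridge isolated regardless of the guest config), this is the place for it; if isolation is meant to be strictly per port, a one-line comment saying so would pre-empt the question. The new `isolation` key is also not described anywhere in this file; a note on the accepted `$opts` keys near `tap_plug` would be useful.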
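Review bot: in the firewall case the flag is set twice: once on `$vethfwpeer` inside `$create_firewall_bridge_linux`, and again on `$iface` by the new unconditional line after the `if ($no_learning)` block (hunk at `@@ -520,6 +529,7 @@`). `$iface` is attached to the per-VM `$fwbr`, whose other port `$vethfw` is not isolated, so the second call is harmless but does nothing for that path; guarding it with `unless $firewall`, or a comment saying it serves the non-firewall branch, would make the intent clear. The `else` branch that follows (`&$cleanup_firewall_bridge($iface); # remove stale devices`) receives no isolation handling at all, so a caller passing `isolation` for a bridge handled there gets neither isolation nor an error; a `warn` or `die` there would stop the option from being silently ignored.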