Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation - DERUMIER, Alexandre via pve-devel

From: "DERUMIER, Alexandre via pve-devel" <pve-devel@lists.proxmox.com>
To: "pve-devel@lists.proxmox.com" <pve-devel@lists.proxmox.com>,
	"s.hanreich@proxmox.com" <s.hanreich@proxmox.com>
Cc: "DERUMIER, Alexandre" <alexandre.derumier@groupe-cyllene.com>
Subject: Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
Date: Thu, 27 Jun 2024 16:23:56 +0000	[thread overview]
Message-ID: <mailman.157.1719505480.331.pve-devel@lists.proxmox.com> (raw)
In-Reply-To: <836e10df-a2d1-471a-8b03-1e5e77704103@proxmox.com>

[-- Attachment #1: Type: message/rfc822, Size: 15214 bytes --]

From: "DERUMIER, Alexandre" <alexandre.derumier@groupe-cyllene.com>
To: "pve-devel@lists.proxmox.com" <pve-devel@lists.proxmox.com>, "s.hanreich@proxmox.com" <s.hanreich@proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
Date: Thu, 27 Jun 2024 16:23:56 +0000
Message-ID: <50cea70295db16d50460c2d5c73d9f5ce0ce88e4.camel@groupe-cyllene.com>

Hi!

>>Hi! I gave this a quick test on my machine and everything worked
well.
>>Would we maybe want to expose this setting on the NIC level as well?

I don't think it can work, because a port not isolated, have access to
all other ports,including isolated ports.

"
isolated on or isolated off
Controls whether a given port will be isolated, which means it will be
able to communicate with non-isolated ports only. By default this flag
is off."

for example:
vm1: isolated
vm2: isolated
vm3: non isolated

vm1: can't access to vm2
vm2: can't access to vm1

vm3 have access to vm1 && vm2 isolated.  (but user is thinking that vm1
&& vm2 are secure).
and vm1/vm2 have access to vm3 too.

That's why I have done it at bridge/vnet level,  all or nothing.

The main usage is to have only 1 upstream port non isolated (traffic
coming from outside) 

>>Also I think 'Isolate Ports' or 'Port Isolation' would be the better
>>label, 'Ports Isolation' sounds a bit wrong to me.

I'll send a v2 with "Port Isolation"

Otherwise, consider this:

>>Tested-By: Stefan Hanreich <s.hanreich@proxmox.com>
>>Reviewed-By: Stefan Hanreich <s.hanreich@proxmox.com>

Thanks !

 4/25/24 16:43, Alexandre Derumier via pve-devel wrote:
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://antiphishing.vadesecure.com/v4?f=OGhLSzUzUW5ZSnhsUnB1Zwk-
> iBGgPyVY4TTNWFYEVcCg2sqZ42p4ld6uKOxcEXt1&i=enliNE9Ec0FwcDdnUXU4UdqsUW
> Q6P4MlGVBmGUhBgqg&k=qWGl&r=TnY3ZTF2Q2plM1daMndLWY2hdyEItuD5-
> BacJIgJqvZ3qD1cLHhtTB2x5DvZF4UIAZISGlCJrAF01C9VxKgOjg&s=926df6762a5f8
> 47592379de9a2d61dc8a3bf0ade01884ae3830a7e63f216d753&u=https%3A%2F%2Fl
> ists.proxmox.com%2Fcgi-bin%2Fmailman%2Flistinfo%2Fpve-devel

[-- Attachment #2: Type: text/plain, Size: 160 bytes --]

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel