public inbox for pve-devel@lists.proxmox.com
* [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
@ 2024-04-25 14:43 Alexandre Derumier via pve-devel
  2024-06-17  7:17 ` DERUMIER, Alexandre via pve-devel
  2024-06-27 16:14 ` Stefan Hanreich
  0 siblings, 2 replies; 6+ messages in thread
From: Alexandre Derumier via pve-devel @ 2024-04-25 14:43 UTC (permalink / raw)
  To: pve-devel; +Cc: Alexandre Derumier

[-- Attachment #1: Type: message/rfc822, Size: 3148 bytes --]

From: Alexandre Derumier <alexandre.derumier@groupe-cyllene.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
Date: Thu, 25 Apr 2024 16:43:49 +0200
Message-ID: <20240425144352.3454063-1-alexandre.derumier@groupe-cyllene.com>

This patch series adds support for sdn vnet bridge ports isolation.


pve-network:

Alexandre Derumier (1):
  vnets : add ports isolation

 src/PVE/Network/SDN/VnetPlugin.pm   | 5 +++++
 src/PVE/Network/SDN/Zones/Plugin.pm | 1 +
 2 files changed, 6 insertions(+)

pve-common:

Alexandre Derumier (1):
  tap_plug: add support for bridge port isolation

 src/PVE/Network.pm | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

pve-manager:

Alexandre Derumier (1):
  sdn: vnet: add ports-isolation option.

 www/manager6/sdn/VnetEdit.js | 12 ++++++++++++
 1 file changed, 12 insertions(+)

-- 
2.39.2



[-- Attachment #2: Type: text/plain, Size: 160 bytes --]

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
  2024-04-25 14:43 [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation Alexandre Derumier via pve-devel
@ 2024-06-17  7:17 ` DERUMIER, Alexandre via pve-devel
  2024-06-27 16:14 ` Stefan Hanreich
  1 sibling, 0 replies; 6+ messages in thread
From: DERUMIER, Alexandre via pve-devel @ 2024-06-17  7:17 UTC (permalink / raw)
  To: pve-devel; +Cc: DERUMIER, Alexandre

[-- Attachment #1: Type: message/rfc822, Size: 14316 bytes --]

From: "DERUMIER, Alexandre" <alexandre.derumier@groupe-cyllene.com>
To: "pve-devel@lists.proxmox.com" <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
Date: Mon, 17 Jun 2024 07:17:22 +0000
Message-ID: <9839f17baf668312750e05fe5d98ef6e33091258.camel@groupe-cyllene.com>

Hi,

Would it be possible to apply this patch series? (or a review if it
needs cleanup)

(I see a lot of users requesting it)

Thanks !

Alexandre



BTW: I'm a little bit off currently, I'm working on vm luks encryption,
I'll send a patch series soon.



-------- Original message --------
From: Alexandre Derumier via pve-devel <pve-devel@lists.proxmox.com>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
To: pve-devel@lists.proxmox.com
Cc: Alexandre Derumier <alexandre.derumier@groupe-cyllene.com>
Subject: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300
: sdn: add bridge ports isolation
Date: 25/04/2024 16:43:49


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
  2024-04-25 14:43 [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation Alexandre Derumier via pve-devel
  2024-06-17  7:17 ` DERUMIER, Alexandre via pve-devel
@ 2024-06-27 16:14 ` Stefan Hanreich
  2024-06-27 16:23   ` DERUMIER, Alexandre via pve-devel
       [not found]   ` <50cea70295db16d50460c2d5c73d9f5ce0ce88e4.camel@groupe-cyllene.com>
  1 sibling, 2 replies; 6+ messages in thread
From: Stefan Hanreich @ 2024-06-27 16:14 UTC (permalink / raw)
  To: Proxmox VE development discussion

Hi! I gave this a quick test on my machine and everything worked well.
Would we maybe want to expose this setting on the NIC level as well?

Also I think 'Isolate Ports' or 'Port Isolation' would be the better
label, 'Ports Isolation' sounds a bit wrong to me.

Otherwise, consider this:

Tested-By: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-By: Stefan Hanreich <s.hanreich@proxmox.com>



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
  2024-06-27 16:14 ` Stefan Hanreich
@ 2024-06-27 16:23   ` DERUMIER, Alexandre via pve-devel
       [not found]   ` <50cea70295db16d50460c2d5c73d9f5ce0ce88e4.camel@groupe-cyllene.com>
  1 sibling, 0 replies; 6+ messages in thread
From: DERUMIER, Alexandre via pve-devel @ 2024-06-27 16:23 UTC (permalink / raw)
  To: pve-devel, s.hanreich; +Cc: DERUMIER, Alexandre

[-- Attachment #1: Type: message/rfc822, Size: 15214 bytes --]

From: "DERUMIER, Alexandre" <alexandre.derumier@groupe-cyllene.com>
To: "pve-devel@lists.proxmox.com" <pve-devel@lists.proxmox.com>, "s.hanreich@proxmox.com" <s.hanreich@proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
Date: Thu, 27 Jun 2024 16:23:56 +0000
Message-ID: <50cea70295db16d50460c2d5c73d9f5ce0ce88e4.camel@groupe-cyllene.com>

Hi!


>>Hi! I gave this a quick test on my machine and everything worked
>>well.
>>Would we maybe want to expose this setting on the NIC level as well?

I don't think it can work, because a non-isolated port has access to
all other ports, including isolated ports.


"
isolated on or isolated off
Controls whether a given port will be isolated, which means it will be
able to communicate with non-isolated ports only. By default this flag
is off."


for example:
vm1: isolated
vm2: isolated
vm3: non isolated


vm1: can't access vm2
vm2: can't access vm1

vm3 has access to the isolated vm1 && vm2 (but the user is thinking that vm1
&& vm2 are secure),
and vm1/vm2 have access to vm3 too.


That's why I have done it at bridge/vnet level,  all or nothing.

The main usage is to have only 1 upstream port non isolated (traffic
coming from outside) 


>>Also I think 'Isolate Ports' or 'Port Isolation' would be the better
>>label, 'Ports Isolation' sounds a bit wrong to me.

I'll send a v2 with "Port Isolation"



>>Otherwise, consider this:

>>Tested-By: Stefan Hanreich <s.hanreich@proxmox.com>
>>Reviewed-By: Stefan Hanreich <s.hanreich@proxmox.com>

Thanks !


^ permalink raw reply	[flat|nested] 6+ messages in thread
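
The all-or-nothing argument in the message above can be checked on a host: any bridge port other than the upstream port that is left non-isolated can reach every isolated guest. The following is an added example, not part of the thread or of the patch series; it assumes the input has the layout printed by `bridge -d link show` (a header line per port containing `master <bridge>`, followed by detail lines containing `isolated on|off`), and the interface names and sample text are constructed.

```sh
#!/bin/sh
# Added example: list ports of a bridge that are NOT isolated.
# stdin: text laid out like `bridge -d link show` output (assumption).
# $1 = bridge/vnet name, $2 = the one port allowed to stay non-isolated.
non_isolated_ports() {
    awk -v br="$1" -v uplink="$2" '
        # Port header: "<ifindex>: <name>: <FLAGS> ... master <bridge> ..."
        /^[0-9]+:/ {
            flush()
            port = $2; sub(/:$/, "", port); sub(/@.*/, "", port)
            master = ""; iso = "off"      # the flag is off by default
            for (i = 3; i < NF; i++) if ($i == "master") master = $(i + 1)
            next
        }
        # Detail lines carry "isolated on|off" among the other port flags.
        { for (i = 1; i < NF; i++) if ($i == "isolated") iso = $(i + 1) }
        END { flush() }
        function flush() {
            if (port != "" && master == br && port != uplink && iso != "on")
                print port
            port = ""
        }
    '
}

# Constructed sample input (not captured from a real host): eno1 is the
# upstream port, tap101i0/tap102i0 play vm1/vm2, tap103i0 plays vm3.
sample_bridge_output() {
    cat <<'EOF'
4: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master vnet1 state forwarding priority 32 cost 100
    hairpin off guard off learning on flood on isolated off
7: tap101i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 master vnet1 state forwarding priority 32 cost 2
    hairpin off guard off learning on flood on isolated on
8: tap102i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 master vnet1 state forwarding priority 32 cost 2
    hairpin off guard off learning on flood on isolated on
9: tap103i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 master vnet1 state forwarding priority 32 cost 2
    hairpin off guard off learning on flood on isolated off
10: tap200i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 master vmbr0 state forwarding priority 32 cost 2
    hairpin off guard off learning on flood on isolated off
EOF
}

# Ports on vnet1, apart from the uplink, that bypass isolation.
sample_bridge_output | non_isolated_ports vnet1 eno1
```

On a live host the same function would be fed with `bridge -d link show | non_isolated_ports <vnet> <uplink>`; an empty result means only the upstream port is non-isolated.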

* Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
       [not found]   ` <50cea70295db16d50460c2d5c73d9f5ce0ce88e4.camel@groupe-cyllene.com>
@ 2024-06-27 16:31     ` Stefan Hanreich
  2024-10-25  5:22     ` DERUMIER, Alexandre via pve-devel
  1 sibling, 0 replies; 6+ messages in thread
From: Stefan Hanreich @ 2024-06-27 16:31 UTC (permalink / raw)
  To: DERUMIER, Alexandre, pve-devel



On 6/27/24 18:23, DERUMIER, Alexandre wrote:
> isolated on or isolated off
> Controls whether a given port will be isolated, which means it will be
> able to communicate with non-isolated ports only. By default this flag
> is off."

Yeah, makes sense this way. I thought since one can set this on a
per-port basis it might make sense to expose it as such but there's
probably not a lot of use cases for that.




^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
       [not found]   ` <50cea70295db16d50460c2d5c73d9f5ce0ce88e4.camel@groupe-cyllene.com>
  2024-06-27 16:31     ` Stefan Hanreich
@ 2024-10-25  5:22     ` DERUMIER, Alexandre via pve-devel
  1 sibling, 0 replies; 6+ messages in thread
From: DERUMIER, Alexandre via pve-devel @ 2024-10-25  5:22 UTC (permalink / raw)
  To: pve-devel, s.hanreich; +Cc: DERUMIER, Alexandre

[-- Attachment #1: Type: message/rfc822, Size: 15024 bytes --]

From: "DERUMIER, Alexandre" <alexandre.derumier@groupe-cyllene.com>
To: "pve-devel@lists.proxmox.com" <pve-devel@lists.proxmox.com>, "s.hanreich@proxmox.com" <s.hanreich@proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
Date: Fri, 25 Oct 2024 05:22:42 +0000
Message-ID: <09c3b514ea9904f26c970847f2c1b3a0f78b6ebc.camel@groupe-cyllene.com>

Hi,

Any news about this patch series?

I think it's still not applied? (I see a lot of requests about it on
the forum and on the bugzilla)

Regards,

Alexandre


-------- Original message --------
From: "DERUMIER, Alexandre" <alexandre.derumier@groupe-cyllene.com>
To: pve-devel@lists.proxmox.com <pve-devel@lists.proxmox.com>,
s.hanreich@proxmox.com <s.hanreich@proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix
#4300 : sdn: add bridge ports isolation
Date: 27/06/2024 18:23:56


^ permalink raw reply	[flat|nested] 6+ messages in thread
