* [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
@ 2024-04-25 14:43 Alexandre Derumier via pve-devel
2024-06-17 7:17 ` DERUMIER, Alexandre via pve-devel
2024-06-27 16:14 ` Stefan Hanreich
0 siblings, 2 replies; 6+ messages in thread
From: Alexandre Derumier via pve-devel @ 2024-04-25 14:43 UTC (permalink / raw)
To: pve-devel; +Cc: Alexandre Derumier
[-- Attachment #1: Type: message/rfc822, Size: 3148 bytes --]
From: Alexandre Derumier <alexandre.derumier@groupe-cyllene.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
Date: Thu, 25 Apr 2024 16:43:49 +0200
Message-ID: <20240425144352.3454063-1-alexandre.derumier@groupe-cyllene.com>
This patches series add support for sdn vnet bridge ports isolation
pve-network:
Alexandre Derumier (1):
vnets : add ports isolation
src/PVE/Network/SDN/VnetPlugin.pm | 5 +++++
src/PVE/Network/SDN/Zones/Plugin.pm | 1 +
2 files changed, 6 insertions(+)
pve-common:
Alexandre Derumier (1):
tap_plug: add support for bridge port isolation
src/PVE/Network.pm | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
pve-manager:
Alexandre Derumier (1):
sdn: vnet: add ports-isolation option.
www/manager6/sdn/VnetEdit.js | 12 ++++++++++++
1 file changed, 12 insertions(+)
--
2.39.2
[-- Attachment #2: Type: text/plain, Size: 160 bytes --]
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
2024-04-25 14:43 [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation Alexandre Derumier via pve-devel
@ 2024-06-17 7:17 ` DERUMIER, Alexandre via pve-devel
2024-06-27 16:14 ` Stefan Hanreich
1 sibling, 0 replies; 6+ messages in thread
From: DERUMIER, Alexandre via pve-devel @ 2024-06-17 7:17 UTC (permalink / raw)
To: pve-devel; +Cc: DERUMIER, Alexandre
[-- Attachment #1: Type: message/rfc822, Size: 14316 bytes --]
From: "DERUMIER, Alexandre" <alexandre.derumier@groupe-cyllene.com>
To: "pve-devel@lists.proxmox.com" <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
Date: Mon, 17 Jun 2024 07:17:22 +0000
Message-ID: <9839f17baf668312750e05fe5d98ef6e33091258.camel@groupe-cyllene.com>
Hi,
Could it be possible to apply this patch series ? (or a review if it
need cleanup)
(I see a lot of users requesting for it)
Thanks !
Alexandre
BTW: I'm a little bit off currently, I'm working on vm luks encryption,
I'll send a patch series soon.
-------- Message initial --------
De: Alexandre Derumier via pve-devel <pve-devel@lists.proxmox.com>
Répondre à: Proxmox VE development discussion <pve-
devel@lists.proxmox.com>
À: pve-devel@lists.proxmox.com
Cc: Alexandre Derumier <alexandre.derumier@groupe-cyllene.com>
Objet: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300
: sdn: add bridge ports isolation
Date: 25/04/2024 16:43:49
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://antiphishing.vadesecure.com/v4?f=VmNQMmJDQ0hHaTA5alRDNCL_-
44OVmltABzQ0e1bsd_7nWEkVLittYcyfccG6u8cOJvYIK6lE_k8ITzm9r5Y0w&i=b3diUTZ
GTG5ZeGdnYUVUQe4vRf_vVqdECnbwLkyrFZw&k=Znx7&r=bk1HS29PWk1VdElEOTBqVJN5E
Bt4nYRlpeAVR4dNFSi2ANtRVfOliSTesgTyCcqX&s=fe3a09b7f9bf32322c85f6afdc8c0
1b6abb91b27481a5fba19d2edfa8041cfc0&u=https%3A%2F%2Flists.proxmox.com%2
Fcgi-bin%2Fmailman%2Flistinfo%2Fpve-devel
[-- Attachment #2: Type: text/plain, Size: 160 bytes --]
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
2024-04-25 14:43 [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation Alexandre Derumier via pve-devel
2024-06-17 7:17 ` DERUMIER, Alexandre via pve-devel
@ 2024-06-27 16:14 ` Stefan Hanreich
2024-06-27 16:23 ` DERUMIER, Alexandre via pve-devel
[not found] ` <50cea70295db16d50460c2d5c73d9f5ce0ce88e4.camel@groupe-cyllene.com>
1 sibling, 2 replies; 6+ messages in thread
From: Stefan Hanreich @ 2024-06-27 16:14 UTC (permalink / raw)
To: Proxmox VE development discussion
Hi! I gave this a quick test on my machine and everything worked well.
Would we maybe want to expose this setting on the NIC level as well?
Also I think 'Isolate Ports' or 'Port Isolation' would be the better
label, 'Ports Isolation' sounds a bit wrong to me.
Otherwise, consider this:
Tested-By: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-By: Stefan Hanreich <s.hanreich@proxmox.com>
4/25/24 16:43, Alexandre Derumier via pve-devel wrote:
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
2024-06-27 16:14 ` Stefan Hanreich
@ 2024-06-27 16:23 ` DERUMIER, Alexandre via pve-devel
[not found] ` <50cea70295db16d50460c2d5c73d9f5ce0ce88e4.camel@groupe-cyllene.com>
1 sibling, 0 replies; 6+ messages in thread
From: DERUMIER, Alexandre via pve-devel @ 2024-06-27 16:23 UTC (permalink / raw)
To: pve-devel, s.hanreich; +Cc: DERUMIER, Alexandre
[-- Attachment #1: Type: message/rfc822, Size: 15214 bytes --]
From: "DERUMIER, Alexandre" <alexandre.derumier@groupe-cyllene.com>
To: "pve-devel@lists.proxmox.com" <pve-devel@lists.proxmox.com>, "s.hanreich@proxmox.com" <s.hanreich@proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
Date: Thu, 27 Jun 2024 16:23:56 +0000
Message-ID: <50cea70295db16d50460c2d5c73d9f5ce0ce88e4.camel@groupe-cyllene.com>
Hi!
>>Hi! I gave this a quick test on my machine and everything worked
well.
>>Would we maybe want to expose this setting on the NIC level as well?
I don't think it can work, because a port not isolated, have access to
all other ports,including isolated ports.
"
isolated on or isolated off
Controls whether a given port will be isolated, which means it will be
able to communicate with non-isolated ports only. By default this flag
is off."
for example:
vm1: isolated
vm2: isolated
vm3: non isolated
vm1: can't access to vm2
vm2: can't access to vm1
vm3 have access to vm1 && vm2 isolated. (but user is thinking that vm1
&& vm2 are secure).
and vm1/vm2 have access to vm3 too.
That's why I have done it at bridge/vnet level, all or nothing.
The main usage is to have only 1 upstream port non isolated (traffic
coming from outside)
>>Also I think 'Isolate Ports' or 'Port Isolation' would be the better
>>label, 'Ports Isolation' sounds a bit wrong to me.
I'll send a v2 with "Port Isolation"
Otherwise, consider this:
>>Tested-By: Stefan Hanreich <s.hanreich@proxmox.com>
>>Reviewed-By: Stefan Hanreich <s.hanreich@proxmox.com>
Thanks !
4/25/24 16:43, Alexandre Derumier via pve-devel wrote:
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://antiphishing.vadesecure.com/v4?f=OGhLSzUzUW5ZSnhsUnB1Zwk-
> iBGgPyVY4TTNWFYEVcCg2sqZ42p4ld6uKOxcEXt1&i=enliNE9Ec0FwcDdnUXU4UdqsUW
> Q6P4MlGVBmGUhBgqg&k=qWGl&r=TnY3ZTF2Q2plM1daMndLWY2hdyEItuD5-
> BacJIgJqvZ3qD1cLHhtTB2x5DvZF4UIAZISGlCJrAF01C9VxKgOjg&s=926df6762a5f8
> 47592379de9a2d61dc8a3bf0ade01884ae3830a7e63f216d753&u=https%3A%2F%2Fl
> ists.proxmox.com%2Fcgi-bin%2Fmailman%2Flistinfo%2Fpve-devel
[-- Attachment #2: Type: text/plain, Size: 160 bytes --]
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
[not found] ` <50cea70295db16d50460c2d5c73d9f5ce0ce88e4.camel@groupe-cyllene.com>
@ 2024-06-27 16:31 ` Stefan Hanreich
2024-10-25 5:22 ` DERUMIER, Alexandre via pve-devel
1 sibling, 0 replies; 6+ messages in thread
From: Stefan Hanreich @ 2024-06-27 16:31 UTC (permalink / raw)
To: DERUMIER, Alexandre, pve-devel
On 6/27/24 18:23, DERUMIER, Alexandre wrote:
> isolated on or isolated off
> Controls whether a given port will be isolated, which means it will be
> able to communicate with non-isolated ports only. By default this flag
> is off."
Yeah, makes sense this way. I thought since one can set this on a
per-port basis it might make sense to expose it as such but there's
probably not a lot of use cases for that.
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
[not found] ` <50cea70295db16d50460c2d5c73d9f5ce0ce88e4.camel@groupe-cyllene.com>
2024-06-27 16:31 ` Stefan Hanreich
@ 2024-10-25 5:22 ` DERUMIER, Alexandre via pve-devel
1 sibling, 0 replies; 6+ messages in thread
From: DERUMIER, Alexandre via pve-devel @ 2024-10-25 5:22 UTC (permalink / raw)
To: pve-devel, s.hanreich; +Cc: DERUMIER, Alexandre
[-- Attachment #1: Type: message/rfc822, Size: 15024 bytes --]
From: "DERUMIER, Alexandre" <alexandre.derumier@groupe-cyllene.com>
To: "pve-devel@lists.proxmox.com" <pve-devel@lists.proxmox.com>, "s.hanreich@proxmox.com" <s.hanreich@proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation
Date: Fri, 25 Oct 2024 05:22:42 +0000
Message-ID: <09c3b514ea9904f26c970847f2c1b3a0f78b6ebc.camel@groupe-cyllene.com>
Hi,
any news about this patch series ?
I think it's still not applied ? (I see a lot of request about it on
the forum and on the bugzilla)
Regards,
Alexandre
-------- Message initial --------
De: "DERUMIER, Alexandre" <alexandre.derumier@groupe-cyllene.com>
À: pve-devel@lists.proxmox.com <pve-devel@lists.proxmox.com>,
s.hanreich@proxmox.com <s.hanreich@proxmox.com>
Objet: Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix
#4300 : sdn: add bridge ports isolation
Date: 27/06/2024 18:23:56
Hi!
> > Hi! I gave this a quick test on my machine and everything worked
well.
> > Would we maybe want to expose this setting on the NIC level as
> > well?
I don't think it can work, because a port not isolated, have access to
all other ports,including isolated ports.
"
isolated on or isolated off
Controls whether a given port will be isolated, which means it will be
able to communicate with non-isolated ports only. By default this flag
is off."
for example:
vm1: isolated
vm2: isolated
vm3: non isolated
vm1: can't access to vm2
vm2: can't access to vm1
vm3 have access to vm1 && vm2 isolated. (but user is thinking that vm1
&& vm2 are secure).
and vm1/vm2 have access to vm3 too.
That's why I have done it at bridge/vnet level, all or nothing.
The main usage is to have only 1 upstream port non isolated (traffic
coming from outside)
> > Also I think 'Isolate Ports' or 'Port Isolation' would be the
> > better
> > label, 'Ports Isolation' sounds a bit wrong to me.
I'll send a v2 with "Port Isolation"
Otherwise, consider this:
> > Tested-By: Stefan Hanreich <s.hanreich@proxmox.com>
> > Reviewed-By: Stefan Hanreich <s.hanreich@proxmox.com>
Thanks !
4/25/24 16:43, Alexandre Derumier via pve-devel wrote:
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://antiphishing.vadesecure.com/v4?f=OGhLSzUzUW5ZSnhsUnB1Zwk-
> iBGgPyVY4TTNWFYEVcCg2sqZ42p4ld6uKOxcEXt1&i=enliNE9Ec0FwcDdnUXU4UdqsUW
> Q6P4MlGVBmGUhBgqg&k=qWGl&r=TnY3ZTF2Q2plM1daMndLWY2hdyEItuD5-
> BacJIgJqvZ3qD1cLHhtTB2x5DvZF4UIAZISGlCJrAF01C9VxKgOjg&s=926df6762a5f8
> 47592379de9a2d61dc8a3bf0ade01884ae3830a7e63f216d753&u=https%3A%2F%2Fl
> ists.proxmox.com%2Fcgi-bin%2Fmailman%2Flistinfo%2Fpve-devel
[-- Attachment #2: Type: text/plain, Size: 160 bytes --]
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2024-10-25 5:23 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-04-25 14:43 [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation Alexandre Derumier via pve-devel
2024-06-17 7:17 ` DERUMIER, Alexandre via pve-devel
2024-06-27 16:14 ` Stefan Hanreich
2024-06-27 16:23 ` DERUMIER, Alexandre via pve-devel
[not found] ` <50cea70295db16d50460c2d5c73d9f5ce0ce88e4.camel@groupe-cyllene.com>
2024-06-27 16:31 ` Stefan Hanreich
2024-10-25 5:22 ` DERUMIER, Alexandre via pve-devel
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox