From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id CDB8720EC88
	for <inbox@lore.proxmox.com>; Thu, 25 Apr 2024 16:43:59 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id D92321D250;
	Thu, 25 Apr 2024 16:44:03 +0200 (CEST)
To: pve-devel@lists.proxmox.com
Date: Thu, 25 Apr 2024 16:43:51 +0200
In-Reply-To: <20240425144352.3454063-1-alexandre.derumier@groupe-cyllene.com>
References: <20240425144352.3454063-1-alexandre.derumier@groupe-cyllene.com>
MIME-Version: 1.0
Message-ID: <mailman.995.1714056243.450.pve-devel@lists.proxmox.com>
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Post: <mailto:pve-devel@lists.proxmox.com>
From: Alexandre Derumier via pve-devel <pve-devel@lists.proxmox.com>
Precedence: list
Cc: Alexandre Derumier <alexandre.derumier@groupe-cyllene.com>
X-Mailman-Version: 2.1.29
X-BeenThere: pve-devel@lists.proxmox.com
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
Subject: [pve-devel] [PATCH pve-common 1/1] tap_plug: add support for bridge
 port isolation
Content-Type: multipart/mixed; boundary="===============0736092878124680394=="
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>

--===============0736092878124680394==
Content-Type: message/rfc822
Content-Disposition: inline

Return-Path: <root@formationkvm1.odiso.net>
X-Original-To: pve-devel@lists.proxmox.com
Delivered-To: pve-devel@lists.proxmox.com
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits))
	(No client certificate requested)
	by lists.proxmox.com (Postfix) with ESMTPS id 790F99DD04
	for <pve-devel@lists.proxmox.com>; Thu, 25 Apr 2024 16:44:02 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 4F9921D1F9
	for <pve-devel@lists.proxmox.com>; Thu, 25 Apr 2024 16:44:02 +0200 (CEST)
Received: from bastiontest.odiso.net (unknown [185.151.190.228])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by firstgate.proxmox.com (Proxmox) with ESMTPS
	for <pve-devel@lists.proxmox.com>; Thu, 25 Apr 2024 16:44:01 +0200 (CEST)
Received: from formationkvm1.odiso.net (unknown [10.11.201.57])
	by bastiontest.odiso.net (Postfix) with ESMTP id 63CD2855738;
	Thu, 25 Apr 2024 16:43:54 +0200 (CEST)
Received: by formationkvm1.odiso.net (Postfix, from userid 0)
	id 76F3711284FB; Thu, 25 Apr 2024 16:43:53 +0200 (CEST)
From: Alexandre Derumier <alexandre.derumier@groupe-cyllene.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-common 1/1] tap_plug: add support for bridge port isolation
Date: Thu, 25 Apr 2024 16:43:51 +0200
Message-Id: <20240425144352.3454063-3-alexandre.derumier@groupe-cyllene.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20240425144352.3454063-1-alexandre.derumier@groupe-cyllene.com>
References: <20240425144352.3454063-1-alexandre.derumier@groupe-cyllene.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results:  0
	BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
	DMARC_NONE                0.1 DMARC none policy
	HEADER_FROM_DIFFERENT_DOMAINS  0.249 From and EnvelopeFrom 2nd level mail domains are different
	KAM_DMARC_NONE           0.25 DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
	KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
	KAM_LAZY_DOMAIN_SECURITY      1 Sending domain does not have any anti-forgery methods
	RDNS_NONE               0.793 Delivered to internal network by a host with no rDNS
	SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
	SPF_NONE                0.001 SPF: sender does not publish an SPF Record

This is allow to block traffic/isolation traffic between all ports
on the bridge with isolation (so between the vms), ans still allow
incoming traffic from uplink.

Signed-off-by: Alexandre Derumier <alexandre.derumier@groupe-cyllene.com>
---
 src/PVE/Network.pm | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Network.pm b/src/PVE/Network.pm
index a4f5ba9..6654ea1 100644
--- a/src/PVE/Network.pm
+++ b/src/PVE/Network.pm
@@ -218,6 +218,13 @@ sub disable_ipv6 {
     return;
 }
 
+my $bridge_enable_port_isolation = sub {
+   my ($iface) = @_;
+
+   eval { run_command(['/sbin/bridge', 'link', 'set', 'dev', $iface, 'isolated', 'on']) };
+   die "unable to enable port isolation on interface $iface - $@\n" if $@;
+};
+
 my $bridge_disable_interface_learning = sub {
     my ($iface) = @_;
 
@@ -394,7 +401,7 @@ sub veth_delete {
 }
 
 my $create_firewall_bridge_linux = sub {
-    my ($iface, $bridge, $tag, $trunks, $no_learning) = @_;
+    my ($iface, $bridge, $tag, $trunks, $no_learning, $isolation) = @_;
 
     my ($vmid, $devid) = &$parse_tap_device_name($iface);
     my ($fwbr, $vethfw, $vethfwpeer) = &$compute_fwbr_names($vmid, $devid);
@@ -409,6 +416,7 @@ my $create_firewall_bridge_linux = sub {
 
     &$bridge_add_interface($bridge, $vethfwpeer, $tag, $trunks);
     &$bridge_disable_interface_learning($vethfwpeer) if $no_learning;
+    $bridge_enable_port_isolation->($vethfwpeer) if $isolation;
     &$bridge_add_interface($fwbr, $vethfw);
 
     &$bridge_add_interface($fwbr, $iface);
@@ -468,6 +476,7 @@ sub tap_plug {
 	$opts->{learning} = !($bridge && $bridge->{'bridge-disable-mac-learning'}); # default learning to on
     }
     my $no_learning = !$opts->{learning};
+    my $isolation = $opts->{isolation};
 
     # cleanup old port config from any openvswitch bridge
     eval {
@@ -488,7 +497,7 @@ sub tap_plug {
 	}
 
 	if ($firewall) {
-	    &$create_firewall_bridge_linux($iface, $bridge, $tag, $trunks, $no_learning);
+	    &$create_firewall_bridge_linux($iface, $bridge, $tag, $trunks, $no_learning, $isolation);
 	} else {
 	    &$bridge_add_interface($bridge, $iface, $tag, $trunks);
 	}
@@ -496,6 +505,7 @@ sub tap_plug {
 	    $bridge_disable_interface_learning->($iface);
 	    add_bridge_fdb($iface, $opts->{mac}) if defined($opts->{mac});
 	}
+	$bridge_enable_port_isolation->($iface) if $isolation;
 
     } else {
 	&$cleanup_firewall_bridge($iface); # remove stale devices
-- 
2.39.2



--===============0736092878124680394==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

--===============0736092878124680394==--