* [pve-devel] [PATCH pve-manager 1/1] sdn: vnet: add ports-isolation option.
From: Alexandre Derumier via pve-devel @ 2024-04-25 14:43 UTC (permalink / raw)
  To: pve-devel; +Cc: Alexandre Derumier


From: Alexandre Derumier <alexandre.derumier@groupe-cyllene.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-manager 1/1] sdn: vnet: add ports-isolation option.
Date: Thu, 25 Apr 2024 16:43:50 +0200
Message-ID: <20240425144352.3454063-2-alexandre.derumier@groupe-cyllene.com>

Also move the vlan-aware option into the advanced section.

Signed-off-by: Alexandre Derumier <alexandre.derumier@groupe-cyllene.com>
---
 www/manager6/sdn/VnetEdit.js | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/www/manager6/sdn/VnetEdit.js b/www/manager6/sdn/VnetEdit.js
index cdd83ed4..a00f83e6 100644
--- a/www/manager6/sdn/VnetEdit.js
+++ b/www/manager6/sdn/VnetEdit.js
@@ -52,6 +52,18 @@ Ext.define('PVE.sdn.VnetInputPanel', {
 		deleteEmpty: "{!isCreate}",
 	    },
 	},
+    ],
+    advancedItems: [
+	{
+	    xtype: 'proxmoxcheckbox',
+	    name: 'ports-isolation',
+	    uncheckedValue: null,
+	    checked: false,
+	    fieldLabel: gettext('Ports Isolation'),
+	    cbind: {
+		deleteEmpty: "{!isCreate}",
+	    },
+	},
 	{
 	    xtype: 'proxmoxcheckbox',
 	    name: 'vlanaware',
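Review bot: The new `ports-isolation` checkbox carries only the label "Ports Isolation", which does not tell the user what the option actually does; the companion pve-common/pve-network patches describe it as dropping traffic between VM ports on the bridge while still allowing traffic from the uplink. A tooltip on the checkbox, e.g. `autoEl: { tag: 'div', 'data-qtip': gettext('Drop traffic between VM ports on this VNet; traffic to non-isolated ports such as the uplink is still allowed.') }`, would make the setting self-explanatory in the dialog. The option is also placed under `advancedItems`, so it is hidden by default; given that it changes the traffic boundary between guests, that seems appropriate, but the label should then read the same as the API field's description. The enclosing `items`/`advancedItems` definitions extend beyond this hunk.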
-- 
2.39.2




* [pve-devel] [PATCH pve-common 1/1] tap_plug: add support for bridge port isolation
From: Alexandre Derumier via pve-devel @ 2024-04-25 14:43 UTC (permalink / raw)
  To: pve-devel; +Cc: Alexandre Derumier


From: Alexandre Derumier <alexandre.derumier@groupe-cyllene.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-common 1/1] tap_plug: add support for bridge port isolation
Date: Thu, 25 Apr 2024 16:43:51 +0200
Message-ID: <20240425144352.3454063-3-alexandre.derumier@groupe-cyllene.com>

This allows blocking/isolating traffic between all ports on the bridge that have isolation enabled (i.e. between the VMs), while still allowing incoming traffic from the uplink.

Signed-off-by: Alexandre Derumier <alexandre.derumier@groupe-cyllene.com>
---
 src/PVE/Network.pm | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Network.pm b/src/PVE/Network.pm
index a4f5ba9..6654ea1 100644
--- a/src/PVE/Network.pm
+++ b/src/PVE/Network.pm
@@ -218,6 +218,13 @@ sub disable_ipv6 {
     return;
 }
 
+my $bridge_enable_port_isolation = sub {
+   my ($iface) = @_;
+
+   eval { run_command(['/sbin/bridge', 'link', 'set', 'dev', $iface, 'isolated', 'on']) };
+   die "unable to enable port isolation on interface $iface - $@\n" if $@;
+};
+
 my $bridge_disable_interface_learning = sub {
     my ($iface) = @_;
 
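Review bot: The new `$bridge_enable_port_isolation` helper is indented with three spaces, while the neighbouring `$bridge_disable_interface_learning` helper right below it uses four; realign it before merging. It would also help to state the semantics above the sub, since the name alone does not say what "isolated" means for a bridge port: `# isolated ports cannot forward to each other, but still exchange traffic with non-isolated ports (e.g. the uplink)`. Failing hard when `bridge link set ... isolated on` does not succeed is the right choice here: a VM silently starting without the isolation it was configured with would be worse than a failed start, so please keep the `die` rather than downgrading it to a warning.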
@@ -394,7 +401,7 @@ sub veth_delete {
 }
 
 my $create_firewall_bridge_linux = sub {
-    my ($iface, $bridge, $tag, $trunks, $no_learning) = @_;
+    my ($iface, $bridge, $tag, $trunks, $no_learning, $isolation) = @_;
 
     my ($vmid, $devid) = &$parse_tap_device_name($iface);
     my ($fwbr, $vethfw, $vethfwpeer) = &$compute_fwbr_names($vmid, $devid);
@@ -409,6 +416,7 @@ my $create_firewall_bridge_linux = sub {
 
     &$bridge_add_interface($bridge, $vethfwpeer, $tag, $trunks);
     &$bridge_disable_interface_learning($vethfwpeer) if $no_learning;
+    $bridge_enable_port_isolation->($vethfwpeer) if $isolation;
     &$bridge_add_interface($fwbr, $vethfw);
 
     &$bridge_add_interface($fwbr, $iface);
@@ -468,6 +476,7 @@ sub tap_plug {
 	$opts->{learning} = !($bridge && $bridge->{'bridge-disable-mac-learning'}); # default learning to on
     }
     my $no_learning = !$opts->{learning};
+    my $isolation = $opts->{isolation};
 
     # cleanup old port config from any openvswitch bridge
     eval {
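Review bot: The new `isolation` key is read from `$opts` without any note on its meaning or default, unlike `learning` a few lines above, which gets an explicit default and a trailing comment. A one-line comment such as `my $isolation = $opts->{isolation}; # set bridge port isolation on the VM port (off unless requested)` would keep the two options documented the same way. As far as visible here the value is only used as a boolean, so an undef/absent key safely means "not isolated". tap_plug's body starts before and continues after this hunk.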
@@ -488,7 +497,7 @@ sub tap_plug {
 	}
 
 	if ($firewall) {
-	    &$create_firewall_bridge_linux($iface, $bridge, $tag, $trunks, $no_learning);
+	    &$create_firewall_bridge_linux($iface, $bridge, $tag, $trunks, $no_learning, $isolation);
 	} else {
 	    &$bridge_add_interface($bridge, $iface, $tag, $trunks);
 	}
@@ -496,6 +505,7 @@ sub tap_plug {
 	    $bridge_disable_interface_learning->($iface);
 	    add_bridge_fdb($iface, $opts->{mac}) if defined($opts->{mac});
 	}
+	$bridge_enable_port_isolation->($iface) if $isolation;
 
     } else {
 	&$cleanup_firewall_bridge($iface); # remove stale devices
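Review bot: `$bridge_enable_port_isolation->($iface) if $isolation;` also runs in the firewall case, where `$iface` is a port of the per-VM fwbr rather than of `$bridge` (the earlier hunk in `$create_firewall_bridge_linux` already isolates `$vethfwpeer` on `$bridge` for that case). Isolating one of the fwbr's two ports while the other stays non-isolated has no effect on its own, so this looks redundant rather than harmful, but guarding it with `$bridge_enable_port_isolation->($iface) if $isolation && !$firewall;` would make the intent explicit and avoid an extra `bridge` invocation per plug. The enclosing if/else that selects the Linux-bridge path starts before this hunk, so this reading should be confirmed against the full function.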
-- 
2.39.2




* [pve-devel] [PATCH pve-network 1/1] vnets : add ports isolation
From: Alexandre Derumier via pve-devel @ 2024-04-25 14:43 UTC (permalink / raw)
  To: pve-devel; +Cc: Alexandre Derumier


From: Alexandre Derumier <alexandre.derumier@groupe-cyllene.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-network 1/1] vnets : add ports isolation
Date: Thu, 25 Apr 2024 16:43:52 +0200
Message-ID: <20240425144352.3454063-4-alexandre.derumier@groupe-cyllene.com>

Add support for bridge ports isolation
https://github.com/torvalds/linux/commit/7d850abd5f4edb1b1ca4b4141a4453305736f564

This allows dropping traffic between all ports that have isolation enabled on the local bridge, while still allowing traffic with non-isolated ports.

Here, we isolate traffic between VMs but allow traffic coming from outside.

The main use case is layer-3 routed or NATed setups, but some users have requested it for layer-2/bridged networks with proxy ARP as well.
So we make it configurable at the vnet level.

Signed-off-by: Alexandre Derumier <alexandre.derumier@groupe-cyllene.com>
---
 src/PVE/Network/SDN/VnetPlugin.pm   | 5 +++++
 src/PVE/Network/SDN/Zones/Plugin.pm | 1 +
 2 files changed, 6 insertions(+)

diff --git a/src/PVE/Network/SDN/VnetPlugin.pm b/src/PVE/Network/SDN/VnetPlugin.pm
index 062904c..58e177b 100644
--- a/src/PVE/Network/SDN/VnetPlugin.pm
+++ b/src/PVE/Network/SDN/VnetPlugin.pm
@@ -72,6 +72,10 @@ sub properties {
             maxLength => 256,
 	    optional => 1,
         },
+	'ports-isolation' => {
+	    type => 'boolean',
+	    description => "Enable bridge ports isolation.",
+	}
     };
 }
 
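Review bot: The new `'ports-isolation'` property omits `optional => 1`, whereas the sibling property ending just above it (and the `options` entry added in the next hunk) declares it optional; keeping the schema entries consistent avoids relying on the `options` table alone. The description "Enable bridge ports isolation." also says nothing about the traffic effect, which is the part an administrator needs when deciding to turn it on; something like `description => "Isolate bridge ports: drop traffic between VM ports on this vnet, while still allowing traffic to non-isolated ports such as the uplink."` matches what the commit message states. Finally, the closing `}` of the new entry lacks the trailing comma the other entries carry, which will make the next addition a two-line diff.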
@@ -81,6 +85,7 @@ sub options {
         tag => { optional => 1},
         alias => { optional => 1 },
         vlanaware => { optional => 1 },
+	'ports-isolation' => { optional => 1 },
     };
 }
 
diff --git a/src/PVE/Network/SDN/Zones/Plugin.pm b/src/PVE/Network/SDN/Zones/Plugin.pm
index 26cc0da..dce7e57 100644
--- a/src/PVE/Network/SDN/Zones/Plugin.pm
+++ b/src/PVE/Network/SDN/Zones/Plugin.pm
@@ -236,6 +236,7 @@ sub tap_plug {
 
     my $opts = {};
     $opts->{learning} = 0 if $plugin_config->{'bridge-disable-mac-learning'};
+    $opts->{isolation} = 1 if $vnet->{'ports-isolation'};
     PVE::Network::tap_plug($iface, $vnetid, $tag, $firewall, $trunks, $rate, $opts);
 }
 
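Review bot: `$opts->{isolation} = 1 if $vnet->{'ports-isolation'};` is evaluated only when a tap device is plugged, so, as far as can be seen here, toggling `ports-isolation` on an existing vnet will not change the state of ports that are already attached until the corresponding NICs are re-plugged. A short comment would prevent a false sense of immediate effect: `# applied at plug time; ports already attached keep their current isolation state`. Note also that `learning` is derived from the zone config while `isolation` comes from the vnet, which is intentional per the commit message but worth a word in the same comment.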
-- 
2.39.2



