From: Alexandre Derumier
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH pve-network 1/1] vnets : add ports isolation
Date: Thu, 25 Apr 2024 16:43:52 +0200
Message-Id: <20240425144352.3454063-4-alexandre.derumier@groupe-cyllene.com>
In-Reply-To: <20240425144352.3454063-1-alexandre.derumier@groupe-cyllene.com>
References: <20240425144352.3454063-1-alexandre.derumier@groupe-cyllene.com>
X-Mailer: git-send-email 2.39.2
List-Id: Proxmox VE development discussion

Add support for bridge ports isolation
https://github.com/torvalds/linux/commit/7d850abd5f4edb1b1ca4b4141a4453305736f564

This allows dropping traffic between all ports having isolation enabled on the local bridge, but allows traffic with non-isolated ports.

Here, we isolate traffic between VMs but allow traffic coming from outside.

Main usage is for layer 3 routed or NATed setups, but some users have requested it for layer 2/bridge networks with proxy ARP.

So we can enable it at vnet level.

Signed-off-by: Alexandre Derumier
---
 src/PVE/Network/SDN/VnetPlugin.pm   | 5 +++++
 src/PVE/Network/SDN/Zones/Plugin.pm | 1 +
 2 files changed, 6 insertions(+)

diff --git a/src/PVE/Network/SDN/VnetPlugin.pm b/src/PVE/Network/SDN/VnetPlugin.pm
index 062904c..58e177b 100644
--- a/src/PVE/Network/SDN/VnetPlugin.pm
+++ b/src/PVE/Network/SDN/VnetPlugin.pm
@@ -72,6 +72,10 @@ sub properties { maxLength => 256, optional => 1, }, + 'ports-isolation' => { + type => 'boolean', + description => "Enable bridge ports isolation.", + } }; } @@ -81,6 +85,7 @@ sub options { tag => { optional => 1}, alias => { optional => 1 }, vlanaware => { optional => 1 }, + 'ports-isolation' => { optional => 1 }, }; } diff --git a/src/PVE/Network/SDN/Zones/Plugin.pm b/src/PVE/Network/SDN/Zones/Plugin.pm index 26cc0da..dce7e57 100644 --- a/src/PVE/Network/SDN/Zones/Plugin.pm +++ b/src/PVE/Network/SDN/Zones/Plugin.pm @@ -236,6 +236,7 @@ sub tap_plug { my $opts = {}; $opts->{learning} = 0 if $plugin_config->{'bridge-disable-mac-learning'}; + $opts->{isolation} = 1 if $vnet->{'ports-isolation'}; PVE::Network::tap_plug($iface, $vnetid, $tag, $firewall, $trunks, $rate, $opts); } -- 2.39.2 --===============6847137456116509601== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel --===============6847137456116509601==--
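Review bot: in the `sub properties` hunk of VnetPlugin.pm, the description of the new `'ports-isolation'` property ("Enable bridge ports isolation.") does not tell an API or GUI user what isolation means or what it does not cover; suggest spelling out the semantics the commit message already gives, e.g. `description => "Isolate the ports of this vnet: isolated ports cannot talk to each other, only to non-isolated ports such as the uplink."`, and adding `default => 0` so the schema documents the behaviour when the option is absent. Since the commit message states that only ports on the local bridge are affected, the description should also say that the isolation is per host, so VMs of the same vnet on different nodes are not isolated from each other by this flag alone.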
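Review bot: in the `sub tap_plug` hunk of Zones/Plugin.pm, `$opts->{isolation} = 1 if $vnet->{'ports-isolation'};` only ever sets the key and never clears it, so whether disabling `ports-isolation` on a vnet actually removes the flag from a re-plugged port depends on PVE::Network::tap_plug treating a missing key as "isolated off"; setting it unconditionally, `$opts->{isolation} = $vnet->{'ports-isolation'} ? 1 : 0;`, makes the intent explicit in both directions. The hunk also relies on an `isolation` option in PVE::Network::tap_plug (pve-common) that is not part of this pve-network patch; the commit message and the package dependency should name the pve-common version that provides it, otherwise the option is accepted and silently does nothing on a host with an older pve-common. Finally, the flag is applied only when tap_plug runs, so existing VM ports keep their current state until the VM's network device is re-plugged; that is worth a sentence in the description or the documentation.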
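As an added operator check (not part of this patch or of pve-network), the following script audits the ports of one VNet bridge against the policy the commit message describes: VM ports (tap*/veth*) must be isolated and the uplink must not be. It parses the text of `bridge -d link show`; a constructed sample is embedded so it runs offline, and the bridge name `myvnet` and all interface names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the patch or from pve-network. Audits one VNet
# bridge against the rule "VM ports isolated, uplink not isolated" using the
# output of `bridge -d link show`. Bridge and port names are assumptions.

# Constructed sample of `bridge -d link show`: iproute2 prints the per-port
# flags, including "isolated on|off", on an indented continuation line.
BRIDGE_LINK_OUTPUT='3: tap100i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master myvnet state forwarding priority 32 cost 2
    hairpin off guard off root_block off fastleave off learning off flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated on
4: tap101i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master myvnet state forwarding priority 32 cost 2
    hairpin off guard off root_block off fastleave off learning off flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master myvnet state forwarding priority 32 cost 4
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off
5: tap200i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master othervnet state forwarding priority 32 cost 2
    hairpin off guard off root_block off fastleave off learning off flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off'

# check_vnet_isolation BRIDGE OUTPUT
# Prints "not-isolated PORT" for each VM port of BRIDGE lacking "isolated on"
# and "uplink-isolated PORT" for each non-VM port that is isolated (which would
# cut the VMs off from the outside). Returns 1 if anything was printed, else 0.
check_vnet_isolation() {
    printf '%s\n' "$2" | awk -v br="$1" '
        # A numbered line starts a new port: remember its name and whether it
        # belongs to the bridge being audited.
        /^[0-9]+: / {
            port = $2; sub(/:$/, "", port); on_bridge = 0
            for (i = 1; i < NF; i++) if ($i == "master" && $(i + 1) == br) on_bridge = 1
        }
        # The line carrying the isolation state (flag line, or the port line
        # itself when the tool prints everything on one line).
        /isolated (on|off)/ && on_bridge {
            isolated = ($0 ~ /isolated on/)
            vm_port  = (port ~ /^(tap|veth)/)
            if (vm_port && !isolated)  { print "not-isolated " port;    bad = 1 }
            if (!vm_port && isolated)  { print "uplink-isolated " port; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Offline demonstration on the constructed sample; on a PVE node run instead:
#   check_vnet_isolation myvnet "$(bridge -d link show)"
check_vnet_isolation myvnet "$BRIDGE_LINK_OUTPUT" || echo "isolation policy violated on myvnet"
```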