[pve-devel] [PATCH pve-common v2 1/4] tap_plug: add support for bridge port isolation

Mon Nov 18 19:45:02 CET 2024

saw this when looking through our git repos and thought I'll give it a
spin (as afaict only the manager and docs-patches are not applied yet)

It works, and does what it says it does.

small suggestions for the docs-patch will be sent as reply to the
docs-patch directly.
w/ or w/o the doc-suggestions:
Reviewed-by: Stoiko Ivanov <s.ivanov at proxmox.com>
Tested-by: Stoiko Ivanov <s.ivanov at proxmox.com>

On Tue, 12 Nov 2024 16:54:22 +0100
Stefan Hanreich <s.hanreich at proxmox.com> wrote:

> From: Alexandre Derumier via pve-devel <pve-devel at lists.proxmox.com>
> 
> This is allow to block traffic/isolation traffic between all ports
> on the bridge with isolation (so between the vms), ans still allow
> incoming traffic from uplink.
> 
> Signed-off-by: Alexandre Derumier <alexandre.derumier at groupe-cyllene.com>
> Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
> ---
> Changes from v1 to v2:
> * rebased
> * Improved naming of parameters slightly
> * Improve description of parameters
> * Add short section to documentation
> 
>  src/PVE/Network.pm | 14 ++++++++++++--
>  1 file changed, 12 insertions(+), 2 deletions(-)
> 
> diff --git a/src/PVE/Network.pm b/src/PVE/Network.pm
> index cde7949..269b9cf 100644
> --- a/src/PVE/Network.pm
> +++ b/src/PVE/Network.pm
> @@ -238,6 +238,13 @@ sub disable_ipv6 {
>      return;
>  }
>  
> +my $bridge_enable_port_isolation = sub {
> +   my ($iface) = @_;
> +
> +   eval { run_command(['/sbin/bridge', 'link', 'set', 'dev', $iface, 'isolated', 'on']) };
> +   die "unable to enable port isolation on interface $iface - $@\n" if $@;
> +};
> +
>  my $bridge_disable_interface_learning = sub {
>      my ($iface) = @_;
>  
> @@ -418,7 +425,7 @@ sub veth_delete {
>  }
>  
>  my $create_firewall_bridge_linux = sub {
> -    my ($iface, $bridge, $tag, $trunks, $no_learning) = @_;
> +    my ($iface, $bridge, $tag, $trunks, $no_learning, $isolation) = @_;
>  
>      my ($vmid, $devid) = &$parse_tap_device_name($iface);
>      my ($fwbr, $vethfw, $vethfwpeer) = &$compute_fwbr_names($vmid, $devid);
> @@ -433,6 +440,7 @@ my $create_firewall_bridge_linux = sub {
>  
>      &$bridge_add_interface($bridge, $vethfwpeer, $tag, $trunks);
>      &$bridge_disable_interface_learning($vethfwpeer) if $no_learning;
> +    $bridge_enable_port_isolation->($vethfwpeer) if $isolation;
>      &$bridge_add_interface($fwbr, $vethfw);
>  
>      &$bridge_add_interface($fwbr, $iface);
> @@ -492,6 +500,7 @@ sub tap_plug {
>  	$opts->{learning} = !($bridge && $bridge->{'bridge-disable-mac-learning'}); # default learning to on
>      }
>      my $no_learning = !$opts->{learning};
> +    my $isolation = $opts->{isolation};
>  
>      # cleanup old port config from any openvswitch bridge
>      eval {
> @@ -512,7 +521,7 @@ sub tap_plug {
>  	}
>  
>  	if ($firewall) {
> -	    &$create_firewall_bridge_linux($iface, $bridge, $tag, $trunks, $no_learning);
> +	    &$create_firewall_bridge_linux($iface, $bridge, $tag, $trunks, $no_learning, $isolation);
>  	} else {
>  	    &$bridge_add_interface($bridge, $iface, $tag, $trunks);
>  	}
> @@ -520,6 +529,7 @@ sub tap_plug {
>  	    $bridge_disable_interface_learning->($iface);
>  	    add_bridge_fdb($iface, $opts->{mac}) if defined($opts->{mac});
>  	}
> +	$bridge_enable_port_isolation->($iface) if $isolation;
>  
>      } else {
>  	&$cleanup_firewall_bridge($iface); # remove stale devices