[pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation

DERUMIER, Alexandre alexandre.derumier at groupe-cyllene.com
Fri Oct 25 07:22:42 CEST 2024


Hi,

Any news about this patch series?

I think it's still not applied? (I see a lot of requests about it on
the forum and on the bugzilla.)

Regards,

Alexandre


-------- Original message --------
From: "DERUMIER, Alexandre" <alexandre.derumier at groupe-cyllene.com>
To: pve-devel at lists.proxmox.com <pve-devel at lists.proxmox.com>,
s.hanreich at proxmox.com <s.hanreich at proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix
#4300 : sdn: add bridge ports isolation
Date: 27/06/2024 18:23:56

Hi!


> > Hi! I gave this a quick test on my machine and everything worked
> > well.
> > Would we maybe want to expose this setting on the NIC level as
> > well?

I don't think it can work, because a port that is not isolated has
access to all other ports, including isolated ports.


"isolated on or isolated off
Controls whether a given port will be isolated, which means it will be
able to communicate with non-isolated ports only. By default this flag
is off."


For example:
vm1: isolated
vm2: isolated
vm3: non isolated


vm1: can't access vm2
vm2: can't access vm1

vm3 has access to the isolated vm1 && vm2 (but the user is thinking
that vm1 && vm2 are secure),
and vm1/vm2 have access to vm3 too.


That's why I have done it at bridge/vnet level, all or nothing.

The main usage is to have only 1 upstream port non isolated (traffic
coming from outside).


> > Also I think 'Isolate Ports' or 'Port Isolation' would be the
> > better label, 'Ports Isolation' sounds a bit wrong to me.

I'll send a v2 with "Port Isolation".



> > Otherwise, consider this:
> >
> > Tested-By: Stefan Hanreich <s.hanreich at proxmox.com>
> > Reviewed-By: Stefan Hanreich <s.hanreich at proxmox.com>

Thanks!

On 4/25/24 16:43, Alexandre Derumier via pve-devel wrote:
> _______________________________________________
> pve-devel mailing list
> pve-devel at lists.proxmox.com
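
The vm1/vm2/vm3 case from the message above, as an added example that is not part of the thread or of the patch series: a Python check that reads `bridge -d link show` style text, applies the rule that frames are dropped only between two isolated ports, and reports non-isolated ports other than the expected upstream. The sample text, the bridge name `vnet1` and the port names are constructed assumptions.

```python
import re
from itertools import combinations

# Constructed sample modelled on `bridge -d link show` text output (not from a real host).
# tap101i0 = vm1, tap102i0 = vm2, tap103i0 = vm3, eno1 = upstream; names are assumptions.
SAMPLE = """\
4: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master vnet1 state forwarding
    hairpin off guard off learning on flood on isolated off
5: tap101i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master vnet1 state forwarding
    hairpin off guard off learning on flood on isolated on
6: tap102i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master vnet1 state forwarding
    hairpin off guard off learning on flood on isolated on
7: tap103i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master vnet1 state forwarding
    hairpin off guard off learning on flood on isolated off
8: tap200i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master vmbr0 state forwarding
    hairpin off guard off learning on flood on isolated off
"""

HEADER_RE = re.compile(r"^\d+:\s+(\S+?)(?:@\S+)?:\s.*?\bmaster\s+(\S+)")
ISOLATED_RE = re.compile(r"\bisolated\s+(on|off)\b")

def parse_ports(text, bridge):
    """Return {port: is_isolated} for the ports attached to `bridge`."""
    ports, current = {}, None
    for line in text.splitlines():
        if line[:1].isdigit():  # an index at column 0 starts a new port record
            m = HEADER_RE.match(line)
            current = m.group(1) if m and m.group(2) == bridge else None
            if current:
                ports[current] = False  # the flag is off by default
        flag = ISOLATED_RE.search(line)
        if current and flag:
            ports[current] = flag.group(1) == "on"
    return ports

def can_forward(ports, a, b):
    """Frames are dropped only when both ports are isolated."""
    return not (ports[a] and ports[b])

def audit(ports, upstream):
    """Return (stray non-isolated ports, guest pairs that can still exchange frames)."""
    guests = sorted(p for p in ports if p != upstream)
    stray = [p for p in guests if not ports[p]]
    open_pairs = [(a, b) for a, b in combinations(guests, 2) if can_forward(ports, a, b)]
    return stray, open_pairs

if __name__ == "__main__":
    print(audit(parse_ports(SAMPLE, "vnet1"), "eno1"))
```

An empty result from `audit` corresponds to the all-or-nothing vnet setting with a single non-isolated upstream port.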




