--- Begin Message ---
Add support for bridge ports isolation
https://github.com/torvalds/linux/commit/7d850abd5f4edb1b1ca4b4141a4453305736f564
This allow to drop traffic between all ports having isolation enabled
on the local bridge, but allow traffic with non isolated ports.
Here,we isolate traffic between vms but allow traffic coming from outside.
Main usage is for layer3 routed or natted setup, but some users have requested
it
for layer2/bridge network with proxy arp.
So we can enable it at vnet level.
Signed-off-by: Alexandre Derumier <alexandre.derum...@groupe-cyllene.com>
---
src/PVE/Network/SDN/VnetPlugin.pm | 5 +++++
src/PVE/Network/SDN/Zones/Plugin.pm | 1 +
2 files changed, 6 insertions(+)
diff --git a/src/PVE/Network/SDN/VnetPlugin.pm
b/src/PVE/Network/SDN/VnetPlugin.pm
index 062904c..58e177b 100644
--- a/src/PVE/Network/SDN/VnetPlugin.pm
+++ b/src/PVE/Network/SDN/VnetPlugin.pm
@@ -72,6 +72,10 @@ sub properties {
maxLength => 256,
optional => 1,
},
+ 'ports-isolation' => {
+ type => 'boolean',
+ description => "Enable bridge ports isolation.",
+ }
};
}
@@ -81,6 +85,7 @@ sub options {
tag => { optional => 1},
alias => { optional => 1 },
vlanaware => { optional => 1 },
+ 'ports-isolation' => { optional => 1 },
};
}
diff --git a/src/PVE/Network/SDN/Zones/Plugin.pm
b/src/PVE/Network/SDN/Zones/Plugin.pm
index 26cc0da..dce7e57 100644
--- a/src/PVE/Network/SDN/Zones/Plugin.pm
+++ b/src/PVE/Network/SDN/Zones/Plugin.pm
@@ -236,6 +236,7 @@ sub tap_plug {
my $opts = {};
$opts->{learning} = 0 if $plugin_config->{'bridge-disable-mac-learning'};
+ $opts->{isolation} = 1 if $vnet->{'ports-isolation'};
PVE::Network::tap_plug($iface, $vnetid, $tag, $firewall, $trunks, $rate,
$opts);
}
--
2.39.2
--- End Message ---
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
