matthieu/pve-network
1
0
Fork 0
forked from Mirror/pve-network
Code Pull requests Activity

vnets : add ports isolation

Browse source 
Add support for bridge ports isolation
7d850abd5f

This allow to drop traffic between all ports having isolation enabled
on the local bridge, but allow traffic with non isolated ports.

Here,we isolate traffic between vms but allow traffic coming from outside.

Main usage is for layer3 routed or natted setup, but some users have requested it
for layer2/bridge network with proxy arp.
So we can enable it at vnet level.

Signed-off-by: Alexandre Derumier <alexandre.derumier@groupe-cyllene.com>
 [ SH: improve option naming and description slightly ]
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
This commit is contained in:
Alexandre Derumier via pve-devel 2024-11-12 16:54:24 +01:00 committed by Thomas Lamprecht
parent 026dab2090
commit 078c0ef035
2 changed files with 6 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
src/PVE/Network/SDN/VnetPlugin.pm
View file

@ -72,6 +72,10 @@ sub properties {
maxLength => 256,
optional => 1,
},
'isolate-ports' => {
type => 'boolean',
description => "If true, sets the isolated property for all members of this VNet",
}
};
}
@ -81,6 +85,7 @@ sub options {
tag => { optional => 1},
alias => { optional => 1 },
vlanaware => { optional => 1 },
'isolate-ports' => { optional => 1 },
};
}

1
src/PVE/Network/SDN/Zones/Plugin.pm
View file

@ -236,6 +236,7 @@ sub tap_plug {
my $opts = {};
$opts->{learning} = 0 if $plugin_config->{'bridge-disable-mac-learning'};
$opts->{isolation} = 1 if $vnet->{'isolate-ports'};
PVE::Network::tap_plug($iface, $vnetid, $tag, $firewall, $trunks, $rate, $opts);
}