vnets : add ports isolation

Add support for bridge ports isolation
https://github.com/torvalds/linux/commit/7d850abd5f4edb1b1ca4b4141a4453305736f564

This allow to drop traffic between all ports having isolation enabled
on the local bridge, but allow traffic with non isolated ports.

Here,we isolate traffic between vms but allow traffic coming from outside.

Main usage is for layer3 routed or natted setup, but some users have requested it
for layer2/bridge network with proxy arp.
So we can enable it at vnet level.

Signed-off-by: Alexandre Derumier <alexandre.derumier@groupe-cyllene.com>
 [ SH: improve option naming and description slightly ]
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>

diff --git a/src/PVE/Network/SDN/VnetPlugin.pm b/src/PVE/Network/SDN/VnetPlugin.pm
index 062904c98d884b606c571c3f7082a6a19e9952c9..f44380a202638ed6884a33e4f53e53159adc7974 100644 (file)
--- a/src/PVE/Network/SDN/VnetPlugin.pm
+++ b/src/PVE/Network/SDN/VnetPlugin.pm
@@ -72,6 +72,10 @@ sub properties {
             maxLength => 256,
            optional => 1,
         },
+       'isolate-ports' => {
+           type => 'boolean',
+           description => "If true, sets the isolated property for all members of this VNet",
+       }
     };
 }
 
@@ -81,6 +85,7 @@ sub options {
         tag => { optional => 1},
         alias => { optional => 1 },
         vlanaware => { optional => 1 },
+       'isolate-ports' => { optional => 1 },
     };
 }
 

diff --git a/src/PVE/Network/SDN/Zones/Plugin.pm b/src/PVE/Network/SDN/Zones/Plugin.pm
index 26cc0dabc097043bcfe6c7e48ad7464c8a8288c1..a8601685e0ab365c00fd858655ad977138d3ca30 100644 (file)
--- a/src/PVE/Network/SDN/Zones/Plugin.pm
+++ b/src/PVE/Network/SDN/Zones/Plugin.pm
@@ -236,6 +236,7 @@ sub tap_plug {
 
     my $opts = {};
     $opts->{learning} = 0 if $plugin_config->{'bridge-disable-mac-learning'};
+    $opts->{isolation} = 1 if $vnet->{'isolate-ports'};
     PVE::Network::tap_plug($iface, $vnetid, $tag, $firewall, $trunks, $rate, $opts);
 }