authorAlexandre Derumier via pve-devel <pve-devel@lists.proxmox.com>2024-11-12 16:54:24 +0100
committerThomas Lamprecht <t.lamprecht@proxmox.com>2024-11-18 16:49:46 +0100
commit078c0ef03570a0304fed30f0557ab8ef18fbf329 (patch)
treec3195cb35191712c5e8fca4659e14b921b799373
parent026dab209034968c237fac3b3f18aa918aba35ea (diff)
vnets : add ports isolation
Add support for bridge ports isolation https://github.com/torvalds/linux/commit/7d850abd5f4edb1b1ca4b4141a4453305736f564 This allows dropping traffic between all ports that have isolation enabled on the local bridge, while still allowing traffic with non-isolated ports. Here, we isolate traffic between VMs but allow traffic coming from outside. The main usage is for layer 3 routed or NATed setups, but some users have requested it for layer 2/bridged networks with proxy ARP. So we can enable it at the vnet level. Signed-off-by: Alexandre Derumier <alexandre.derumier@groupe-cyllene.com> [ SH: improve option naming and description slightly ] Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
-rw-r--r--src/PVE/Network/SDN/VnetPlugin.pm5
-rw-r--r--src/PVE/Network/SDN/Zones/Plugin.pm1
2 files changed, 6 insertions, 0 deletions
diff --git a/src/PVE/Network/SDN/VnetPlugin.pm b/src/PVE/Network/SDN/VnetPlugin.pm
index 062904c..f44380a 100644
--- a/src/PVE/Network/SDN/VnetPlugin.pm
+++ b/src/PVE/Network/SDN/VnetPlugin.pm
@@ -72,6 +72,10 @@ sub properties {
maxLength => 256,
optional => 1,
},
+ 'isolate-ports' => {
+ type => 'boolean',
+ description => "If true, sets the isolated property for all members of this VNet",
+ }
};
}
@@ -81,6 +85,7 @@ sub options {
tag => { optional => 1},
alias => { optional => 1 },
vlanaware => { optional => 1 },
+ 'isolate-ports' => { optional => 1 },
};
}
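Review bot: The schema description of the new `isolate-ports` property in the first hunk says which flag gets set but not what it does to traffic, and since this option decides which guests on a VNet can reach each other, an administrator reading the API docs should not have to look up the kernel commit. I would change it to `description => "If true, sets the isolated property for all members of this VNet: traffic between isolated ports is dropped, while traffic to and from non-isolated ports (for example the uplink) is still forwarded",`. The property directly above the insertion carries `optional => 1` in `properties` as well as in `options`, whereas the new entry only has it in `options`; presumably the SectionConfig schema treats these the same, but aligning the two keeps the file consistent. Both `properties` and `options` start before their hunks.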
diff --git a/src/PVE/Network/SDN/Zones/Plugin.pm b/src/PVE/Network/SDN/Zones/Plugin.pm
index 26cc0da..a860168 100644
--- a/src/PVE/Network/SDN/Zones/Plugin.pm
+++ b/src/PVE/Network/SDN/Zones/Plugin.pm
@@ -236,6 +236,7 @@ sub tap_plug {
my $opts = {};
$opts->{learning} = 0 if $plugin_config->{'bridge-disable-mac-learning'};
+ $opts->{isolation} = 1 if $vnet->{'isolate-ports'};
PVE::Network::tap_plug($iface, $vnetid, $tag, $firewall, $trunks, $rate, $opts);
}
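Review bot: The added line sets `$opts->{isolation}` only when the option is on and never passes an explicit off value, so what happens to a port whose VNet had `isolate-ports` turned off again depends on how `PVE::Network::tap_plug` treats a missing key, and that helper is not visible here. If it leaves an existing isolated flag untouched, a guest re-plugged onto such a VNet could silently keep isolation; `$opts->{isolation} = $vnet->{'isolate-ports'} ? 1 : 0;` would make the intent explicit, and the same question applies to the `learning` line above it. It is also worth confirming that the flag ends up on the port attached to the VNet bridge rather than only on the guest tap when `$firewall` is set and a firewall bridge sits in between, since otherwise isolation would not apply to firewalled guests and the option would give a false sense of separation. `tap_plug` starts before the hunk, and `$vnet` is defined outside the visible lines.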