sdn: add documentation for firewall integration

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Stefan Hanreich 2024-11-19 13:17:22 +01:00 committed by Thomas Lamprecht
parent 39dff49d81
commit 4f7c386b6a

@ -702,6 +702,98 @@ For more information please consult the documentation of
xref:pvesdn_ipam_plugin_pveipam[the PVE IPAM plugin]. Changing DHCP leases is
currently not supported for the other IPAM plugins.
Firewall Integration
--------------------
SDN integrates with the Proxmox VE firewall by automatically generating IPSets
which can then be referenced in the source / destination fields of firewall
rules. This happens automatically for VNets and IPAM entries.
VNets and Subnets
~~~~~~~~~~~~~~~~~
The firewall automatically generates the following IPSets in the SDN scope for
every VNet:
`vnet-all`::
Contains the CIDRs of all subnets in a VNet
`vnet-gateway`::
Contains the IPs of the gateways of all subnets in a VNet
`vnet-no-gateway`::
Contains the CIDRs of all subnets in a VNet, but excludes the gateways
`vnet-dhcp`::
Contains all DHCP ranges configured in the subnets in a VNet
When making changes to your configuration, the IPSets update automatically, so
you do not have to update your firewall rules when changing the configuration of
your Subnets.
Simple Zone Example
^^^^^^^^^^^^^^^^^^^
Assuming the configuration below for a VNet and its contained subnets:
----
# /etc/pve/sdn/vnets.cfg
vnet: vnet0
zone simple
# /etc/pve/sdn/subnets.cfg
subnet: simple-192.0.2.0-24
vnet vnet0
dhcp-range start-address=192.0.2.100,end-address=192.0.2.199
gateway 192.0.2.1
subnet: simple-2001:db8::-64
vnet vnet0
dhcp-range start-address=2001:db8::1000,end-address=2001:db8::1999
gateway 2001:db8::1
----
In this example we configured an IPv4 subnet in the VNet `vnet0`, with
'192.0.2.0/24' as its IP Range, '192.0.2.1' as the gateway and the DHCP range is
'192.0.2.100' - '192.0.2.199'.
Additionally we configured an IPv6 subnet with '2001:db8::/64' as the IP range,
'2001:db8::1' as the gateway and a DHCP range of '2001:db8::1000' -
'2001:db8::1999'.
The respective auto-generated IPsets for vnet0 would then contain the following
elements:
`vnet0-all`::
* '192.0.2.0/24'
* '2001:db8::/64'
`vnet0-gateway`::
* '192.0.2.1'
* '2001:db8::1'
`vnet0-no-gateway`::
* '192.0.2.0/24'
* '2001:db8::/64'
* '!192.0.2.1'
* '!2001:db8::1'
`vnet0-dhcp`::
* '192.0.2.100 - 192.0.2.199'
* '2001:db8::1000 - 2001:db8::1999'
IPAM
~~~~
If you are using the built-in PVE IPAM, then the firewall automatically
generates an IPset for every guest that has entries in the IPAM. The respective
IPset for a guest with ID 100 would be `guest-ipam-100`. It contains all IP
addresses from all IPAM entries. So if guest 100 is member of multiple VNets,
then the IPset would contain the IPs from *all* VNets.
When entries get added / updated / deleted, then the respective IPSets will be
updated accordingly.
WARNING: When removing all entries for a guest and there are firewall rules
still referencing the auto-generated IPSet then the firewall will fail to update
the ruleset, since it references a non-existing IPSet.
[[pvesdn_setup_examples]]
Examples
--------
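Review bot: the definition list under "VNets and Subnets" names the generated sets `vnet-all`, `vnet-gateway`, `vnet-no-gateway` and `vnet-dhcp`, but the worked example then lists `vnet0-all`, `vnet0-gateway` and so on, and nothing in between says that `vnet` stands for the VNet ID; state the naming pattern explicitly before the list (for instance that a VNet named `vnet0` gets `vnet0-all`, `vnet0-gateway`, ...) so readers do not look for a literal `vnet-all` set. Two smaller points in the same hunk: the spelling is inconsistent ("IPSets" in the intro and the VNet section, "IPsets" in "The respective auto-generated IPsets for vnet0", "IPset" in the IPAM section), so pick one form; and the WARNING at the end of the IPAM section describes the failure (the ruleset update fails because a rule still references the removed `guest-ipam-100` style set) but not the remedy, so a sentence telling the reader to remove or adjust the referencing rules before deleting the guest's last IPAM entry would make it actionable.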