https://bugzilla.redhat.com/1727263

Since Linux kernel 4.18, the Linux host bridge has had a flag BR_ISOLATED that can be applied to individual ports. When this flag is set for a port, traffic is blocked between that port and any other port that also has the BR_ISOLATED flag set.

libvirt domain interface config now supports setting this flag via the <portOptions isolated='yes'/> setting. It can also be set for all connections to a particular libvirt network by setting the same option in the network config - since the port for the host itself does not have BR_ISOLATED set, the guests can communicate with the host and the outside world, but guests on that network can't communicate with each other.

This feature works for QEMU and LXC guests with interfaces attached to a Linux host bridge.

(I had contemplated (and experimented with) putting this new flag in the <virtualport> element to avoid creating a new element, but that ended up creating lots of extra code since none of the existing virtualport types would support this new flag, Linux host bridges already work with *no* <virtualport> (much less a virtualport type), and there are some attributes in the <virtualport> parameters subelement that are always autogenerated if there is no virtualport type specified, so I would have needed to add a new virtualport type for Linux host bridge, which seems redundant as that information is already implicit in the interface's connection type, etc. etc. It all just turned into a big mess, and starting over fresh with something generic (and hopefully expandable in a sensible way) seemed cleaner.) (I am of course open to suggestions though!)
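To confirm on the host that the flag actually landed on the guests' tap devices after setting <portOptions isolated='yes'/>, here is an added shell example (not part of this series or of libvirt) that parses `bridge -d link show` output and lists the ports of a bridge that do not carry BR_ISOLATED. The sample output below is constructed, and the port names virbr0-nic, vnet0 and vnet1 are assumed.

```shell
#!/bin/sh
# Added example, not code from the libvirt patch series.
# Assumes iproute2's detailed link output prints "isolated on|off" per port.

# Constructed sample, modelled on `bridge -d link show` for a libvirt bridge
# where two guest taps are isolated and the bridge's own dummy port is not.
SAMPLE_LINKS='3: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 master virbr0 state disabled priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on neigh_suppress off vlan_tunnel off isolated off
5: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master virbr0 state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on neigh_suppress off vlan_tunnel off isolated on
6: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master virbr0 state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on neigh_suppress off vlan_tunnel off isolated on'

# Print "<port> <on|off>" for every port attached to the given bridge,
# reading bridge(8) detailed output from stdin.
port_isolation() {
    awk -v br="$1" '
        /^[0-9]+: / {            # header line: "N: dev: <FLAGS> ... master BR ..."
            dev = $2; sub(/:$/, "", dev)
            keep = 0
            for (i = 1; i <= NF; i++) if ($i == "master" && $(i+1) == br) keep = 1
            next
        }
        keep {                   # detail line: find the "isolated on|off" pair
            for (i = 1; i <= NF; i++) if ($i == "isolated") print dev, $(i+1)
            keep = 0
        }'
}

# Ports of the bridge that are NOT isolated. Each of these can still talk to
# every other port, so a guest tap listed here is not covered by the isolation.
unisolated_ports() {
    port_isolation "$1" | awk '$2 != "on" { print $1 }'
}

# Live check when given a bridge name and bridge(8) is available;
# otherwise run against the constructed sample.
if [ -n "$1" ] && command -v bridge >/dev/null 2>&1; then
    bridge -d link show | unisolated_ports "$1"
else
    printf '%s\n' "$SAMPLE_LINKS" | unisolated_ports virbr0
fi
```

On a libvirt network bridge the non-isolated entry is expected to be the bridge's own dummy port (here virbr0-nic); any vnetN tap appearing in that list still has full reachability to the other guests.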
Laine Stump (10):
  schema: trivial indentation fix
  schema: add missing vlan element to networkport RNG
  qemu: save/restore original error when recovering from failed bridge attach
  util: query/set BR_ISOLATED flag on netdevs attached to bridge
  conf: parse/format <portOptions isolated='yes|no'/>
  network: propagate <portOptions isolated='yes'/> between network and domain
  qemu/lxc: plumb isolatedPort from config down through bridge attachment
  qemu: support updating <portOptions isolated='yes|no'/> during device update
  conf: extra validation for <portOptions isolated='yes'/>
  docs: add info about <portOptions isolated='yes'/> to news file

 docs/news.xml                                 | 21 +++++
 docs/schemas/domaincommon.rng                 |  3 +
 docs/schemas/network.rng                      |  9 ++-
 docs/schemas/networkcommon.rng                | 11 +++
 docs/schemas/networkport.rng                  |  6 ++
 src/bhyve/bhyve_command.c                     |  1 +
 src/conf/domain_conf.c                        | 79 +++++++++++++++++++
 src/conf/domain_conf.h                        |  4 +
 src/conf/network_conf.c                       | 32 ++++++++
 src/conf/network_conf.h                       |  9 +++
 src/conf/virnetworkportdef.c                  |  3 +
 src/conf/virnetworkportdef.h                  |  1 +
 src/libvirt_private.syms                      |  3 +
 src/lxc/lxc_process.c                         | 10 +++
 src/network/bridge_driver.c                   |  4 +
 src/qemu/qemu_hotplug.c                       | 47 +++++++++--
 src/qemu/qemu_interface.c                     |  1 +
 src/util/virnetdevbridge.c                    | 46 +++++++++++
 src/util/virnetdevbridge.h                    |  9 +++
 src/util/virnetdevtap.c                       | 17 +++-
 src/util/virnetdevtap.h                       |  3 +
 tests/bhyvexml2argvmock.c                     |  1 +
 tests/networkxml2xmlin/isolated-ports.xml     |  7 ++
 tests/networkxml2xmlout/isolated-ports.xml    |  7 ++
 tests/networkxml2xmltest.c                    |  1 +
 tests/qemuxml2argvdata/net-isolated-port.xml  | 34 ++++++++
 .../net-isolated-port.x86_64-latest.xml       | 63 +++++++++++++++
 tests/qemuxml2xmltest.c                       |  1 +
 28 files changed, 423 insertions(+), 10 deletions(-)
 create mode 100644 tests/networkxml2xmlin/isolated-ports.xml
 create mode 100644 tests/networkxml2xmlout/isolated-ports.xml
 create mode 100644 tests/qemuxml2argvdata/net-isolated-port.xml
 create mode 100644 tests/qemuxml2xmloutdata/net-isolated-port.x86_64-latest.xml

-- 
2.24.1