[PATCH] docs: document port isolated property in domain/network/networkport

[Laine Stump <laine@xxxxxxxxxx>]

Signed-off-by: Laine Stump <laine@xxxxxxxxxx>
---

I had thought I'd included documentation with the patch that added
parsing/formatting for this, but after crobinso noticed it was
missing, I realized that I had only put documentation in an earlier
version of the patches (that put the option inside
<virtualport>). Oops :-/


 docs/formatdomain.html.in      | 31 +++++++++++++++++++++++++++++++
 docs/formatnetwork.html.in     | 25 +++++++++++++++++++++++++
 docs/formatnetworkport.html.in | 11 +++++++++++
 3 files changed, 67 insertions(+)

diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 4fef2a0a97..28770188dd 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -6539,6 +6539,37 @@ qemu-kvm -net nic,model=? /dev/null
       traffic for that VLAN will be tagged.
     </p>
 
+    <h5><a id="elementPort">Isolating guests's network traffic from each other</a></h5>
+
+<pre>
+...
+&lt;devices&gt;
+  &lt;interface type='network'&gt;
+    &lt;source network='default'/&gt;
+    <b>&lt;port isolated='yes'/&gt;</b>
+  &lt;/interface&gt;
+&lt;/devices&gt;
+...</pre>
+
+    <p>
+      <span class="since">Since 6.1.0.</span> The <code>port</code>
+      element property <code>isolated</code>, when set
+      to <code>yes</code> (default setting is <code>no</code>) is used
+      to isolate this interface's network traffic from that of other
+      guest interfaces connected to the same network that also
+      have <code>&lt;port isolated='yes'/&gt;</code>.  This setting is
+      only supported for emulated interface devices that use a
+      standard tap device to connect to the network via a Linux host
+      bridge. This property can be inherited from a libvirt network,
+      so if all guests that will be connected to the network should be
+      isolated, it is better to put the setting in the network
+      configuration. (NB: this only prevents guests that
+      have <code>isolated='yes'</code> from communicating with each
+      other; if there is a guest on the same bridge that doesn't
+      have <code>isolated='yes'</code>, even the isolated guests will
+      be able to communicate with it.)
+    </p>
+
     <h5><a id="elementLink">Modifying virtual link state</a></h5>
 <pre>
 ...
diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
index 3d807ecab6..f1e7ce5e4e 100644
--- a/docs/formatnetwork.html.in
+++ b/docs/formatnetwork.html.in
@@ -729,6 +729,31 @@
       or <code>&lt;interface&gt;</code>.
     </p>
 
+    <h5><a id="elementPort">Isolating ports from one another</a></h5>
+
+<pre>
+&lt;network&gt;
+  &lt;name&gt;isolated-ports&lt;/name&gt;
+  &lt;forward mode='bridge'/&gt;
+  &lt;bridge name='br0'/&gt;
+  &lt;port isolated='yes'/&gt;
+&lt;/network&gt;
+</pre>
+
+    <p>
+      <span class="since">Since 6.1.0.</span> The <code>port</code>
+      element property <code>isolated</code>, when set
+      to <code>yes</code> (default setting is <code>no</code>) is used
+      to isolate the network traffic of each guest on the network from
+      all other guests connected to the network; it does not have an
+      effect on communication between the guests and the host, or
+      between the guests and destinations beyond this network. This
+      setting is only supported for networks that use a Linux host
+      bridge to connect guest interfaces via a standard tap device
+      (i.e. those with a forward mode of nat, route, open, bridge, or
+      no forward mode).
+    </p>
+
     <h5><a id="elementsPortgroup">Portgroups</a></h5>
 
 <pre>
diff --git a/docs/formatnetworkport.html.in b/docs/formatnetworkport.html.in
index 0425e069ce..199a05f929 100644
--- a/docs/formatnetworkport.html.in
+++ b/docs/formatnetworkport.html.in
@@ -84,6 +84,7 @@
     &lt;outbound average='128' peak='256' burst='256'/&gt;
   &lt;/bandwidth&gt;
   &lt;rxfilters trustGuest='yes'/&gt;
+  &lt;port isolated='yes'/&gt;
   &lt;virtualport type='802.1Qbg'&gt;
     &lt;parameters managerid='11' typeid='1193047' typeidversion='2'/&gt;
   &lt;/virtualport&gt;
@@ -110,6 +111,16 @@
         only supported for the virtio device model and for macvtap
         connections on the host.
       </dd>
+      <dt><code>port</code></dt>
+      <dd> <span class="since">Since 6.1.0.</span>
+        The <code>port</code> element property
+        <code>isolated</code>, when set to <code>yes</code> (default
+        setting is <code>no</code>) is used to isolate this port's
+        network traffic from other ports on the same network that also
+        have <code>&lt;port isolated='yes'/&gt;</code>. This setting
+        is only supported for emulated network devices connected to a
+        Linux host bridge via a standard tap device.
+      </dd>
       <dt><code>virtualport</code></dt>
       <dd>The <code>virtualport</code> element describes metadata that
         needs to be provided to the underlying network subsystem. It
-- 
2.24.1