https://bugzilla.redhat.com/1727263
Since Linux kernel 4.18, the Linux host bridge has had a flag
BR_ISOLATED that can be applied to individual ports. When this flag is
set for a port, traffic is blocked between that port and any other
port that also has the BR_ISOLATED flag set. libvirt domain interface
config now supports setting this flag via the <portOptions
isolated='yes'/> setting. It can also be set for all connections to
a particular libvirt network by setting the same option in the network
config - since the port for the host itself does not have BR_ISOLATED
set, the guests can communicate with the host and the outside world,
but guests on that network can't communicate with each other. This
feature works for QEMU and LXC guests with interfaces attached to a
Linux host bridge.
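One check an operator will want after enabling this: confirm that every tap actually enslaved to the network's bridge carries BR_ISOLATED, rather than trusting the XML alone. The script below is an added example, not code from this series or from libvirt; it reads `<portOptions isolated='yes'/>` and the bridge name from a libvirt network definition and compares them against text in the shape of `bridge -d link show` output (where the kernel flag is reported as `isolated on`/`off`). Both the network XML and the bridge output are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed libvirt network definition: every guest port attached to
# virbr1 should get BR_ISOLATED via <portOptions isolated='yes'/>.
NETWORK_XML = """<network>
  <name>isolated-guests</name>
  <forward mode='nat'/>
  <bridge name='virbr1' stp='on' delay='0'/>
  <portOptions isolated='yes'/>
</network>"""

# Constructed text shaped like `bridge -d link show`: vnet1 is on virbr1
# but lacks the flag; vnet2 sits on an unrelated bridge and is ignored.
BRIDGE_LINK_SHOW = """\
3: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master virbr1 state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on isolated on
4: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master virbr1 state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on isolated off
5: vnet2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master virbr0 state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on isolated off
"""

PORT_RE = re.compile(r"^\d+:\s+(?P<port>[^:\s]+):\s.*\bmaster\s+(?P<bridge>\S+)")
ISOLATED_RE = re.compile(r"\bisolated\s+(?P<state>on|off)\b")

def network_wants_isolation(network_xml):
    # Returns (bridge name, True if the network requests isolated ports).
    root = ET.fromstring(network_xml)
    bridge = root.find("bridge").get("name")
    opts = root.find("portOptions")
    return bridge, opts is not None and opts.get("isolated") == "yes"

def parse_bridge_ports(output):
    # Map port name -> {"bridge": master, "isolated": bool}; the flag
    # lives on the indented detail line that follows each port header.
    ports, current = {}, None
    for line in output.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = m.group("port")
            ports[current] = {"bridge": m.group("bridge"), "isolated": False}
            continue
        m = ISOLATED_RE.search(line)
        if m and current:
            ports[current]["isolated"] = m.group("state") == "on"
    return ports

def unisolated_ports(network_xml, output):
    # Ports on the network's bridge that still lack BR_ISOLATED although
    # the network definition asks for it; empty when isolation is not requested.
    bridge, wanted = network_wants_isolation(network_xml)
    ports = parse_bridge_ports(output) if wanted else {}
    return sorted(p for p, i in ports.items() if i["bridge"] == bridge and not i["isolated"])
```

On a live host, feed the real `bridge -d link show` text into `unisolated_ports` together with `virsh net-dumpxml <network>`; any port it returns can still exchange frames with its isolated neighbours.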
(I had contemplated (and experimented with) putting this new flag in
the <virtualport> element to avoid creating a new element, but that
ended up creating lots of extra code since none of the existing
virtualport types would support this new flag, Linux host bridges
already work with *no* <virtualport> (much less a virtualport type),
and there are some attributes in the <virtualport> parameters
subelement that are always autogenerated if there is no virtualport
type specified, so I would have needed to add a new virtualport type for
Linux host bridge, which seems redundant as that information is
already implicit in the interface's connection type. etc. etc. It all
just turned into a big mess, and starting over fresh with something
generic (and hopefully expandable in a sensible way) seemed
cleaner). (I am of course open to suggestions though!)
Laine Stump (10):
schema: trivial indentation fix
schema: add missing vlan element to networkport RNG
qemu: save/restore original error when recovering from failed bridge attach
util: query/set BR_ISOLATED flag on netdevs attached to bridge
conf: parse/format <portOptions isolated='yes|no'/>
network: propagate <portOptions isolated='yes'/> between network and domain
qemu/lxc: plumb isolatedPort from config down through bridge attachment
qemu: support updating <portOptions isolated='yes|no'/> during device update
conf: extra validation for <portOptions isolated='yes'/>
docs: add info about <portOptions isolated='yes'/> to news file
docs/news.xml | 21 +++++
docs/schemas/domaincommon.rng | 3 +
docs/schemas/network.rng | 9 ++-
docs/schemas/networkcommon.rng | 11 +++
docs/schemas/networkport.rng | 6 ++
src/bhyve/bhyve_command.c | 1 +
src/conf/domain_conf.c | 79 +++++++++++++++++++
src/conf/domain_conf.h | 4 +
src/conf/network_conf.c | 32 ++++++++
src/conf/network_conf.h | 9 +++
src/conf/virnetworkportdef.c | 3 +
src/conf/virnetworkportdef.h | 1 +
src/libvirt_private.syms | 3 +
src/lxc/lxc_process.c | 10 +++
src/network/bridge_driver.c | 4 +
src/qemu/qemu_hotplug.c | 47 +++++++++--
src/qemu/qemu_interface.c | 1 +
src/util/virnetdevbridge.c | 46 +++++++++++
src/util/virnetdevbridge.h | 9 +++
src/util/virnetdevtap.c | 17 +++-
src/util/virnetdevtap.h | 3 +
tests/bhyvexml2argvmock.c | 1 +
tests/networkxml2xmlin/isolated-ports.xml | 7 ++
tests/networkxml2xmlout/isolated-ports.xml | 7 ++
tests/networkxml2xmltest.c | 1 +
tests/qemuxml2argvdata/net-isolated-port.xml | 34 ++++++++
.../net-isolated-port.x86_64-latest.xml | 63 +++++++++++++++
tests/qemuxml2xmltest.c | 1 +
28 files changed, 423 insertions(+), 10 deletions(-)
create mode 100644 tests/networkxml2xmlin/isolated-ports.xml
create mode 100644 tests/networkxml2xmlout/isolated-ports.xml
create mode 100644 tests/qemuxml2argvdata/net-isolated-port.xml
create mode 100644 tests/qemuxml2xmloutdata/net-isolated-port.x86_64-latest.xml
--
2.24.1