[libvirt PATCH 00/10] support BR_ISOLATED flag for guest interfaces attached to a Linux host bridge

Laine Stump laine at redhat.com
Mon Feb 17 04:22:49 UTC 2020


Since Linux kernel 4.18, the Linux host bridge has had a flag
BR_ISOLATED that can be applied to individual ports. When this flag is
set for a port, traffic is blocked between that port and any other
port that also has the BR_ISOLATED flag set. libvirt domain interface
config now supports setting this flag via the <portOptions
isolated='yes'/> setting. It can also be set for all connections to
a particular libvirt network by setting the same option in the network
config - since the port for the host itself does not have BR_ISOLATED
set, the guests can communicate with the host and the outside world,
but guests on that network can't communicate with each other. This
feature works for QEMU and LXC guests with interfaces attached to a
Linux host bridge.

(I had contemplated (and experimented with) putting this new flag in
the <virtualport> element to avoid creating a new element, but that
ended up creating lots of extra code since none of the existing
virtualport types would support this new flag, Linux host bridges
already work with *no* <virtualport> (much less a virtualport type),
and there are some attributes in the <virtualport> parameters
subelement that are always autogenerated if there is no virtualport
type specified, so I would have needed to add a new virtualport type for
Linux host bridge, which seems redundant as that information is
already implicit in the interface's connection type. etc. etc. It all
just turned into a big mess, and starting over fresh with something
generic (and hopefully expandable in a sensible way) seemed
cleaner). (I am of course open to suggestions though!)

Laine Stump (10):
  schema: trivial indentation fix
  schema: add missing vlan element to networkport RNG
  qemu: save/restore original error when recovering from failed bridge
  util: query/set BR_ISOLATED flag on netdevs attached to bridge
  conf: parse/format <portOptions isolated='yes|no'/>
  network: propagate <portOptions isolated='yes'/> between network and
  qemu/lxc: plumb isolatedPort from config down through bridge
  qemu: support updating <portOptions isolated='yes|no'/> during device
  conf: extra validation for <portOptions isolated='yes'/>
  docs: add info about <portOptions isolated='yes'/> to news file

 docs/news.xml                                 | 21 +++++
 docs/schemas/domaincommon.rng                 |  3 +
 docs/schemas/network.rng                      |  9 ++-
 docs/schemas/networkcommon.rng                | 11 +++
 docs/schemas/networkport.rng                  |  6 ++
 src/bhyve/bhyve_command.c                     |  1 +
 src/conf/domain_conf.c                        | 79 +++++++++++++++++++
 src/conf/domain_conf.h                        |  4 +
 src/conf/network_conf.c                       | 32 ++++++++
 src/conf/network_conf.h                       |  9 +++
 src/conf/virnetworkportdef.c                  |  3 +
 src/conf/virnetworkportdef.h                  |  1 +
 src/libvirt_private.syms                      |  3 +
 src/lxc/lxc_process.c                         | 10 +++
 src/network/bridge_driver.c                   |  4 +
 src/qemu/qemu_hotplug.c                       | 47 +++++++++--
 src/qemu/qemu_interface.c                     |  1 +
 src/util/virnetdevbridge.c                    | 46 +++++++++++
 src/util/virnetdevbridge.h                    |  9 +++
 src/util/virnetdevtap.c                       | 17 +++-
 src/util/virnetdevtap.h                       |  3 +
 tests/bhyvexml2argvmock.c                     |  1 +
 tests/networkxml2xmlin/isolated-ports.xml     |  7 ++
 tests/networkxml2xmlout/isolated-ports.xml    |  7 ++
 tests/networkxml2xmltest.c                    |  1 +
 tests/qemuxml2argvdata/net-isolated-port.xml  | 34 ++++++++
 .../net-isolated-port.x86_64-latest.xml       | 63 +++++++++++++++
 tests/qemuxml2xmltest.c                       |  1 +
 28 files changed, 423 insertions(+), 10 deletions(-)
 create mode 100644 tests/networkxml2xmlin/isolated-ports.xml
 create mode 100644 tests/networkxml2xmlout/isolated-ports.xml
 create mode 100644 tests/qemuxml2argvdata/net-isolated-port.xml
 create mode 100644 tests/qemuxml2xmloutdata/net-isolated-port.x86_64-latest.xml
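
An added example (editor's addition, not part of this patch series or of
libvirt itself) of verifying from the host that the flag actually landed on
the guest ports once a domain or network carrying <portOptions isolated='yes'/>
is running. It assumes a kernel of 4.18 or newer, an iproute2 whose
bridge_slave link type accepts "isolated on|off", and that each bridge port
exposes the flag as the sysfs attribute
/sys/class/net/<bridge>/brif/<port>/isolated. The SYSFS_NET override, the
function names, and the use of libvirt's default vnetN tap names to recognise
guest ports are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not libvirt code: inspect and set BR_ISOLATED on the ports of
# a Linux host bridge.
# Assumptions: kernel >= 4.18, iproute2 with "bridge_slave isolated on|off",
# and the per-port sysfs attribute <bridge>/brif/<port>/isolated.

# Root of the sysfs network tree. Overridable (assumption for this example) so
# the check can be exercised on a constructed fake tree without a real bridge.
: "${SYSFS_NET:=/sys/class/net}"

# Print "<port> <0|1|unsupported>" for every port attached to bridge $1.
port_isolation() {
    br=$1
    for p in "$SYSFS_NET/$br/brif"/*; do
        [ -d "$p" ] || continue
        name=${p##*/}
        if [ -r "$p/isolated" ]; then
            printf '%s %s\n' "$name" "$(cat "$p/isolated")"
        else
            # Attribute absent: kernel predates BR_ISOLATED, flag cannot be set.
            printf '%s unsupported\n' "$name"
        fi
    done
}

# List guest ports (libvirt's default vnetN tap names, an assumption here)
# on bridge $1 that do NOT carry BR_ISOLATED.
unisolated_guest_ports() {
    port_isolation "$1" | awk '$1 ~ /^vnet/ && $2 != 1 { print $1 }'
}

# Exit status 0 when every guest port on bridge $1 is isolated, 1 otherwise.
# Intended to run after the guests are up, since libvirt sets the flag when
# it attaches the tap device to the bridge.
check_guest_isolation() {
    bad=$(unisolated_guest_ports "$1")
    if [ -n "$bad" ]; then
        echo "guest ports on $1 without BR_ISOLATED:" $bad >&2
        return 1
    fi
    return 0
}

# Set ($2 = on) or clear ($2 = off) the flag on port $1 by hand, e.g. for a
# tap device libvirt does not manage. Needs CAP_NET_ADMIN.
set_isolated() {
    ip link set dev "$1" type bridge_slave isolated "$2"
}
```

Run "check_guest_isolation virbr0" after the guests have started; a vnetN
device listed on stderr is one that libvirt attached without the flag, which
is what you would expect for a guest whose interface (or network) lacks
the portOptions setting. Note that BR_ISOLATED is enforced only in the
bridge's own forwarding path between two isolated ports: traffic the host
forwards itself (for instance with IP forwarding enabled on the bridge
interface) is not covered by it, so the flag is a layer-2 separation inside
the bridge, not a substitute for host firewall rules between guests.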

