docs: document port isolated property in domain/network/networkport

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

docs/formatdomain.html.in

@@ -6539,6 +6539,37 @@ qemu-kvm -net nic,model=? /dev/null
       traffic for that VLAN will be tagged.
     </p>
 
+    <h5><a id="elementPort">Isolating guests's network traffic from each other</a></h5>
+
+<pre>
+...
+&lt;devices&gt;
+  &lt;interface type='network'&gt;
+    &lt;source network='default'/&gt;
+    <b>&lt;port isolated='yes'/&gt;</b>
+  &lt;/interface&gt;
+&lt;/devices&gt;
+...</pre>
+
+    <p>
+      <span class="since">Since 6.1.0.</span> The <code>port</code>
+      element property <code>isolated</code>, when set
+      to <code>yes</code> (default setting is <code>no</code>) is used
+      to isolate this interface's network traffic from that of other
+      guest interfaces connected to the same network that also
+      have <code>&lt;port isolated='yes'/&gt;</code>.  This setting is
+      only supported for emulated interface devices that use a
+      standard tap device to connect to the network via a Linux host
+      bridge. This property can be inherited from a libvirt network,
+      so if all guests that will be connected to the network should be
+      isolated, it is better to put the setting in the network
+      configuration. (NB: this only prevents guests that
+      have <code>isolated='yes'</code> from communicating with each
+      other; if there is a guest on the same bridge that doesn't
+      have <code>isolated='yes'</code>, even the isolated guests will
+      be able to communicate with it.)
+    </p>
+
     <h5><a id="elementLink">Modifying virtual link state</a></h5>
 <pre>
 ...

docs/formatnetwork.html.in

@@ -729,6 +729,31 @@
       or <code>&lt;interface&gt;</code>.
     </p>
 
+    <h5><a id="elementPort">Isolating ports from one another</a></h5>
+
+<pre>
+&lt;network&gt;
+  &lt;name&gt;isolated-ports&lt;/name&gt;
+  &lt;forward mode='bridge'/&gt;
+  &lt;bridge name='br0'/&gt;
+  &lt;port isolated='yes'/&gt;
+&lt;/network&gt;
+</pre>
+
+    <p>
+      <span class="since">Since 6.1.0.</span> The <code>port</code>
+      element property <code>isolated</code>, when set
+      to <code>yes</code> (default setting is <code>no</code>) is used
+      to isolate the network traffic of each guest on the network from
+      all other guests connected to the network; it does not have an
+      effect on communication between the guests and the host, or
+      between the guests and destinations beyond this network. This
+      setting is only supported for networks that use a Linux host
+      bridge to connect guest interfaces via a standard tap device
+      (i.e. those with a forward mode of nat, route, open, bridge, or
+      no forward mode).
+    </p>
+
     <h5><a id="elementsPortgroup">Portgroups</a></h5>
 
 <pre>

docs/formatnetworkport.html.in

@@ -84,6 +84,7 @@
     <outbound average='128' peak='256' burst='256'/>
   </bandwidth>
   <rxfilters trustGuest='yes'/>
+  <port isolated='yes'/>
   <virtualport type='802.1Qbg'>
     <parameters managerid='11' typeid='1193047' typeidversion='2'/>
   </virtualport>
@@ -110,6 +111,16 @@
         only supported for the virtio device model and for macvtap
         connections on the host.
       </dd>
+      <dt><code>port</code></dt>
+      <dd> <span class="since">Since 6.1.0.</span>
+        The <code>port</code> element property
+        <code>isolated</code>, when set to <code>yes</code> (default
+        setting is <code>no</code>) is used to isolate this port's
+        network traffic from other ports on the same network that also
+        have <code>&lt;port isolated='yes'/&gt;</code>. This setting
+        is only supported for emulated network devices connected to a
+        Linux host bridge via a standard tap device.
+      </dd>
       <dt><code>virtualport</code></dt>
       <dd>The <code>virtualport</code> element describes metadata that
         needs to be provided to the underlying network subsystem. It