From 366ceeec4b6728041ae15b45c33730ca120922ae Mon Sep 17 00:00:00 2001
From: Laine Stump
Date: Tue, 25 Feb 2020 19:47:07 -0500
Subject: [PATCH] docs: document port isolated property in domain/network/networkport
Signed-off-by: Laine Stump
Reviewed-by: Michal Privoznik
---
docs/formatdomain.html.in | 31 +++++++++++++++++++++++++++++++
docs/formatnetwork.html.in | 25 +++++++++++++++++++++++++
docs/formatnetworkport.html.in | 11 +++++++++++
3 files changed, 67 insertions(+)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 4fef2a0a97..28770188dd 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -6539,6 +6539,37 @@ qemu-kvm -net nic,model=? /dev/null traffic for that VLAN will be tagged.

+
Isolating guests's network traffic from each other
+ +
+...
+<devices>
+  <interface type='network'>
+    <source network='default'/>
+    <port isolated='yes'/>
+  </interface>
+</devices>
+...
+ +

+ Since 6.1.0. The port
+ element property isolated, when set
+ to yes (default setting is no) is used
+ to isolate this interface's network traffic from that of other
+ guest interfaces connected to the same network that also
+ have <port isolated='yes'/>. This setting is
+ only supported for emulated interface devices that use a
+ standard tap device to connect to the network via a Linux host
+ bridge. This property can be inherited from a libvirt network,
+ so if all guests that will be connected to the network should be
+ isolated, it is better to put the setting in the network
+ configuration. (NB: this only prevents guests that
+ have isolated='yes' from communicating with each
+ other; if there is a guest on the same bridge that doesn't
+ have isolated='yes', even the isolated guests will
+ be able to communicate with it.)
+

+
Modifying virtual link state
 ...
diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
index ec055c8360..2bccac014b 100644
--- a/docs/formatnetwork.html.in
+++ b/docs/formatnetwork.html.in
@@ -729,6 +729,31 @@
       or <interface>.
     

+
Isolating ports from one another
+ +
+<network>
+  <name>isolated-ports</name>
+  <forward mode='bridge'/>
+  <bridge name='br0'/>
+  <port isolated='yes'/>
+</network>
+
+ +

+ Since 6.1.0. The port
+ element property isolated, when set
+ to yes (default setting is no) is used
+ to isolate the network traffic of each guest on the network from
+ all other guests connected to the network; it does not have an
+ effect on communication between the guests and the host, or
+ between the guests and destinations beyond this network. This
+ setting is only supported for networks that use a Linux host
+ bridge to connect guest interfaces via a standard tap device
+ (i.e. those with a forward mode of nat, route, open, bridge, or
+ no forward mode).
+

+
Portgroups
diff --git a/docs/formatnetworkport.html.in b/docs/formatnetworkport.html.in
index 0425e069ce..199a05f929 100644
--- a/docs/formatnetworkport.html.in
+++ b/docs/formatnetworkport.html.in
@@ -84,6 +84,7 @@
     <outbound average='128' peak='256' burst='256'/>
   </bandwidth>
   <rxfilters trustGuest='yes'/>
+  <port isolated='yes'/>
   <virtualport type='802.1Qbg'>
     <parameters managerid='11' typeid='1193047' typeidversion='2'/>
   </virtualport>
@@ -110,6 +111,16 @@
         only supported for the virtio device model and for macvtap
         connections on the host.
       
+      
port
+
Since 6.1.0.
+ The port element property
+ isolated, when set to yes (default
+ setting is no) is used to isolate this port's
+ network traffic from other ports on the same network that also
+ have <port isolated='yes'/>. This setting
+ is only supported for emulated network devices connected to a
+ Linux host bridge via a standard tap device.
+
virtualport
The virtualport element describes metadata that needs to be provided to the underlying network subsystem. It