From a378d8fa55c121b5a3c1e575cd986adaa3671e3d Mon Sep 17 00:00:00 2001
From: Laine Stump
Date: Mon, 20 Jan 2020 16:27:02 -0500
Subject: [PATCH] util: query/set BR_ISOLATED flag on netdevs attached to bridge
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When this flag is set for an interface attached to a bridge, traffic to/from the specified interface can only enter/exit the bridge via another attached interface that *doesn't* have the BR_ISOLATED flag set. This can be used to permit guests to communicate with the rest of the network, but not with each other.

Signed-off-by: Laine Stump
Reviewed-by: Ján Tomko
---
 src/libvirt_private.syms | 2 ++
 src/util/virnetdevbridge.c | 46 ++++++++++++++++++++++++++++++++++++++
 src/util/virnetdevbridge.h | 9 ++++++++
 3 files changed, 57 insertions(+)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 125d1836dd..0d281ec7ed 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2554,8 +2554,10 @@ virNetDevBridgeFDBDel;
 virNetDevBridgeGetSTP;
 virNetDevBridgeGetSTPDelay;
 virNetDevBridgeGetVlanFiltering;
+virNetDevBridgePortGetIsolated;
 virNetDevBridgePortGetLearning;
 virNetDevBridgePortGetUnicastFlood;
+virNetDevBridgePortSetIsolated;
 virNetDevBridgePortSetLearning;
 virNetDevBridgePortSetUnicastFlood;
 virNetDevBridgeRemovePort;
diff --git a/src/util/virnetdevbridge.c b/src/util/virnetdevbridge.c
index 769289ae0b..1119846e61 100644
--- a/src/util/virnetdevbridge.c
+++ b/src/util/virnetdevbridge.c
@@ -311,6 +311,30 @@ virNetDevBridgePortSetUnicastFlood(const char *brname,
 }
 
 
+int
+virNetDevBridgePortGetIsolated(const char *brname,
+                               const char *ifname,
+                               bool *enable)
+{
+    unsigned long value;
+
+    if (virNetDevBridgePortGet(brname, ifname, "isolated", &value) < 0)
+        return -1;
+
+    *enable = !!value;
+    return 0;
+}
+
+
+int
+virNetDevBridgePortSetIsolated(const char *brname,
+                               const char *ifname,
+                               bool enable)
+{
+    return virNetDevBridgePortSet(brname, ifname, "isolated", enable ? 1 : 0);
+}
+
+
 #else
 int
 virNetDevBridgePortGetLearning(const char *brname G_GNUC_UNUSED,
@@ -354,6 +378,28 @@ virNetDevBridgePortSetUnicastFlood(const char *brname G_GNUC_UNUSED,
                          _("Unable to set bridge port unicast_flood on this platform"));
     return -1;
 }
+
+
+int
+virNetDevBridgePortGetIsolated(const char *brname G_GNUC_UNUSED,
+                               const char *ifname G_GNUC_UNUSED,
+                               bool *enable G_GNUC_UNUSED)
+{
+    virReportSystemError(ENOSYS, "%s",
+                         _("Unable to get bridge port isolated on this platform"));
+    return -1;
+}
+
+
+int
+virNetDevBridgePortSetIsolated(const char *brname G_GNUC_UNUSED,
+                               const char *ifname G_GNUC_UNUSED,
+                               bool enable G_GNUC_UNUSED)
+{
+    virReportSystemError(ENOSYS, "%s",
+                         _("Unable to set bridge port isolated on this platform"));
+    return -1;
+}
 #endif
 
 
diff --git a/src/util/virnetdevbridge.h b/src/util/virnetdevbridge.h
index 8137914da8..db4099bf0b 100644
--- a/src/util/virnetdevbridge.h
+++ b/src/util/virnetdevbridge.h
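Review bot: virNetDevBridgePortGetIsolated and virNetDevBridgePortSetIsolated in the first hunk carry no comment stating their contract, and the failure modes matter here because this flag is what keeps guests from reaching each other. On a kernel that has no `isolated` brport attribute the lookup presumably fails with the same generic -1 as any other error (I believe the attribute only appeared in Linux 4.18), so a caller cannot tell "unsupported" from "could not set" and must treat both as fatal rather than best-effort if it depends on the isolation. I would add a three-line comment above the setter saying that -1 is returned both when the kernel lacks the attribute and when the write fails, that on failure the port should be assumed to still have its previous setting, and that callers relying on BR_ISOLATED as a security boundary must not ignore the result; the ENOSYS stubs in the second hunk can point at the same comment. Both functions are complete within the hunk.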
@@ -73,6 +73,15 @@ int virNetDevBridgePortSetUnicastFlood(const char *brname,
                                        const char *ifname,
                                        bool enable)
     ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) G_GNUC_WARN_UNUSED_RESULT;
+int virNetDevBridgePortGetIsolated(const char *brname,
+                                   const char *ifname,
+                                   bool *enable)
+    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
+    G_GNUC_WARN_UNUSED_RESULT;
+int virNetDevBridgePortSetIsolated(const char *brname,
+                                   const char *ifname,
+                                   bool enable)
+    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) G_GNUC_WARN_UNUSED_RESULT;
 
 typedef enum {
     VIR_NETDEVBRIDGE_FDB_FLAG_ROUTER = (1 << 0),
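Review bot: The new prototypes in this hunk give no hint of what `isolated` means, and this header is where callers will look. A one-line comment above virNetDevBridgePortGetIsolated such as `/* BR_ISOLATED: an isolated port can only exchange traffic with non-isolated ports of the bridge */` would carry the semantics from the commit message into the code. The getter's out-parameter is only written on success in the .c hunk, which is worth stating here too, since `ATTRIBUTE_NONNULL(3)` alone does not convey that `*enable` is unspecified when -1 is returned.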