util: query/set BR_ISOLATED flag on netdevs attached to bridge

When this flag is set for an interface attached to a bridge, traffic to/from the specified interface can only enter/exit the bridge via another attached interface that *doesn't* have the BR_ISOLATED flag set. This can be used to permit guests to communicate with the rest of the network, but not with each other. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2025-01-22 04:25:18 +00:00 · 2020-01-20 16:27:02 -05:00 · 2020-01-20 16:27:02 -05:00 · a378d8fa55
commit a378d8fa55
parent 3f8b57a61f
3 changed files with 57 additions and 0 deletions
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@ -2554,8 +2554,10 @@ virNetDevBridgeFDBDel;
 virNetDevBridgeGetSTP;
 virNetDevBridgeGetSTPDelay;
 virNetDevBridgeGetVlanFiltering;
+virNetDevBridgePortGetIsolated;
 virNetDevBridgePortGetLearning;
 virNetDevBridgePortGetUnicastFlood;
+virNetDevBridgePortSetIsolated;
 virNetDevBridgePortSetLearning;
 virNetDevBridgePortSetUnicastFlood;
 virNetDevBridgeRemovePort;
--- a/src/util/virnetdevbridge.c
+++ b/src/util/virnetdevbridge.c
@ -311,6 +311,30 @@ virNetDevBridgePortSetUnicastFlood(const char *brname,
 }


+int
+virNetDevBridgePortGetIsolated(const char *brname,
+                               const char *ifname,
+                               bool *enable)
+{
+    unsigned long value;
+
+    if (virNetDevBridgePortGet(brname, ifname, "isolated", &value) < 0)
+       return -1;
+
+    *enable = !!value;
+    return 0;
+}
+
+
+int
+virNetDevBridgePortSetIsolated(const char *brname,
+                               const char *ifname,
+                               bool enable)
+{
+    return virNetDevBridgePortSet(brname, ifname, "isolated", enable ? 1 : 0);
+}
+
+
 #else
 int
 virNetDevBridgePortGetLearning(const char *brname G_GNUC_UNUSED,
@ -354,6 +378,28 @@ virNetDevBridgePortSetUnicastFlood(const char *brname G_GNUC_UNUSED,
                         _("Unable to set bridge port unicast_flood on this platform"));
    return -1;
 }
+
+
+int
+virNetDevBridgePortGetIsolated(const char *brname G_GNUC_UNUSED,
+                               const char *ifname G_GNUC_UNUSED,
+                               bool *enable G_GNUC_UNUSED)
+{
+    virReportSystemError(ENOSYS, "%s",
+                         _("Unable to get bridge port isolated on this platform"));
+    return -1;
+}
+
+
+int
+virNetDevBridgePortSetIsolated(const char *brname G_GNUC_UNUSED,
+                               const char *ifname G_GNUC_UNUSED,
+                               bool enable G_GNUC_UNUSED)
+{
+    virReportSystemError(ENOSYS, "%s",
+                         _("Unable to set bridge port isolated on this platform"));
+    return -1;
+}
 #endif


--- a/src/util/virnetdevbridge.h
+++ b/src/util/virnetdevbridge.h
@ -73,6 +73,15 @@ int virNetDevBridgePortSetUnicastFlood(const char *brname,
                                       const char *ifname,
                                       bool enable)
    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) G_GNUC_WARN_UNUSED_RESULT;
+int virNetDevBridgePortGetIsolated(const char *brname,
+                                   const char *ifname,
+                                   bool *enable)
+    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
+    G_GNUC_WARN_UNUSED_RESULT;
+int virNetDevBridgePortSetIsolated(const char *brname,
+                                   const char *ifname,
+                                   bool enable)
+    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) G_GNUC_WARN_UNUSED_RESULT;

 typedef enum {
    VIR_NETDEVBRIDGE_FDB_FLAG_ROUTER    = (1 << 0),