network: propagate <port isolated='yes'/> between network and domain
Similar to the way that the <vlan>, <bandwidth>, and <virtualport> elements and the trustGuestRxFilters attribute in a <network> (or in the appropriate <portgroup> element of a <network>) can be applied to a port when it is allocated for a domain's network interface, this patch checks for a configured value of <port isolated="yes|no"/> in either the domain <interface> or in the network, setting isolatedPort in the <networkport> to the first one it finds (the setting from the domain's <interface> is preferred). This, in turn, is passed back to the domain when a port is allocated, so that the domain will use that setting. (One difference from <vlan>, <bandwidth>, <virtualport>, and trustGuestRxFilters, is that all of those can be set in a <portgroup> so that they can be applied only to a subset of interfaces connected to the network. This didn't really make sense for the isolated setting due to the way that it's implemented in Linux - the BR_ISOLATED flag will prevent traffic from passing between two ports that both have BR_ISOLATED set, but traffic can still go between those ports and other ports that *don't* have BR_ISOLATED. (It would be nice if all traffic from a BR_ISOLATED port could be blocked except traffic going to/from a designated egress port or ports, but instead the entire feature is implemented as a single flag. Because of this, it's really only useful if all the ports on a network are isolated, so setting it for a subset has no practical utility.) Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
parent
31d95b182e
commit
de7c347d9b
@ -30886,6 +30886,7 @@ virDomainNetDefToNetworkPort(virDomainDefPtr dom,
|
||||
if (virNetDevVlanCopy(&port->vlan, &iface->vlan) < 0)
|
||||
return NULL;
|
||||
|
||||
port->isolatedPort = iface->isolatedPort;
|
||||
port->trustGuestRxFilters = iface->trustGuestRxFilters;
|
||||
|
||||
return g_steal_pointer(&port);
|
||||
@ -30985,6 +30986,7 @@ virDomainNetDefActualFromNetworkPort(virDomainNetDefPtr iface,
|
||||
if (virNetDevVlanCopy(&actual->vlan, &port->vlan) < 0)
|
||||
goto error;
|
||||
|
||||
actual->isolatedPort = port->isolatedPort;
|
||||
actual->class_id = port->class_id;
|
||||
actual->trustGuestRxFilters = port->trustGuestRxFilters;
|
||||
|
||||
@ -31124,6 +31126,7 @@ virDomainNetDefActualToNetworkPort(virDomainDefPtr dom,
|
||||
if (virNetDevVlanCopy(&port->vlan, &actual->vlan) < 0)
|
||||
return NULL;
|
||||
|
||||
port->isolatedPort = actual->isolatedPort;
|
||||
port->class_id = actual->class_id;
|
||||
port->trustGuestRxFilters = actual->trustGuestRxFilters;
|
||||
|
||||
|
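Review bot: The value copied at `port->isolatedPort = iface->isolatedPort;` in virDomainNetDefToNetworkPort can still be VIR_TRISTATE_BOOL_ABSENT, and nothing in this file resolves it; the fallback to the network's own setting happens only in networkAllocatePort in the bridge driver, which is easy to miss when reading this function alone. A one-line comment above the assignment would make that contract explicit, e.g. `/* may be ABSENT; the network driver substitutes the <network> setting when the port is allocated */`. The mirror copies added in virDomainNetDefActualFromNetworkPort and virDomainNetDefActualToNetworkPort follow the same pattern and need no further note. All three enclosing functions start and end outside the visible hunks.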
@ -4532,6 +4532,9 @@ networkAllocatePort(virNetworkObjPtr obj,
|
||||
port->trustGuestRxFilters = netdef->trustGuestRxFilters;
|
||||
}
|
||||
|
||||
if (port->isolatedPort == VIR_TRISTATE_BOOL_ABSENT)
|
||||
port->isolatedPort = netdef->isolatedPort;
|
||||
|
||||
/* merge virtualports from interface, network, and portgroup to
|
||||
* arrive at actual virtualport to use
|
||||
*/
|
||||
|
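Review bot: The new fallback `if (port->isolatedPort == VIR_TRISTATE_BOOL_ABSENT)` only fills in the network's value when the interface said nothing, so an interface that explicitly sets isolated='no' silently overrides a network configured with isolated='yes'. Given the BR_ISOLATED semantics described in the commit message, such a port can still exchange traffic with every isolated port on the bridge, so a single opt-out undoes the isolation the network administrator configured, with no indication in the logs. At minimum the conflict should be visible: `if (netdef->isolatedPort == VIR_TRISTATE_BOOL_YES && port->isolatedPort == VIR_TRISTATE_BOOL_NO)` followed by `VIR_WARN("interface overrides isolated='yes' of network '%s'", netdef->name);`, and it is worth deciding whether the network setting should instead be authoritative or the mismatch rejected with virReportError. The enclosing networkAllocatePort starts and ends outside the hunk.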