External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-10-03 04:45:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

network: propagate <port isolated='yes'/> between network and domain

Browse Source 
Similar to the way that the <vlan>, <bandwidth>, and <virtualport>
elements and the trustGuestRxFilters attribute in a <network> (or in
the appropriate <portgroup> element of a <network> can be applied to a
port when it is allocated for a domain's network interface, this patch
checks for a configured value of <port isolated="yes|no"/> in
either the domain <interface> or in the network, setting isolatedPort
in the <networkport> to the first one it finds (the setting from the
domain's <interface> is preferred). This, in turn, is passed back to
the domain when a port is allocated, so that the domain will use that
setting.

(One difference from <vlan>, <bandwidth>, <virtualport>, and
trustGuestRxFilters, is that all of those can be set in a <portgroup>
so that they can be applied only to a subset of interfaces connected
to the network. This didn't really make sense for the isolated setting
due to the way that it's implemented in Linux - the BR_ISOLATED flag
will prevent traffic from passing between two ports that both have
BR_ISOLATED set, but traffic can still go between those ports and
other ports that *don't* have BR_ISOLATED. (It would be nice if all
traffic from a BR_ISOLATED port could be blocked except traffic going
to/from a designated egress port or ports, but instead the entire
feature is implemented as a single flag. Because of this, it's really
only useful if all the ports on a network are isolated, so setting it
for a subset has no practical utility.)

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
This commit is contained in:
Laine Stump 2020-02-06 18:15:25 -05:00
parent 31d95b182e
commit de7c347d9b
2 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/conf/domain_conf.c
View File

@ -30886,6 +30886,7 @@ virDomainNetDefToNetworkPort(virDomainDefPtr dom,
if (virNetDevVlanCopy(&port->vlan, &iface->vlan) < 0)
return NULL;
port->isolatedPort = iface->isolatedPort;
port->trustGuestRxFilters = iface->trustGuestRxFilters;
return g_steal_pointer(&port);
@ -30985,6 +30986,7 @@ virDomainNetDefActualFromNetworkPort(virDomainNetDefPtr iface,
if (virNetDevVlanCopy(&actual->vlan, &port->vlan) < 0)
goto error;
actual->isolatedPort = port->isolatedPort;
actual->class_id = port->class_id;
actual->trustGuestRxFilters = port->trustGuestRxFilters;
@ -31124,6 +31126,7 @@ virDomainNetDefActualToNetworkPort(virDomainDefPtr dom,
if (virNetDevVlanCopy(&port->vlan, &actual->vlan) < 0)
return NULL;
port->isolatedPort = actual->isolatedPort;
port->class_id = actual->class_id;
port->trustGuestRxFilters = actual->trustGuestRxFilters;

3
src/network/bridge_driver.c
View File

@ -4532,6 +4532,9 @@ networkAllocatePort(virNetworkObjPtr obj,
port->trustGuestRxFilters = netdef->trustGuestRxFilters;
}
if (port->isolatedPort == VIR_TRISTATE_BOOL_ABSENT)
port->isolatedPort = netdef->isolatedPort;
/* merge virtualports from interface, network, and portgroup to
* arrive at actual virtualport to use
*/