util: query/set BR_ISOLATED flag on netdevs attached to bridge

When this flag is set for an interface attached to a bridge, traffic
to/from the specified interface can only enter/exit the bridge via
another attached interface that *doesn't* have the BR_ISOLATED flag
set. This can be used to permit guests to communicate with the rest of
the network, but not with each other.

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 125d1836ddfff5448325d9756a6bde2caf589ae2..0d281ec7ed192fb2759ee4c6beb0a95a1530f358 100644 (file)
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2554,8 +2554,10 @@ virNetDevBridgeFDBDel;
 virNetDevBridgeGetSTP;
 virNetDevBridgeGetSTPDelay;
 virNetDevBridgeGetVlanFiltering;
+virNetDevBridgePortGetIsolated;
 virNetDevBridgePortGetLearning;
 virNetDevBridgePortGetUnicastFlood;
+virNetDevBridgePortSetIsolated;
 virNetDevBridgePortSetLearning;
 virNetDevBridgePortSetUnicastFlood;
 virNetDevBridgeRemovePort;

diff --git a/src/util/virnetdevbridge.c b/src/util/virnetdevbridge.c
index 769289ae0b7cad5245efcc49f70c33451bc4ab3e..1119846e61e031ed0af563e95decc5d8506210bd 100644 (file)
--- a/src/util/virnetdevbridge.c
+++ b/src/util/virnetdevbridge.c
@@ -311,6 +311,30 @@ virNetDevBridgePortSetUnicastFlood(const char *brname,
 }
 
 
+int
+virNetDevBridgePortGetIsolated(const char *brname,
+                               const char *ifname,
+                               bool *enable)
+{
+    unsigned long value;
+
+    if (virNetDevBridgePortGet(brname, ifname, "isolated", &value) < 0)
+       return -1;
+
+    *enable = !!value;
+    return 0;
+}
+
+
+int
+virNetDevBridgePortSetIsolated(const char *brname,
+                               const char *ifname,
+                               bool enable)
+{
+    return virNetDevBridgePortSet(brname, ifname, "isolated", enable ? 1 : 0);
+}
+
+
 #else
 int
 virNetDevBridgePortGetLearning(const char *brname G_GNUC_UNUSED,
@@ -354,6 +378,28 @@ virNetDevBridgePortSetUnicastFlood(const char *brname G_GNUC_UNUSED,
                          _("Unable to set bridge port unicast_flood on this platform"));
     return -1;
 }
+
+
+int
+virNetDevBridgePortGetIsolated(const char *brname G_GNUC_UNUSED,
+                               const char *ifname G_GNUC_UNUSED,
+                               bool *enable G_GNUC_UNUSED)
+{
+    virReportSystemError(ENOSYS, "%s",
+                         _("Unable to get bridge port isolated on this platform"));
+    return -1;
+}
+
+
+int
+virNetDevBridgePortSetIsolated(const char *brname G_GNUC_UNUSED,
+                               const char *ifname G_GNUC_UNUSED,
+                               bool enable G_GNUC_UNUSED)
+{
+    virReportSystemError(ENOSYS, "%s",
+                         _("Unable to set bridge port isolated on this platform"));
+    return -1;
+}
 #endif
 
 

diff --git a/src/util/virnetdevbridge.h b/src/util/virnetdevbridge.h
index 8137914da83357586b6503fd04de00122ba4fd9d..db4099bf0bd5215791b3d0b47620e5bf2b5d5c0a 100644 (file)
--- a/src/util/virnetdevbridge.h
+++ b/src/util/virnetdevbridge.h
@@ -73,6 +73,15 @@ int virNetDevBridgePortSetUnicastFlood(const char *brname,
                                        const char *ifname,
                                        bool enable)
     ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) G_GNUC_WARN_UNUSED_RESULT;
+int virNetDevBridgePortGetIsolated(const char *brname,
+                                   const char *ifname,
+                                   bool *enable)
+    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
+    G_GNUC_WARN_UNUSED_RESULT;
+int virNetDevBridgePortSetIsolated(const char *brname,
+                                   const char *ifname,
+                                   bool enable)
+    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) G_GNUC_WARN_UNUSED_RESULT;
 
 typedef enum {
     VIR_NETDEVBRIDGE_FDB_FLAG_ROUTER    = (1 << 0),