From: Laine Stump
Date: Thu, 6 Feb 2020 23:15:25 +0000 (-0500)
Subject: network: propagate between network and domain
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=de7c347d9b7c571f19ebe0e9af4c1025a7115b5f;p=libvirt.git

network: propagate between network and domain

Similar to the way that the , , and elements and the trustGuestRxFilters attribute in a (or in the appropriate element of a can be applied to a port when it is allocated for a domain's network interface, this patch checks for a configured value of in either the domain or in the network, setting isolatedPort in the to the first one it finds (the setting from the domain's is preferred). This, in turn, is passed back to the domain when a port is allocated, so that the domain will use that setting.

(One difference from , , , and trustGuestRxFilters is that all of those can be set in a so that they can be applied only to a subset of interfaces connected to the network. This didn't really make sense for the isolated setting due to the way that it's implemented in Linux - the BR_ISOLATED flag will prevent traffic from passing between two ports that both have BR_ISOLATED set, but traffic can still go between those ports and other ports that *don't* have BR_ISOLATED. (It would be nice if all traffic from a BR_ISOLATED port could be blocked except traffic going to/from a designated egress port or ports, but instead the entire feature is implemented as a single flag. Because of this, it's really only useful if all the ports on a network are isolated, so setting it for a subset has no practical utility.)

Signed-off-by: Laine Stump
Reviewed-by: Ján Tomko
---
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index e34e6ad372..d88947c131 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -30886,6 +30886,7 @@ virDomainNetDefToNetworkPort(virDomainDefPtr dom, if (virNetDevVlanCopy(&port->vlan, &iface->vlan) < 0) return NULL; + port->isolatedPort = iface->isolatedPort; port->trustGuestRxFilters = iface->trustGuestRxFilters; return g_steal_pointer(&port); @@ -30985,6 +30986,7 @@ virDomainNetDefActualFromNetworkPort(virDomainNetDefPtr iface, if (virNetDevVlanCopy(&actual->vlan, &port->vlan) < 0) goto error; + actual->isolatedPort = port->isolatedPort; actual->class_id = port->class_id; actual->trustGuestRxFilters = port->trustGuestRxFilters; @@ -31124,6 +31126,7 @@ virDomainNetDefActualToNetworkPort(virDomainDefPtr dom, if (virNetDevVlanCopy(&port->vlan, &actual->vlan) < 0) return NULL; + port->isolatedPort = actual->isolatedPort; port->class_id = actual->class_id; port->trustGuestRxFilters = actual->trustGuestRxFilters; diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index e826f608da..0048907f6c 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -4532,6 +4532,9 @@ networkAllocatePort(virNetworkObjPtr obj, port->trustGuestRxFilters = netdef->trustGuestRxFilters; } + if (port->isolatedPort == VIR_TRISTATE_BOOL_ABSENT) + port->isolatedPort = netdef->isolatedPort; + /* merge virtualports from interface, network, and portgroup to * arrive at actual virtualport to use */
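Review bot: the three domain_conf.c hunks (virDomainNetDefToNetworkPort, virDomainNetDefActualFromNetworkPort, virDomainNetDefActualToNetworkPort) copy isolatedPort in both directions between the interface definition and the network port, so whatever value networkAllocatePort settles on is written back into the interface's actual state and will be visible in the running domain's config; that round trip (interface leaves the value unset, the network sets it, the allocated port and the actual interface both end up with the network's value) is the behaviour worth pinning with a test, and none is in this diff.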
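Review bot: in the networkAllocatePort hunk, `if (port->isolatedPort == VIR_TRISTATE_BOOL_ABSENT) port->isolatedPort = netdef->isolatedPort;` correctly gives an explicit interface setting precedence and uses the network's value only as a default, but unlike the trustGuestRxFilters handling it follows (which the commit message says can also come from a portgroup) it deliberately does not consult the portgroup, and the reason (BR_ISOLATED is a single per-port flag, so isolating a subset of ports is not useful) lives only in the commit message; suggest a one-line comment above the check saying the portgroup is intentionally skipped so a later reader does not "fix" the asymmetry, and a mention of the domain-wins precedence rule in the network and domain XML format docs, which this diff does not touch.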
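To make the two rules in the commit message concrete, here is an added model (not libvirt code, and not part of this commit) of the precedence applied in networkAllocatePort and of the Linux bridge BR_ISOLATED forwarding semantics the message describes. The `tristate` enum is a local stand-in for libvirt's VIR_TRISTATE_BOOL_* values, the port names and their settings are constructed sample data, and `reachable_pairs` is a helper invented here to count which ordered (source, destination) port pairs the bridge would still forward between.

```c
/* Added illustration (not libvirt code): models the two rules the commit
 * describes.  1) the tristate merge in networkAllocatePort: the domain's
 * interface setting wins, the network's setting only fills in ABSENT;
 * 2) the Linux bridge BR_ISOLATED semantics: a frame is dropped only when
 * BOTH the ingress and the egress port carry the flag. */
#include <stdbool.h>
#include <stddef.h>

/* Local stand-in for libvirt's VIR_TRISTATE_BOOL_{ABSENT,YES,NO}
 * (assumption: same three-valued meaning as in the patch). */
enum tristate { TRI_ABSENT = 0, TRI_YES, TRI_NO };

/* Rule 1: the effective per-port value after allocation. */
static enum tristate resolve_isolated(enum tristate domain_iface,
                                      enum tristate network)
{
    return domain_iface == TRI_ABSENT ? network : domain_iface;
}

/* Rule 2: would a bridge with BR_ISOLATED semantics forward a frame from
 * src to dst?  Only an isolated -> isolated pair is blocked. */
static bool br_can_forward(bool src_isolated, bool dst_isolated)
{
    return !(src_isolated && dst_isolated);
}

#define MAX_PORTS 8

struct port {
    const char *name;
    enum tristate domain_setting;   /* value from the domain's interface */
};

/* Count the ordered (src, dst) pairs of distinct ports that can still
 * exchange traffic once every port has been allocated on a network whose
 * own setting is network_setting.  Returns -1 if there are too many ports. */
static int reachable_pairs(const struct port *ports, size_t n,
                           enum tristate network_setting)
{
    bool isolated[MAX_PORTS];
    int pairs = 0;

    if (n > MAX_PORTS)
        return -1;
    for (size_t i = 0; i < n; i++)
        isolated[i] = resolve_isolated(ports[i].domain_setting,
                                       network_setting) == TRI_YES;
    for (size_t s = 0; s < n; s++)
        for (size_t d = 0; d < n; d++)
            if (s != d && br_can_forward(isolated[s], isolated[d]))
                pairs++;
    return pairs;
}

/* Constructed sample: three guests on one network.  guest-c explicitly
 * opts out of isolation in its own interface configuration. */
static const struct port sample[] = {
    { "guest-a", TRI_ABSENT },
    { "guest-b", TRI_ABSENT },
    { "guest-c", TRI_NO },
};
static const size_t sample_len = sizeof(sample) / sizeof(sample[0]);

/* Network says isolated: a and b are cut off from each other, but both
 * still reach c in either direction, so 4 of the 6 ordered pairs pass.
 * This is the "single flag" limitation the commit message describes. */
static int sample_isolated_network(void)
{
    return reachable_pairs(sample, sample_len, TRI_YES);
}

/* Network silent and no interface says yes: nothing is isolated, all 6
 * ordered pairs pass. */
static int sample_unset_network(void)
{
    return reachable_pairs(sample, sample_len, TRI_ABSENT);
}

int main(void)
{
    return (sample_isolated_network() == 4 &&
            sample_unset_network() == 6) ? 0 : 1;
}
```

The point the sample makes is the one in the commit message: a single port that is not isolated (here guest-c, by its own interface setting) remains reachable from every isolated port, so the isolation guarantee only holds when every port on the network ends up with the flag set.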