On Sun, Feb 16, 2020 at 11:22:55PM -0500, Laine Stump wrote:
Similar to the way that the <vlan>, <bandwidth>, and <virtualport> elements and the trustGuestRxFilters attribute in a <network> (or in the appropriate <portgroup> element of a <network>) can be applied to a port when it is allocated for a domain's network interface, this patch checks for a configured value of <portOptions isolated="yes|no"/> in either the domain <interface> or in the network, setting isolatedPort in the <networkport> to the first one it finds (the setting from the domain's <interface> is preferred). This, in turn, is passed back to the domain when a port is allocated, so that the domain will use that setting.

(One difference from <vlan>, <bandwidth>, <virtualport>, and trustGuestRxFilters, is that all of those can be set in a <portgroup> so that they can be applied only to a subset of interfaces connected to the network. This didn't really make sense for the isolated setting due to the way that it's implemented in Linux - the BR_ISOLATED flag will prevent traffic from passing between two ports that both have BR_ISOLATED set, but traffic can still go between those ports and other ports that *don't* have BR_ISOLATED. (It would be nice if all traffic from a BR_ISOLATED port could be blocked except traffic going to/from a designated egress port or ports, but instead the entire feature is implemented as a single flag. Because of this, it's really only useful if all the ports on a network are isolated, so setting it for a subset has no practical utility.))

Signed-off-by: Laine Stump <la...@redhat.com>
---
 src/conf/domain_conf.c      | 3 +++
 src/network/bridge_driver.c | 3 +++
 2 files changed, 6 insertions(+)
Reviewed-by: Ján Tomko <jto...@redhat.com>

Jano