From nobody Wed May 1 19:20:48 2024
+... +<devices> + <interface type=3D'network'> + <source network=3D'default'/> + <port isolated=3D'yes'/> + </interface> +</devices> +...+ +
+ Since 6.1.0. The port
+ element property isolated
, when set
+ to yes
(default setting is no
) is used
+ to isolate this interface's network traffic from that of other
+ guest interfaces connected to the same network that also
+ have <port isolated=3D'yes'/>
. This setting is
+ only supported for emulated interface devices that use a
+ standard tap device to connect to the network via a Linux host
+ bridge. This property can be inherited from a libvirt network,
+ so if all guests that will be connected to the network should be
+ isolated, it is better to put the setting in the network
+ configuration. (NB: this only prevents guests that
+ have isolated=3D'yes'
from communicating with each
+ other; if there is a guest on the same bridge that doesn't
+ have isolated=3D'yes'
, even the isolated guests will
+ be able to communicate with it.)
+
... diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in index 3d807ecab6..f1e7ce5e4e 100644 --- a/docs/formatnetwork.html.in +++ b/docs/formatnetwork.html.in @@ -729,6 +729,31 @@ or<interface>
. =20 +Isolating ports from one another
+ ++<network> + <name>isolated-ports</name> + <forward mode=3D'bridge'/> + <bridge name=3D'br0'/> + <port isolated=3D'yes'/> +</network> ++ ++ Since 6.1.0. The
+port
+ element propertyisolated
, when set + toyes
(default setting isno
) is used + to isolate the network traffic of each guest on the network from + all other guests connected to the network; it does not have an + effect on communication between the guests and the host, or + between the guests and destinations beyond this network. This + setting is only supported for networks that use a Linux host + bridge to connect guest interfaces via a standard tap device + (i.e. those with a forward mode of nat, route, open, bridge, or + no forward mode). +Portgroups
=20diff --git a/docs/formatnetworkport.html.in b/docs/formatnetworkport.html.in index 0425e069ce..199a05f929 100644 --- a/docs/formatnetworkport.html.in +++ b/docs/formatnetworkport.html.in @@ -84,6 +84,7 @@ <outbound average=3D'128' peak=3D'256' burst=3D'256'/> </bandwidth> <rxfilters trustGuest=3D'yes'/> + <port isolated=3D'yes'/> <virtualport type=3D'802.1Qbg'> <parameters managerid=3D'11' typeid=3D'1193047' typeidversion=3D'2'= /> </virtualport> @@ -110,6 +111,16 @@ only supported for the virtio device model and for macvtap connections on the host. +
port
port
element property
+ isolated
, when set to yes
(default
+ setting is no
) is used to isolate this port's
+ network traffic from other ports on the same network that also
+ have <port isolated=3D'yes'/>
. This setting
+ is only supported for emulated network devices connected to a
+ Linux host bridge via a standard tap device.
+ virtualport
virtualport
element describes metadata that
needs to be provided to the underlying network subsystem. It
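Review bot: In the formatdomain hunk, the sentence "This property can be inherited from a libvirt network" leaves the precedence undocumented: the text should say what the effective value is when the interface's `<port isolated=.../>` and the network's setting disagree (for example network `yes` and interface `no`), since a reader configuring per-guest isolation needs to know whether the domain setting can override the network one. The NB paragraph is also the only place the caveat about a non-isolated port on the "same bridge" appears; it would help to state here, as the formatnetwork hunk does, that guest-to-host and guest-to-beyond-the-network traffic is unaffected, because the host's own bridge port is exactly such a non-isolated port.

Review bot: In the formatnetwork hunk, the supported-modes list "(i.e. those with a forward mode of nat, route, open, bridge, or no forward mode)" includes `bridge` mode, where the named host bridge (`<bridge name=3D'br0'/>` in the example) is not managed by libvirt and may carry other non-isolated ports (physical uplinks, other VMs attached directly by bridge name). Given the formatdomain NB that any non-isolated guest on the bridge can still reach the isolated ones, this section should carry the same caveat or point to it, rather than stating unconditionally that each guest is isolated "from all other guests connected to the network".

Review bot: In the formatnetworkport hunk, the new description of `isolated` ("is used to isolate this port's network traffic from other ports on the same network that also have <port isolated=3D'yes'/>") does not say whether the value shown in a network port's XML is the effective value after inheritance from the network or only what the domain requested; since the formatdomain text says the property can be inherited, the port document is the natural place to state which one is reported, so tooling that reads port XML to audit isolation knows what it is looking at.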
--=20
2.24.1