From: Laine Stump
To: libvir-list@redhat.com
Subject: [PATCH] docs: document port isolated property in domain/network/networkport
Date: Tue, 25 Feb 2020 19:49:56 -0500
Message-Id: <20200226004956.3665484-1-laine@redhat.com>

Signed-off-by: Laine Stump
Reviewed-by: Michal Privoznik
---
I had thought I'd included documentation with the patch that added
parsing/formatting for this, but after crobinso noticed it was missing, I
realized that I had only put documentation in an earlier version of the
patches (that put the option inside ). Oops :-/

 docs/formatdomain.html.in      | 31 +++++++++++++++++++++++++++++++
 docs/formatnetwork.html.in     | 25 +++++++++++++++++++++++++
 docs/formatnetworkport.html.in | 11 +++++++++++
 3 files changed, 67 insertions(+)

diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 4fef2a0a97..28770188dd 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -6539,6 +6539,37 @@ qemu-kvm -net nic,model=3D? /dev/null traffic for that VLAN will be tagged.

=20 +
Isolating guests's network traffic from each= other
+ +
+...
+<devices>
+  <interface type=3D'network'>
+    <source network=3D'default'/>
+    <port isolated=3D'yes'/>
+  </interface>
+</devices>
+...
+ +

+ Since 6.1.0. The port + element property isolated, when set + to yes (default setting is no) is used + to isolate this interface's network traffic from that of other + guest interfaces connected to the same network that also + have <port isolated=3D'yes'/>. This setting is + only supported for emulated interface devices that use a + standard tap device to connect to the network via a Linux host + bridge. This property can be inherited from a libvirt network, + so if all guests that will be connected to the network should be + isolated, it is better to put the setting in the network + configuration. (NB: this only prevents guests that + have isolated=3D'yes' from communicating with each + other; if there is a guest on the same bridge that doesn't + have isolated=3D'yes', even the isolated guests will + be able to communicate with it.) +

+
Modifying virtual link state
 ...
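Review bot: the new section heading reads "Isolating guests's network traffic from each other"; the possessive of the plural is "guests'", so it should be "Isolating guests' network traffic from each other". In the description paragraph the parenthetical "(default setting is no)" needs a comma before "is used to" for the sentence to parse: "when set to yes (default setting is no), is used to isolate this interface's network traffic ...". The paragraph also says the property "can be inherited from a libvirt network" but does not say which value wins when both the network and the interface set isolated explicitly; one sentence on that precedence would keep users from having to find it out by testing.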
diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
index 3d807ecab6..f1e7ce5e4e 100644
--- a/docs/formatnetwork.html.in
+++ b/docs/formatnetwork.html.in
@@ -729,6 +729,31 @@
       or <interface>.
     

=20 +
Isolating ports from one another
+ +
+<network>
+  <name>isolated-ports</name>
+  <forward mode=3D'bridge'/>
+  <bridge name=3D'br0'/>
+  <port isolated=3D'yes'/>
+</network>
+
+ +

+ Since 6.1.0. The port + element property isolated, when set + to yes (default setting is no) is used + to isolate the network traffic of each guest on the network from + all other guests connected to the network; it does not have an + effect on communication between the guests and the host, or + between the guests and destinations beyond this network. This + setting is only supported for networks that use a Linux host + bridge to connect guest interfaces via a standard tap device + (i.e. those with a forward mode of nat, route, open, bridge, or + no forward mode). +

+
Portgroups
=20
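Review bot: the caveat given in the formatdomain.html.in hunk (a guest on the same bridge without isolated='yes' can still reach the isolated guests) is missing here, and it matters most for the forward mode='bridge' example shown, where br0 is a pre-existing host bridge that may carry ports libvirt does not configure; suggest repeating the NB sentence or stating that isolation applies only among ports attached with isolated='yes'. The wording "isolate the network traffic of each guest on the network from all other guests connected to the network" also differs from the other two files, which qualify it with "that also have <port isolated='yes'/>"; the three descriptions should agree. Same missing comma after "(default setting is no)" as in the domain hunk.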
diff --git a/docs/formatnetworkport.html.in b/docs/formatnetworkport.html.in
index 0425e069ce..199a05f929 100644
--- a/docs/formatnetworkport.html.in
+++ b/docs/formatnetworkport.html.in
@@ -84,6 +84,7 @@
     <outbound average=3D'128' peak=3D'256' burst=3D'256'/>
   </bandwidth>
   <rxfilters trustGuest=3D'yes'/>
+  <port isolated=3D'yes'/>
   <virtualport type=3D'802.1Qbg'>
     <parameters managerid=3D'11' typeid=3D'1193047' typeidversion=3D'2'=
/>
   </virtualport>
@@ -110,6 +111,16 @@
         only supported for the virtio device model and for macvtap
         connections on the host.
       
+      
port
+
Since 6.1.0. + The port element property + isolated, when set to yes (default + setting is no) is used to isolate this port's + network traffic from other ports on the same network that also + have <port isolated=3D'yes'/>. This setting + is only supported for emulated network devices connected to a + Linux host bridge via a standard tap device. +
virtualport
The virtualport element describes metadata that needs to be provided to the underlying network subsystem. It --=20 2.24.1