The new attribute "isolated" of linux bridge ports should be configurable by the interface definition in libvirt XML. Since https://github.com/torvalds/linux/commit/7d850abd5f4edb1b1ca4b4141a4453305736f564 the communication of ports of linux bridges can be restricted by this new "isolated" attribute.
Someone in public IRC requested this exact capability. We came up with an nwfilter rule that had the same effect, but supporting the flag on the bridge port would be much more efficient.
(In reply to Laine Stump from comment #1)
> Someone in public IRC requested this exact capability. We came up with an
> nwfilter rule that had the same effect,

The limitations of bug 1651499 and bug 1651467 will be resolved, and no additional configuration like in bug 1009608, which is a, maybe the, new netfilter rule.

> but supporting the flag on the
> bridge port would be much more efficient.
Patches posted upstream: https://www.redhat.com/archives/libvir-list/2020-February/msg00596.html

The config looks like this:

  <portOptions isolated='yes'/>

in either a domain <interface> (to affect a single port) or a <network> (to affect all ports).
Patches were pushed upstream, so it will be in libvirt 6.1.0. The final syntax chosen was:

  <port isolated='yes'/>

in both the network and the interface xml.

commit a378d8fa55c121b5a3c1e575cd986adaa3671e3d
Author: Laine Stump <laine>
Date:   Mon Jan 20 16:27:02 2020 -0500

    util: query/set BR_ISOLATED flag on netdevs attached to bridge

commit 31d95b182e692fb52711c5818780599f440c1f37
Author: Laine Stump <laine>
Date:   Wed Jan 29 10:29:21 2020 -0500

    conf: parse/format <port isolated='yes|no'/>

commit de7c347d9b7c571f19ebe0e9af4c1025a7115b5f
Author: Laine Stump <laine>
Date:   Thu Feb 6 18:15:25 2020 -0500

    network: propagate <port isolated='yes'/> between network and domain

commit 2b8fd7334df62e760d22112cc960b46301d791fc
Author: Laine Stump <laine>
Date:   Thu Feb 13 12:57:47 2020 -0500

    qemu/lxc: plumb isolatedPort from config down through bridge attachment

commit db7f2628841b113c3bc1f2ed1295a0a484ce327f
Author: Laine Stump <laine>
Date:   Fri Feb 14 13:51:31 2020 -0500

    qemu: support updating <port isolated='yes|no'/> during device update

commit ef8de28cb045c7c426392177cb56718dac8b18af
Author: Laine Stump <laine>
Date:   Sun Feb 16 22:34:59 2020 -0500

    conf: extra validation for <port isolated='yes'/>
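As an added example (not libvirt code and not part of this report), a small Python audit that parses the <port isolated=.../> syntax above from domain and network XML and compares the result with the BR_ISOLATED flag the kernel exposes per bridge port in sysfs. It assumes an interface-level <port isolated=.../> overrides the network-wide one, that the flag lives at /sys/class/net/<dev>/brport/isolated, and uses constructed sample XML; SAMPLE_NETWORK, SAMPLE_DOMAIN, expected_isolation and audit are names chosen here.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample XML in the shape of the virsh output quoted in this report.
SAMPLE_NETWORK = """<network><name>isolated-ports</name>
  <forward mode='bridge'/><bridge name='br0'/><port isolated='yes'/></network>"""
SAMPLE_DOMAIN = """<domain type='kvm'><name>rhel</name><devices>
  <interface type='network'><source network='isolated-ports'/>
    <target dev='vnet0'/></interface>
  <interface type='network'><source network='isolated-ports'/>
    <port isolated='no'/><target dev='vnet1'/></interface>
  <interface type='bridge'><source bridge='br1'/>
    <port isolated='yes'/><target dev='vnet2'/></interface>
</devices></domain>"""

def port_isolated(elem):
    """True/False from a <port isolated=.../> child, None when not specified."""
    port = elem.find("port")
    flag = None if port is None else port.get("isolated")
    return None if flag is None else flag == "yes"

def expected_isolation(domain_xml, network_xmls):
    """Map tap device -> whether libvirt should have set BR_ISOLATED on it.
    network_xmls is {network name: net-dumpxml text}. Assumption: an explicit
    <port isolated=.../> on the <interface> overrides the network-wide setting;
    interfaces without <target dev=.../> (domain not running) are skipped."""
    net_isolated = {name: port_isolated(ET.fromstring(x)) or False
                    for name, x in network_xmls.items()}
    result = {}
    for iface in ET.fromstring(domain_xml).iter("interface"):
        target = iface.find("target")
        if target is None:
            continue
        own, src = port_isolated(iface), iface.find("source")
        net = src.get("network") if src is not None else None
        result[target.get("dev")] = own if own is not None else net_isolated.get(net, False)
    return result

def read_sysfs_isolated(dev):
    """Live BR_ISOLATED flag: the kernel exposes it as '1'/'0' under brport/."""
    return Path(f"/sys/class/net/{dev}/brport/isolated").read_text().strip() == "1"

def audit(domain_xml, network_xmls, read_flag=read_sysfs_isolated):
    """Return [(dev, expected, actual)] for every port whose live flag disagrees."""
    mismatches = []
    for dev, want in expected_isolation(domain_xml, network_xmls).items():
        actual = read_flag(dev)
        if actual != want:
            mismatches.append((dev, want, actual))
    return mismatches
```

On a host, `audit(virsh dumpxml output, {name: virsh net-dumpxml output})` with the default reader reports any tap whose kernel flag drifted from what the XML asks for, for example after the update-device sequence in the test log below.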
Hi laine,

I have a question about live update of an interface, please check scenario B step 4: as the interface type changed from "network" to "bridge" in the live xml, live update fails in step 4:
  "error: Operation not supported: unable to change config on 'bridge' network type"
But after updating the type to "network", it updated successfully. Is this expected? Please help to confirm, Thank you!

Test on libvirt-libs-6.3.0-1.module+el8.3.0+6478+69f490bb.x86_64, the result is as expected.

1. network with <port isolated='yes'/> - PASS
2. Interface with <port isolated='yes'/> - PASS
3. live update interface with <port isolated='yes'/> - PASS with interface type as network
4. xml validation for network xml and vm xml - PASS

Details:

A. network with <port isolated='yes'/>

1). define network with <port isolated='yes'/>;
# cat isolated-ports.xml
<network>
  <name>isolated-ports</name>
  <uuid>84f510a1-ae1d-4a73-a84e-7123d749ca8f</uuid>
  <forward mode='bridge'/>
  <bridge name='br0'/>
  <port isolated='yes'/>
</network>
# virsh net-define isolated-ports.xml
# virsh net-start isolated-ports

2). start 2 VMs connected to the network;

3). login one of the VMs and ping the other VM:
[root@dhcp182-254 ~]# ping 10.10.181.68
PING 10.10.181.68 (10.10.181.68) 56(84) bytes of data.
From 10.10.182.254 icmp_seq=1 Destination Host Unreachable
From 10.10.182.254 icmp_seq=2 Destination Host Unreachable
...

B. interface with <port isolated='yes'/>

1). Prepare network and vm
# virsh net-dumpxml isolated-ports
<network>
  <name>isolated-ports</name>
  <uuid>84f510a1-ae1d-4a73-a84e-7123d749ca8f</uuid>
  <forward mode='bridge'/>
  <bridge name='br0'/>
</network>
# virsh dumpxml rhel | grep /interface -B6
    <interface type='network'>
      <mac address='52:54:00:96:fe:66'/>
      <source network='isolated-ports'/>
      <port isolated='yes'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
    </interface>
# virsh dumpxml rhel-clone | grep /interface -B6
    <interface type='network'>
      <mac address='52:54:00:0f:7b:6e'/>
      <source network='isolated-ports'/>
      <port isolated='yes'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
    </interface>

2) Start the vm:
# virsh start rhel; virsh start rhel-clone
Domain rhel started
Domain rhel-clone started

3) Check the network function: on vm1 ping vm2:
# ping 10.10.181.117
PING 10.10.181.117 (10.10.181.117) 56(84) bytes of data.
From 10.10.182.175 icmp_seq=1 Destination Host Unreachable
From 10.10.182.175 icmp_seq=2 Destination Host Unreachable
...

4) live update the interface:
# virsh dumpxml rhel | grep /interface -B8
    <interface type='bridge'>
      <mac address='52:54:00:96:fe:66'/>
      <source network='isolated-ports' portid='df9a858b-3e03-457b-b35f-454fb928e45b' bridge='br0'/>
      <port isolated='yes'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
    </interface>
# virsh dumpxml rhel | grep /interface -B8 > interface.xml
edit the xml to be:
# cat interface.xml
    <interface type='bridge'>
      <mac address='52:54:00:96:fe:66'/>
      <source network='isolated-ports' portid='df9a858b-3e03-457b-b35f-454fb928e45b' bridge='br0'/>
      <port isolated='no'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
    </interface>
# virsh update-device rhel interface.xml
error: Failed to update device from interface.xml
error: Operation not supported: unable to change config on 'bridge' network type

5) edit the update xml to be:
# cat interface2.xml
    <interface type='network'>
      <mac address='52:54:00:96:fe:66'/>
      <source network='isolated-ports' portid='df9a858b-3e03-457b-b35f-454fb928e45b' bridge='br0'/>
      <port isolated='no'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
    </interface>
# virsh update-device rhel interface2.xml
Device updated successfully

on vm1 ping vm2:
# ping 10.10.182.175
PING 10.10.182.175 (10.10.182.175) 56(84) bytes of data.
64 bytes from 10.10.182.175: icmp_seq=1 ttl=64 time=0.336 ms
64 bytes from 10.10.182.175: icmp_seq=2 ttl=64 time=0.272 ms
...
Sorry for the delay. So, this isn't related to the isolated attribute - you're incorrectly using the status XML as a template for changing the current interface (you should use the config XML instead), but this *is* incorrect behavior. Consider the case where the original config was:

  <interface type='network'>
    <source network='bridgenet'/>
    ...
  </interface>

and the updated interface config was:

  <interface type='bridge'>
    <source bridge='br1'/>
    ...
  </interface>

We should be able to handle that properly, and we don't. I've made a patch for it that I'm posting upstream. It is *not* related to the port isolation feature though, so should not hold up resolution of this BZ.
Get it, Thank you!

Verify this bug with comment 9.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (virt:8.3 bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5137