util: query/set BR_ISOLATED flag on netdevs attached to bridge

When this flag is set for an interface attached to a bridge, traffic
to/from the specified interface can only enter/exit the bridge via
another attached interface that *doesn't* have the BR_ISOLATED flag
set. This can be used to permit guests to communicate with the rest of
the network, but not with each other.
Signed-off-by: NLaine Stump <laine@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>

src/libvirt_private.syms

@@ -2554,8 +2554,10 @@ virNetDevBridgeFDBDel;
 virNetDevBridgeGetSTP;
 virNetDevBridgeGetSTPDelay;
 virNetDevBridgeGetVlanFiltering;
+virNetDevBridgePortGetIsolated;
 virNetDevBridgePortGetLearning;
 virNetDevBridgePortGetUnicastFlood;
+virNetDevBridgePortSetIsolated;
 virNetDevBridgePortSetLearning;
 virNetDevBridgePortSetUnicastFlood;
 virNetDevBridgeRemovePort;

src/util/virnetdevbridge.c

@@ -311,6 +311,30 @@ virNetDevBridgePortSetUnicastFlood(const char *brname,
 }
 
 
+int
+virNetDevBridgePortGetIsolated(const char *brname,
+                               const char *ifname,
+                               bool *enable)
+{
+    unsigned long value;
+
+    if (virNetDevBridgePortGet(brname, ifname, "isolated", &value) < 0)
+       return -1;
+
+    *enable = !!value;
+    return 0;
+}
+
+
+int
+virNetDevBridgePortSetIsolated(const char *brname,
+                               const char *ifname,
+                               bool enable)
+{
+    return virNetDevBridgePortSet(brname, ifname, "isolated", enable ? 1 : 0);
+}
+
+
 #else
 int
 virNetDevBridgePortGetLearning(const char *brname G_GNUC_UNUSED,
@@ -354,6 +378,28 @@ virNetDevBridgePortSetUnicastFlood(const char *brname G_GNUC_UNUSED,
                          _("Unable to set bridge port unicast_flood on this platform"));
     return -1;
 }
+
+
+int
+virNetDevBridgePortGetIsolated(const char *brname G_GNUC_UNUSED,
+                               const char *ifname G_GNUC_UNUSED,
+                               bool *enable G_GNUC_UNUSED)
+{
+    virReportSystemError(ENOSYS, "%s",
+                         _("Unable to get bridge port isolated on this platform"));
+    return -1;
+}
+
+
+int
+virNetDevBridgePortSetIsolated(const char *brname G_GNUC_UNUSED,
+                               const char *ifname G_GNUC_UNUSED,
+                               bool enable G_GNUC_UNUSED)
+{
+    virReportSystemError(ENOSYS, "%s",
+                         _("Unable to set bridge port isolated on this platform"));
+    return -1;
+}
 #endif
 
 

src/util/virnetdevbridge.h

@@ -73,6 +73,15 @@ int virNetDevBridgePortSetUnicastFlood(const char *brname,
                                        const char *ifname,
                                        bool enable)
     ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) G_GNUC_WARN_UNUSED_RESULT;
+int virNetDevBridgePortGetIsolated(const char *brname,
+                                   const char *ifname,
+                                   bool *enable)
+    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
+    G_GNUC_WARN_UNUSED_RESULT;
+int virNetDevBridgePortSetIsolated(const char *brname,
+                                   const char *ifname,
+                                   bool enable)
+    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) G_GNUC_WARN_UNUSED_RESULT;
 
 typedef enum {
     VIR_NETDEVBRIDGE_FDB_FLAG_ROUTER    = (1 << 0),