[lxc-devel] [lxd/master] lxd/device: Add support for bridge port isolation
matthewa150 on Github
lxc-bot at linuxcontainers.org
Wed Dec 9 21:30:10 UTC 2020
From 9076661eccd4e6389d3bd795fca78a50cca83fb1 Mon Sep 17 00:00:00 2001
From: Matthew Anderson <manders at pop-os.localdomain>
Date: Wed, 9 Dec 2020 15:28:42 -0600
Subject: [PATCH] lxd/device: Add support for bridge port isolation
---
lxd/device/nic.go | 1 +
lxd/device/nic_bridged.go | 9 +++++++++
2 files changed, 10 insertions(+)
diff --git a/lxd/device/nic.go b/lxd/device/nic.go
index 3aa3d164c2..133185b92b 100644
--- a/lxd/device/nic.go
+++ b/lxd/device/nic.go
@@ -21,6 +21,7 @@ func nicValidationRules(requiredFields []string, optionalFields []string) map[st
"security.mac_filtering": validate.IsAny,
"security.ipv4_filtering": validate.IsAny,
"security.ipv6_filtering": validate.IsAny,
+ "security.port_isolation": validate.IsAny,
"maas.subnet.ipv4": validate.IsAny,
"maas.subnet.ipv6": validate.IsAny,
"ipv4.address": validate.Optional(validate.IsNetworkAddressV4),
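Review bot: `security.port_isolation` is registered with `validate.IsAny`, so a mistyped value such as `"ture"` passes validation and, because the consumer tests it with `shared.IsTrue`, silently leaves isolation off — a fail-open default for a `security.*` key. `validate.Optional(validate.IsBool)` would reject anything but a boolean-ish string at config time instead. The sibling filtering keys use `IsAny` too, so either keep that convention deliberately or tighten all four together. nicValidationRules starts and ends outside the hunk.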
diff --git a/lxd/device/nic_bridged.go b/lxd/device/nic_bridged.go
index 8e43cdfbce..23d9bdbc60 100644
--- a/lxd/device/nic_bridged.go
+++ b/lxd/device/nic_bridged.go
@@ -64,6 +64,7 @@ func (d *nicBridged) validateConfig(instConf instance.ConfigReader) error {
"security.mac_filtering",
"security.ipv4_filtering",
"security.ipv6_filtering",
+ "security.port_isolation",
"maas.subnet.ipv4",
"maas.subnet.ipv6",
"boot.priority",
@@ -309,6 +310,14 @@ func (d *nicBridged) Start() (*deviceConfig.RunConfig, error) {
return nil, err
}
+ // Attempt to enable port isolation
+ if !strings.HasPrefix(saveData["host_name"], "tunnel.") && shared.IsTrue(d.config["security.port_isolation"]) {
+ _, err = shared.RunCommand("bridge", "link", "set", "dev", saveData["host_name"], "isolated", "on")
+ if err != nil {
+ return nil, err
+ }
+ }
+
// Detech bridge type and setup VLAN settings on bridge port.
if network.IsNativeBridge(d.config["parent"]) {
err = d.setupNativeBridgePortVLANs(saveData["host_name"])
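Review bot: The new `bridge link set dev … isolated on` call runs for every parent, but `isolated` is a native Linux bridge port flag, and the code immediately below already branches on `network.IsNativeBridge(d.config["parent"])` for that reason; on an OVS parent the command would presumably fail (or touch a port that is not on a Linux bridge) and abort Start with an opaque error. Gate it the same way, `if !strings.HasPrefix(saveData["host_name"], "tunnel.") && network.IsNativeBridge(d.config["parent"]) && shared.IsTrue(d.config["security.port_isolation"]) {`, or better return a clear error from validateConfig when the key is set on a non-native parent. A comment on the call should also state the scope of the guarantee, e.g. `// Isolated ports cannot forward to each other; they can still reach non-isolated ports and the bridge interface itself.` The diffstat shows no documentation or API-extension change for the new key. Start's body begins and ends outside the hunk.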