[lxc-devel] [lxd/master] lxd/device: Add support for bridge port isolation

matthewa150 on Github lxc-bot at linuxcontainers.org
Wed Dec 9 21:30:10 UTC 2020


From 9076661eccd4e6389d3bd795fca78a50cca83fb1 Mon Sep 17 00:00:00 2001
From: Matthew Anderson <manders at pop-os.localdomain>
Date: Wed, 9 Dec 2020 15:28:42 -0600
Subject: [PATCH] lxd/device: Add support for bridge port isolation

---
 lxd/device/nic.go         | 1 +
 lxd/device/nic_bridged.go | 9 +++++++++
 2 files changed, 10 insertions(+)

diff --git a/lxd/device/nic.go b/lxd/device/nic.go
index 3aa3d164c2..133185b92b 100644
--- a/lxd/device/nic.go
+++ b/lxd/device/nic.go
@@ -21,6 +21,7 @@ func nicValidationRules(requiredFields []string, optionalFields []string) map[st
 		"security.mac_filtering":  validate.IsAny,
 		"security.ipv4_filtering": validate.IsAny,
 		"security.ipv6_filtering": validate.IsAny,
+		"security.port_isolation": validate.IsAny,
 		"maas.subnet.ipv4":        validate.IsAny,
 		"maas.subnet.ipv6":        validate.IsAny,
 		"ipv4.address":            validate.Optional(validate.IsNetworkAddressV4),
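Review bot: `validate.IsAny` accepts any string for `security.port_isolation`, yet Start() consumes the key through `shared.IsTrue`, so a mistyped value such as `"ture"` passes validation and is silently treated as "isolation off" — for a security knob a typo should be rejected at config time rather than quietly disable the protection. The neighbouring `security.*_filtering` keys use `IsAny` as well, so the new line follows the file's pattern, but the validate package does offer a boolean validator, and this is the natural place to use it: `"security.port_isolation": validate.IsBool,`. The same key is added to the optional-field list in nic_bridged.go's validateConfig, which needs no further change. nicValidationRules continues outside the hunk.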
diff --git a/lxd/device/nic_bridged.go b/lxd/device/nic_bridged.go
index 8e43cdfbce..23d9bdbc60 100644
--- a/lxd/device/nic_bridged.go
+++ b/lxd/device/nic_bridged.go
@@ -64,6 +64,7 @@ func (d *nicBridged) validateConfig(instConf instance.ConfigReader) error {
 		"security.mac_filtering",
 		"security.ipv4_filtering",
 		"security.ipv6_filtering",
+		"security.port_isolation",
 		"maas.subnet.ipv4",
 		"maas.subnet.ipv6",
 		"boot.priority",
@@ -309,6 +310,14 @@ func (d *nicBridged) Start() (*deviceConfig.RunConfig, error) {
 		return nil, err
 	}
 
+	// Attempt to enable port isolation
+	if !strings.HasPrefix(saveData["host_name"], "tunnel.") && shared.IsTrue(d.config["security.port_isolation"]) {
+		_, err = shared.RunCommand("bridge", "link", "set", "dev", saveData["host_name"], "isolated", "on")
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	// Detech bridge type and setup VLAN settings on bridge port.
 	if network.IsNativeBridge(d.config["parent"]) {
 		err = d.setupNativeBridgePortVLANs(saveData["host_name"])
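Review bot: The `bridge link set ... isolated on` call is issued before the `network.IsNativeBridge(d.config["parent"])` check on the line that follows it, so with an OVS parent and `security.port_isolation=true` a native-bridge command is run against a port OVS owns; it will presumably fail and the instance refuses to start with an unexplained exec error. Failing closed is the right outcome for a security option, but the gate should read `if network.IsNativeBridge(d.config["parent"]) && shared.IsTrue(d.config["security.port_isolation"]) {`, with the OVS combination rejected in validateConfig so the operator learns about it before start, and the bare `return nil, err` should carry context, e.g. `return nil, fmt.Errorf("Failed to enable port isolation on %q: %w", saveData["host_name"], err)` (or whatever wrapping helper the file already uses). The `strings.HasPrefix(saveData["host_name"], "tunnel.")` exclusion has no comment saying why tunnel ports are skipped; the `// Attempt to enable port isolation` comment should state that reason. Only Start applies the flag, so if this key can be changed on a running instance (not visible here) the Update path would need the same call. Start continues outside the hunk.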

