The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/8234


=== Description (from pull-request) ===
This is a preliminary pull request to discuss the implementation of this addition.
From 9076661eccd4e6389d3bd795fca78a50cca83fb1 Mon Sep 17 00:00:00 2001
From: Matthew Anderson <manders@pop-os.localdomain>
Date: Wed, 9 Dec 2020 15:28:42 -0600
Subject: [PATCH] lxd/device: Add support for bridge port isolation

---
 lxd/device/nic.go         | 1 +
 lxd/device/nic_bridged.go | 9 +++++++++
 2 files changed, 10 insertions(+)

diff --git a/lxd/device/nic.go b/lxd/device/nic.go
index 3aa3d164c2..133185b92b 100644
--- a/lxd/device/nic.go
+++ b/lxd/device/nic.go
@@ -21,6 +21,7 @@ func nicValidationRules(requiredFields []string, 
optionalFields []string) map[st
                "security.mac_filtering":  validate.IsAny,
                "security.ipv4_filtering": validate.IsAny,
                "security.ipv6_filtering": validate.IsAny,
+               "security.port_isolation": validate.IsAny,
                "maas.subnet.ipv4":        validate.IsAny,
                "maas.subnet.ipv6":        validate.IsAny,
                "ipv4.address":            
validate.Optional(validate.IsNetworkAddressV4),
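Review bot: `validate.IsAny` on the new `security.port_isolation` key accepts any string, so a mistyped value such as `ture` passes validation, and the `shared.IsTrue(...)` test added in `Start()` would then presumably leave the port un-isolated without any error. For a security toggle that is a fail-open; a boolean validator, e.g. `"security.port_isolation": validate.Optional(validate.IsBool),`, would reject the typo when the config is set. The neighbouring `security.*_filtering` keys use the same permissive rule but are not touched by this change. The map literal and nicValidationRules continue outside the hunk.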
diff --git a/lxd/device/nic_bridged.go b/lxd/device/nic_bridged.go
index 8e43cdfbce..23d9bdbc60 100644
--- a/lxd/device/nic_bridged.go
+++ b/lxd/device/nic_bridged.go
@@ -64,6 +64,7 @@ func (d *nicBridged) validateConfig(instConf 
instance.ConfigReader) error {
                "security.mac_filtering",
                "security.ipv4_filtering",
                "security.ipv6_filtering",
+               "security.port_isolation",
                "maas.subnet.ipv4",
                "maas.subnet.ipv6",
                "boot.priority",
@@ -309,6 +310,14 @@ func (d *nicBridged) Start() (*deviceConfig.RunConfig, 
error) {
                return nil, err
        }
 
+       // Attempt to enable port isolation
+       if !strings.HasPrefix(saveData["host_name"], "tunnel.") && 
shared.IsTrue(d.config["security.port_isolation"]) {
+               _, err = shared.RunCommand("bridge", "link", "set", "dev", 
saveData["host_name"], "isolated", "on")
+               if err != nil {
+                       return nil, err
+               }
+       }
+
        // Detech bridge type and setup VLAN settings on bridge port.
        if network.IsNativeBridge(d.config["parent"]) {
                err = d.setupNativeBridgePortVLANs(saveData["host_name"])
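Review bot: The `bridge link set dev ... isolated on` call sits before the `network.IsNativeBridge(d.config["parent"])` check, so it is attempted for every parent type; on a non-native parent it will presumably either abort the start with a bare command error or not take effect. Conversely, when `host_name` starts with `tunnel.` the block is skipped silently even though `security.port_isolation` is true, leaving a requested isolation control off with no log line or error. Consider moving the call into the native-bridge branch, returning an explicit error for parents or interfaces that cannot be isolated, and wrapping the `RunCommand` error with the interface name so a kernel or iproute2 without the `isolated` flag is diagnosable. The comment could also state the scope, e.g. `// Isolated ports cannot talk to each other but can still reach non-isolated ports on the bridge.` Start() begins and ends outside this hunk.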