From fc6fae2548ddc7fe353f6d26741fd2d5c4408493 Mon Sep 17 00:00:00 2001
From: Nir Soffer
Date: Wed, 12 Feb 2025 22:37:03 +0200
Subject: [PATCH] Add --enable-isolation option

Vmnet provides an option to isolate vment guests. Supporting it is trivial so lets add it.

/*!
 * @constant vmnet_enable_isolation_key
 * Enable isolation for this interface. Interface isolation ensures that
 * network communication between multiple vmnet_interface instances is
 * not possible.
 */
extern const char * vmnet_enable_isolation_key API_AVAILABLE(macos(11.0)) API_UNAVAILABLE(ios, watchos, tvos);

The isolation feature seems to be broken. vmnet_start_interface() fails with both "shared" and "bridged" modes:

ERROR [main] vmnet_start_interface: VMNET_FAILURE
---
 example | 8 ++++++++
 helper.c | 1 +
 options.c | 7 ++++++-
 options.h | 1 +
 4 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/example b/example
index 5bbf296..09f5dcd 100755
--- a/example
+++ b/example
@@ -122,6 +122,11 @@ def main():
 "--shared-interface",
 help="vmnet shared interface, required for --operation-mode=bridged",
 )
+ p.add_argument(
+ "--enable-isolation",
+ action="store_true",
+ help="Isolate the guest from other guests on the vmnet interface",
+ )
 p.add_argument(
 "--vmnet-offload",
 choices=["auto", "on", "off"],
@@ -310,6 +315,9 @@ def start_helper(args, fd=None, socket=None):
 if args.shared_interface:
 cmd.append(f"--shared-interface={args.shared_interface}")
+ if args.enable_isolation:
+ cmd.append("--enable-isolation")
+
 if args.verbose:
 cmd.append("--verbose")
diff --git a/helper.c b/helper.c
index 6008429..fe79d59 100644
--- a/helper.c
+++ b/helper.c
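Review bot: The new help string `help="Isolate the guest from other guests on the vmnet interface"` presents isolation as a working guest-to-guest boundary, but the commit message itself reports that `vmnet_start_interface()` fails with VMNET_FAILURE in both shared and bridged modes as soon as the option is enabled. Anyone reading `--help` will treat this flag as a security control, so the known failure should be visible where the option is documented, for example `help="Isolate the guest from other guests on the vmnet interface (currently fails with VMNET_FAILURE in shared and bridged modes)"`, and the same caveat belongs in the usage text that options.c adds in this commit. If the failure turns out to be a vmnet limitation rather than a bug in the helper, a one-line comment next to the new `case OPT_ENABLE_ISOLATION:` in options.c recording that finding would spare the next maintainer re-discovering it. `main()` begins before this hunk and continues after it.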
@@ -256,6 +256,7 @@ static void start_host_interface(void)
 xpc_dictionary_set_bool(desc, vmnet_enable_tso_key, options.enable_tso);
 xpc_dictionary_set_bool(desc, vmnet_enable_checksum_offload_key, options.enable_checksum_offload);
+ xpc_dictionary_set_bool(desc, vmnet_enable_isolation_key, options.enable_isolation);
 dispatch_semaphore_t completed = dispatch_semaphore_create(0);
diff --git a/options.c b/options.c
index a1d2b23..66b15ea 100644
--- a/options.c
+++ b/options.c
@@ -29,7 +29,7 @@ static void usage(int code)
 " vmnet-helper (--fd FD|--socket SOCKET) [--interface-id UUID]\n"
 " [--operation-mode shared|bridged|host] [--shared-interface NAME]\n"
 " [--start-address ADDR] [--end-address ADDR] [--subnet-mask MASK]\n"
-" [--enable-tso] [--enable-checksum-offload]\n"
+" [--enable-tso] [--enable-checksum-offload] [--enable-isolation]\n"
 " [-v|--verbose] [--version] [-h|--help]\n"
 "\n";
 fputs(msg, stderr);
@@ -44,6 +44,7 @@ enum {
 OPT_SUBNET_MASK,
 OPT_ENABLE_TSO,
 OPT_ENABLE_CHECKSUM_OFFLOAD,
+ OPT_ENABLE_ISOLATION,
 OPT_VERSION,
 };
@@ -60,6 +61,7 @@ static struct option long_options[] = {
 {"subnet-mask", required_argument, 0, OPT_SUBNET_MASK},
 {"enable-tso", no_argument, 0, OPT_ENABLE_TSO},
 {"enable-checksum-offload", no_argument, 0, OPT_ENABLE_CHECKSUM_OFFLOAD},
+ {"enable-isolation", no_argument, 0, OPT_ENABLE_ISOLATION},
 {"verbose", no_argument, 0, 'v'},
 {"version", no_argument, 0, OPT_VERSION},
 {"help", no_argument, 0, 'h'},
@@ -195,6 +197,9 @@ void parse_options(struct options *opts, int argc, char **argv)
 case OPT_ENABLE_CHECKSUM_OFFLOAD:
 opts->enable_checksum_offload = true;
 break;
+ case OPT_ENABLE_ISOLATION:
+ opts->enable_isolation = true;
+ break;
 case 'v':
 verbose = true;
 break;
diff --git a/options.h b/options.h
index 79c3a77..caf3a6d 100644
--- a/options.h
+++ b/options.h
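Review bot: The added `xpc_dictionary_set_bool(desc, vmnet_enable_isolation_key, options.enable_isolation);` runs on every start, so the key is handed to vmnet even when `--enable-isolation` was not given; since the commit message reports that the interface fails to start with VMNET_FAILURE once isolation is on, it is safer to attach the key only when it was requested, `if (options.enable_isolation) xpc_dictionary_set_bool(desc, vmnet_enable_isolation_key, true);`, so the default path never depends on a feature known to misbehave. The header quoted in the commit message marks the key `API_AVAILABLE(macos(11.0))`; if the helper's deployment target is older than that, this reference presumably also needs an availability guard such as `if (__builtin_available(macOS 11.0, *))` — confirm against the build settings. Because the option is meant as a guest-to-guest isolation boundary, a failed start with it enabled should be reported as such rather than as a bare VMNET_FAILURE, e.g. by logging `options.enable_isolation` next to the error, though that error path lies outside this hunk. `start_host_interface` begins before the hunk and ends after it.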
@@ -16,6 +16,7 @@ struct options {
 const char *end_address;
 const char *subnet_mask;
 const char *shared_interface;
+ bool enable_isolation;
 bool enable_tso;
 bool enable_checksum_offload;
 uid_t uid;
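Review bot: `bool enable_isolation;` is inserted ahead of `enable_tso` and `enable_checksum_offload`, while everywhere else in this commit — the usage text, the `OPT_*` enum, `long_options[]` and the `xpc_dictionary_set_bool` calls in helper.c — isolation comes after checksum offload; placing the field after `bool enable_checksum_offload;` keeps the struct in the same order as the option table and makes the three flag sites easy to cross-check. The struct appears to be internal to the helper, so the move presumably has no ABI consequence — confirm nothing serializes or memcpy's it. `struct options` begins before the hunk and ends after it.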