From e039cb9d97d4a5939b6567c4b683cd8a8aa98777 Mon Sep 17 00:00:00 2001
From: pacien
Date: Tue, 8 Nov 2022 17:50:47 +0100
Subject: [PATCH] nixos/qemu-vm: add option "restrictNetwork"

This adds an option to the qemu virtualisation module to isolate the guest's from the host's and outside networks. This is particularly useful for development sandboxes for example. The option is disabled by default to preserve the current behaviour.

---
 nixos/modules/virtualisation/qemu-vm.nix | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix
index edc6dfdc15ae..f56cc2cdb8dd 100644
--- a/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixos/modules/virtualisation/qemu-vm.nix
@@ -528,6 +528,20 @@ in
 '';
 };
 
+ virtualisation.restrictNetwork =
+ mkOption {
+ type = types.bool;
+ default = false;
+ example = true;
+ description =
+ lib.mdDoc ''
+ If this option is enabled, the guest will be isolated, i.e. it will
+ not be able to contact the host and no guest IP packets will be
+ routed over the host to the outside. This option does not affect
+ any explicitly set forwarding rules.
+ '';
+ };
+
 virtualisation.vlans =
 mkOption {
 type = types.listOf types.ints.unsigned;
@@ -934,10 +948,11 @@ in
 else "'guestfwd=${proto}:${guest.address}:${toString guest.port}-" + "cmd:${pkgs.netcat}/bin/nc ${host.address} ${toString host.port}'," );
+ restrictNetworkOption = lib.optionalString cfg.restrictNetwork "restrict=on,";
 in [ "-net nic,netdev=user.0,model=virtio"
- "-netdev user,id=user.0,${forwardingOptions}\"$QEMU_NET_OPTS\""
+ "-netdev user,id=user.0,${forwardingOptions}${restrictNetworkOption}\"$QEMU_NET_OPTS\""
 ]; # FIXME: Consolidate this one day.
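Review bot: The description of `virtualisation.restrictNetwork` does not say which guest interface it isolates; the second hunk shows the flag is only appended to the user-mode netdev `user.0`, so a reader of the option text cannot tell whether interfaces attached through `virtualisation.vlans` (declared directly below) are covered, and from the visible code they presumably are not. I would add a sentence to the description such as `This sets restrict=on on the QEMU user-mode network interface only; it does not restrict traffic on interfaces configured via virtualisation.vlans.` Stating that the wording mirrors QEMU's own `restrict=on` semantics would also let readers cross-check it against the QEMU manual.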
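Review bot: `restrict=on,` is spliced in before `\"$QEMU_NET_OPTS\"` on the new `-netdev user` line, so whatever the runner puts in that environment variable is the last word on the command line; if QEMU resolves a repeated key with the last value winning (not verified here), a `restrict=off` in `QEMU_NET_OPTS` would quietly undo the isolation the option promises. If the option is intended as a hard sandbox guarantee, either document in its description that `QEMU_NET_OPTS` can still override it, or place `${restrictNetworkOption}` after the environment expansion so the declared option is authoritative. The enclosing `let` block that defines `forwardingOptions` starts before the hunk.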