nixos/qemu-vm: add option "restrictNetwork"

This adds an option to the qemu virtualisation module to isolate the guest's from the host's and outside networks. This is particularly useful for development sandboxes for example. The option is disabled by default to preserve the current behaviour.
2022-11-08 17:50:47 +01:00 · 2022-11-08 17:50:47 +01:00 · e039cb9d97
parent 6b572437c0
commit e039cb9d97
1 changed files with 16 additions and 1 deletions
--- a/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixos/modules/virtualisation/qemu-vm.nix
@ -528,6 +528,20 @@ in
        '';
    };

+    virtualisation.restrictNetwork =
+      mkOption {
+        type = types.bool;
+        default = false;
+        example = true;
+        description =
+          lib.mdDoc ''
+            If this option is enabled, the guest will be isolated, i.e. it will
+            not be able to contact the host and no guest IP packets will be
+            routed over the host to the outside. This option does not affect
+            any explicitly set forwarding rules.
+          '';
+      };
+
    virtualisation.vlans =
      mkOption {
        type = types.listOf types.ints.unsigned;
@ -934,10 +948,11 @@ in
              else "'guestfwd=${proto}:${guest.address}:${toString guest.port}-" +
                   "cmd:${pkgs.netcat}/bin/nc ${host.address} ${toString host.port}',"
          );
+        restrictNetworkOption = lib.optionalString cfg.restrictNetwork "restrict=on,";
      in
      [
        "-net nic,netdev=user.0,model=virtio"
-        "-netdev user,id=user.0,${forwardingOptions}\"$QEMU_NET_OPTS\""
+        "-netdev user,id=user.0,${forwardingOptions}${restrictNetworkOption}\"$QEMU_NET_OPTS\""
      ];

    # FIXME: Consolidate this one day.