Isolated network

Sources/ContainerCommands/Network/NetworkCreate.swift

@@ -31,6 +31,9 @@ extension Application {
         @Option(name: .customLong("label"), help: "Set metadata for a network")
         var labels: [String] = []
 
+        @Flag(name: .customLong("internal"), help: "Restrict external access to the network")
+        var hostOnly: Bool = false
+
         @Option(
             name: .customLong("subnet"), help: "Set subnet for a network",
             transform: {
@@ -55,9 +58,10 @@ extension Application {
 
         public func run() async throws {
             let parsedLabels = Utility.parseKeyValuePairs(labels)
+            let mode: NetworkMode = hostOnly ? .hostOnly : .nat
             let config = try NetworkConfiguration(
                 id: self.name,
-                mode: .nat,
+                mode: mode,
                 ipv4Subnet: ipv4Subnet,
                 ipv6Subnet: ipv6Subnet,
                 labels: parsedLabels

Sources/ContainerResource/Network/NetworkMode.swift

@@ -20,6 +20,10 @@ public enum NetworkMode: String, Codable, Sendable {
     /// Containers do not have routable IPs, and the host performs network
     /// address translation to allow containers to reach external services.
     case nat = "nat"
+
+    /// Host only networking mode
+    /// Containers can talk with each other in the same subnet only.
+    case hostOnly = "hostOnly"
 }
 
 extension NetworkMode {
@@ -30,6 +34,7 @@ extension NetworkMode {
     public init?(_ value: String) {
         switch value.lowercased() {
         case "nat": self = .nat
+        case "hostOnly": self = .hostOnly
         default: return nil
         }
     }

Sources/Helpers/NetworkVmnet/NetworkVmnetHelper+Start.swift

@@ -39,6 +39,9 @@ extension NetworkVmnetHelper {
         @Option(name: .shortAndLong, help: "Network identifier")
         var id: String
 
+        @Flag(name: .long, help: "Restrict external access to the network")
+        var hostOnly: Bool = false
+
         @Option(name: .customLong("subnet"), help: "CIDR address for the IPv4 subnet")
         var ipv4Subnet: String?
 
@@ -57,9 +60,10 @@ extension NetworkVmnetHelper {
                 log.info("configuring XPC server")
                 let ipv4Subnet = try self.ipv4Subnet.map { try CIDRv4($0) }
                 let ipv6Subnet = try self.ipv6Subnet.map { try CIDRv6($0) }
+                let mode: NetworkMode = self.hostOnly ? .hostOnly : .nat
                 let configuration = try NetworkConfiguration(
                     id: id,
-                    mode: .nat,
+                    mode: mode,
                     ipv4Subnet: ipv4Subnet,
                     ipv6Subnet: ipv6Subnet,
                 )

Sources/Services/ContainerAPIService/Server/Networks/NetworksService.swift

@@ -269,7 +269,7 @@ public actor NetworksService {
     }
 
     private func registerService(configuration: NetworkConfiguration) async throws {
-        guard configuration.mode == .nat else {
+        guard configuration.mode == .nat || configuration.mode == .hostOnly else {
             throw ContainerizationError(.invalidArgument, message: "unsupported network mode \(configuration.mode.rawValue)")
         }
 
@@ -284,6 +284,10 @@ public actor NetworksService {
             serviceIdentifier,
         ]
 
+        if case .hostOnly = configuration.mode {
+            args += ["--host-only"]
+        }
+
         if let ipv4Subnet = configuration.ipv4Subnet {
             var existingCidrs: [CIDRv4] = []
             for networkState in networkStates.values {

Sources/Services/ContainerNetworkService/Server/AllocationOnlyVmnetNetwork.swift

@@ -32,7 +32,7 @@ public actor AllocationOnlyVmnetNetwork: Network {
         configuration: NetworkConfiguration,
         log: Logger
     ) throws {
-        guard configuration.mode == .nat else {
+        guard configuration.mode == .nat || configuration.mode == .hostOnly else {
             throw ContainerizationError(.unsupported, message: "invalid network mode \(configuration.mode)")
         }
 

Sources/Services/ContainerNetworkService/Server/ReservedVmnetNetwork.swift

@@ -52,7 +52,7 @@ public final class ReservedVmnetNetwork: Network {
         configuration: NetworkConfiguration,
         log: Logger
     ) throws {
-        guard configuration.mode == .nat else {
+        guard configuration.mode == .nat || configuration.mode == .hostOnly else {
             throw ContainerizationError(.unsupported, message: "invalid network mode \(configuration.mode)")
         }
 
@@ -110,7 +110,8 @@ public final class ReservedVmnetNetwork: Network {
 
         // set up the vmnet configuration
         var status: vmnet_return_t = .VMNET_SUCCESS
-        guard let vmnetConfiguration = vmnet_network_configuration_create(vmnet.operating_modes_t.VMNET_SHARED_MODE, &status), status == .VMNET_SUCCESS else {
+        let mode: vmnet.operating_modes_t = configuration.mode == .hostOnly ? .VMNET_HOST_MODE : .VMNET_SHARED_MODE
+        guard let vmnetConfiguration = vmnet_network_configuration_create(mode, &status), status == .VMNET_SUCCESS else {
             throw ContainerizationError(.unsupported, message: "failed to create vmnet config with status \(status)")
         }
 

Tests/CLITests/Subcommands/Networks/TestCLINetwork.swift

@@ -190,4 +190,61 @@ class TestCLINetwork: CLITest {
             return
         }
     }
+
+    @available(macOS 26, *)
+    @Test func testIsolatedNetwork() async throws {
+        do {
+            let name = getLowercasedTestName()
+            let networkDeleteArgs = ["network", "delete", name]
+            _ = try? run(arguments: networkDeleteArgs)
+
+            let networkCreateArgs = ["network", "create", "--internal", name]
+            let result = try run(arguments: networkCreateArgs)
+            if result.status != 0 {
+                throw CLIError.executionFailed("command failed: \(result.error)")
+            }
+            defer {
+                _ = try? run(arguments: networkDeleteArgs)
+            }
+            let port = UInt16.random(in: 50000..<60000)
+            try doLongRun(
+                name: name,
+                image: "docker.io/library/python:alpine",
+                args: ["--network", name],
+                containerArgs: ["python3", "-m", "http.server", "--bind", "0.0.0.0", "\(port)"]
+            )
+            defer {
+                try? doStop(name: name)
+            }
+
+            let container = try inspectContainer(name)
+            #expect(container.networks.count > 0)
+            let curlImage = "docker.io/curlimages/curl:8.6.0"
+            let cidrAddress = container.networks[0].ipv4Address
+            let url = "http://\(cidrAddress.address):\(port)"
+            let (_, _, _, succeed) = try run(arguments: [
+                "run",
+                "--rm",
+                "--network",
+                name,
+                curlImage,
+                "curl",
+                url,
+            ])
+
+            #expect(succeed == 0, "internal connection should succeed")
+
+            let (_, _, _, failed) = try run(arguments: [
+                "run",
+                "--rm",
+                "--network",
+                name,
+                curlImage,
+                "curl",
+                "http://google.com",
+            ])
+
+            #expect(failed == 6, "external connection should fail")
+        }
+    }
 }