On Sun, Apr 21, 2024 at 10:53:34PM -0400, Laine Stump wrote:
> The initial patches to support nftables for virtual networks left
> iptables as the default backend.
>
> The only functional difference between the two backends is that the
> nftables backend doesn't add any rules to fix up the checksum of DHCP
> packets, which will cause failures on guests with very old OSes
> (e.g. RHEL5) that have a virtio-net network interface using vhost
> packet processing (the default), connected to a libvirt virtual
> network, and configured to acquire the interface IP using DHCP. Since
> RHEL5 has been out of support for several years already, we might as
> well start off nftables support right by making it the default.
>
> In the extremely unlikely case that this causes a problem for anyone,
> they can work around the failure by adding "<driver name='qemu'/>" to
> the guest <interface> element.
>
> Signed-off-by: Laine Stump <laine@xxxxxxxxxx>
> ---
>  src/network/bridge_driver_conf.c         | 6 +++---
>  src/network/network.conf                 | 9 ++++++---
>  src/network/test_libvirtd_network.aug.in | 2 +-
>  3 files changed, 10 insertions(+), 7 deletions(-)

I wonder if we shouldn't make the default firewall backend be a
meson_options.txt parameter. If a distro rebases libvirt in their
existing release, they probably don't want the firewall backend
silently changing as a side effect. A meson option would let them
turn on the new behaviour for only new releases. We could make the
meson option default to 'nft' though.

> diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_conf.c > index f1159ed245..0139ece5ad 100644 > --- a/src/network/bridge_driver_conf.c > +++ b/src/network/bridge_driver_conf.c
> @@ -106,10 +106,10 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED, > * which allows absolute paths, and verifies that > * the file is executable. > */ > - if ((iptablesInPath = virFindFileInPath(IPTABLES))) > - cfg->firewallBackend = VIR_FIREWALL_BACKEND_IPTABLES; > - else if ((nftInPath = virFindFileInPath(NFT))) > + if ((nftInPath = virFindFileInPath(NFT))) > cfg->firewallBackend = VIR_FIREWALL_BACKEND_NFTABLES; > + else if ((iptablesInPath = virFindFileInPath(IPTABLES))) > + cfg->firewallBackend = VIR_FIREWALL_BACKEND_IPTABLES; > > if (cfg->firewallBackend == VIR_FIREWALL_BACKEND_UNSET) > VIR_INFO("firewall_backend not set, and no usable backend auto-detected"); > diff --git a/src/network/network.conf b/src/network/network.conf > index 630c4387a1..31723bccd5 100644 > --- a/src/network/network.conf > +++ b/src/network/network.conf > @@ -12,8 +12,11 @@ > # iptables - use iptables commands to construct the firewall > # nftables - use nft commands to construct the firewall > # > -# For backward compatibility, and to reduce surprises, the > -# default setting is "iptables". > +# If firewall_backend isn't explicitly specified here, libvirt > +# will default to using nftables if the "nft" command is available > +# on the host, otherwise it will use iptables if the "iptables" > +# command is available. If neither is available, then libvirt > +# will log an error the first time any network is started. > # > # (NB: switching from one backend to another while there are active > # virtual networks *is* supported. The change will take place the > @@ -21,4 +24,4 @@ > # virtual networks will have their old firewalls removed, and then > # reloaded using the new backend.) > # > -#firewall_backend = "iptables" > +#firewall_backend = "nftables" > diff --git a/src/network/test_libvirtd_network.aug.in b/src/network/test_libvirtd_network.aug.in > index 3aa7b4cc22..81a6256919 100644 > --- a/src/network/test_libvirtd_network.aug.in 
> +++ b/src/network/test_libvirtd_network.aug.in > @@ -2,4 +2,4 @@ module Test_libvirtd_network = > @CONFIG@ > > test Libvirtd_network.lns get conf = > -{ "firewall_backend" = "iptables" } > +{ "firewall_backend" = "nftables" } > -- > 2.44.0
> _______________________________________________
> Devel mailing list -- devel@xxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxx

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
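Review bot: in the bridge_driver_conf.c hunk the probe order is simply reversed, so a host that has both nft and iptables on PATH moves from iptables to nftables on upgrade with no configuration change, and the only surviving log line is the VIR_INFO for the VIR_FIREWALL_BACKEND_UNSET case. Please also log which backend was auto-selected in the two success branches, e.g. `VIR_INFO("firewall_backend not set, auto-detected nftables");` next to `cfg->firewallBackend = VIR_FIREWALL_BACKEND_NFTABLES;`, so an operator can confirm from the daemon log which rule set is actually in force after the default flips; that gives the silent-switch concern raised above a visible signal whether or not a meson option is added.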
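Review bot: the new comment in the first network.conf hunk states that when neither command is available libvirt "will log an error the first time any network is started", but the only handling visible for that case in the bridge_driver_conf.c hunk is a VIR_INFO at config-load time; please check that the wording matches what the network-start path actually does. The same comment is also the natural place to record the one behavioural difference the commit message calls out (the nftables backend adds no DHCP checksum fixup rules, which breaks DHCP on very old guests using vhost virtio-net) together with the `<driver name='qemu'/>` workaround, since network.conf is where an admin decides whether to pin `firewall_backend = "iptables"`.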
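Review bot: in the second network.conf hunk the commented-out example now reads `#firewall_backend = "nftables"`, which a reader can easily take as the unconditional default, whereas the first hunk documents the real default as auto-detection (nft if present, otherwise iptables). A short note next to the example line saying it shows the value chosen when nft is found, not a fixed default, would avoid that misreading.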