*sigh*. After posting these last night, I checked on my CI pipeline and
found that everything had failed due to
#if defined(FIREWALL_BACKEND_DEFAULT_IPTABLES)
[...]
#elif defined (FIREWALL_BACKEND_DEFAULT_IPTABLES)
[...]
#else
#error blah blah
#endif
I've pushed fixed patches to gitlab, where you can find them at:
https://gitlab.com/lainestump/libvirt/tree/nftrereboot-7
or alternately, just change the 2nd "IPTABLES" above to "NFTABLES" in
patch 24/27.
w
On 4/25/24 1:38 AM, Laine Stump wrote:
V2: https://lists.libvirt.org/archives/list/devel@xxxxxxxxxxxxxxxxx/thread/5RTZ6PC3N3CO6X353QUHLVOL43SWQ4JD/
This patch series enables libvirt to use nftables rules rather than
iptables *when setting up virtual networks* (it does *not* add
nftables support to the nwfilter driver).
I've added the Reviewed-by's from Daniel where given in V2 (as long as
I haven't made any non-trivial changes). That includes patches 1-9,
11-13, 16, 20, and 22.
Changes from V2 - mainly I've addressed the issues that Dan pointed
out in his reviews (details in each patch). Functionally the main changes are:
1) You can now choose whether iptables or nftables should be the
default backend with the new meson option "firewall_backend" (which
is set to "nftables" by default).
2) rpm spec now requires iptables or nftables (rather than
recommending both)
3) The <firewall> element in the network status XML now has a
"name='fwRemoval'" attribute, just in case we ever add another
<firewall> element to keep track of all the commands that were run
to create the firewall as well as the commands needed to remove it.
4) Failure to find the binary needed for any firewall backend now
results in an error log and termination of the daemon.
Laine Stump (27):
util/network: move viriptables.[ch] from util to network directory
network: move all functions manipulating iptables rules into
network_iptables.c
network: make all iptables functions used only in network_iptables.c
static
util: #define the names used for private packet filter chains
util: change name of virFirewallRule to virFirewallCmd
util: rename virNetFilterAction to iptablesAction, and add
VIR_ENUM_DECL/IMPL
util: check for 0 args when applying iptables rule
util: add -w/--concurrent when applying a FirewallCmd rather than when
building it
util: determine ignoreErrors value when creating virFirewallCmd, not
when applying
util/network: new virFirewallBackend enum
network: add (empty) network.conf file to distribution files
network: support setting firewallBackend from network.conf
network: framework to call backend-specific function to init private
filter chains
util: new functions to support adding individual firewall rollback
commands
util: implement rollback rule autocreation for iptables commands
network: turn on auto-rollback for the rules added for virtual
networks
util: add name attribute to virFirewall
util: new function virFirewallNewFromRollback()
util: new functions virFirewallParseXML() and virFirewallFormat()
conf: add a virFirewall object to virNetworkObj
network: use previously saved list of firewall removal commands
network: save network status when firewall rules are reloaded
meson: stop looking for iptables/ip6tables/ebtables at build time
network: add an nftables backend for network driver's firewall
construction
tests: test cases for nftables backend
network: prefer the nftables backend over iptables
spec: require either iptables or nftables if network driver is
installed
libvirt.spec.in | 7 +-
meson.build | 10 +-
meson_options.txt | 1 +
po/POTFILES | 3 +-
src/conf/virnetworkobj.c | 47 +
src/conf/virnetworkobj.h | 11 +
src/libvirt_private.syms | 59 +-
src/network/bridge_driver.c | 35 +-
src/network/bridge_driver_conf.c | 64 +
src/network/bridge_driver_conf.h | 3 +
src/network/bridge_driver_linux.c | 630 +------
src/network/bridge_driver_nop.c | 6 +-
src/network/bridge_driver_platform.h | 6 +-
src/network/libvirtd_network.aug | 39 +
src/network/meson.build | 36 +
src/network/network.conf.in | 28 +
src/network/network_iptables.c | 1677 +++++++++++++++++
src/network/network_iptables.h | 30 +
src/network/network_nftables.c | 940 +++++++++
src/network/network_nftables.h | 28 +
src/network/test_libvirtd_network.aug.in | 5 +
src/nwfilter/nwfilter_ebiptables_driver.c | 1004 +++++-----
src/util/meson.build | 1 -
src/util/virebtables.c | 36 +-
src/util/virfirewall.c | 820 ++++++--
src/util/virfirewall.h | 87 +-
src/util/viriptables.c | 1072 -----------
src/util/viriptables.h | 155 --
.../{base.args => base.iptables} | 0
tests/networkxml2firewalldata/base.nftables | 256 +++
...-linux.args => nat-default-linux.iptables} | 0
.../nat-default-linux.nftables | 248 +++
...pv6-linux.args => nat-ipv6-linux.iptables} | 0
.../nat-ipv6-linux.nftables | 384 ++++
...rgs => nat-ipv6-masquerade-linux.iptables} | 0
.../nat-ipv6-masquerade-linux.nftables | 456 +++++
...linux.args => nat-many-ips-linux.iptables} | 0
.../nat-many-ips-linux.nftables | 472 +++++
...-linux.args => nat-no-dhcp-linux.iptables} | 0
.../nat-no-dhcp-linux.nftables | 384 ++++
...ftp-linux.args => nat-tftp-linux.iptables} | 0
.../nat-tftp-linux.nftables | 274 +++
...inux.args => route-default-linux.iptables} | 0
.../route-default-linux.nftables | 162 ++
tests/networkxml2firewalltest.c | 56 +-
tests/virfirewalltest.c | 424 ++---
46 files changed, 7205 insertions(+), 2751 deletions(-)
create mode 100644 src/network/libvirtd_network.aug
create mode 100644 src/network/network.conf.in
create mode 100644 src/network/network_iptables.c
create mode 100644 src/network/network_iptables.h
create mode 100644 src/network/network_nftables.c
create mode 100644 src/network/network_nftables.h
create mode 100644 src/network/test_libvirtd_network.aug.in
delete mode 100644 src/util/viriptables.c
delete mode 100644 src/util/viriptables.h
rename tests/networkxml2firewalldata/{base.args => base.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/base.nftables
rename tests/networkxml2firewalldata/{nat-default-linux.args => nat-default-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-default-linux.nftables
rename tests/networkxml2firewalldata/{nat-ipv6-linux.args => nat-ipv6-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.nftables
rename tests/networkxml2firewalldata/{nat-ipv6-masquerade-linux.args => nat-ipv6-masquerade-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
rename tests/networkxml2firewalldata/{nat-many-ips-linux.args => nat-many-ips-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.nftables
rename tests/networkxml2firewalldata/{nat-no-dhcp-linux.args => nat-no-dhcp-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
rename tests/networkxml2firewalldata/{nat-tftp-linux.args => nat-tftp-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.nftables
rename tests/networkxml2firewalldata/{route-default-linux.args => route-default-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/route-default-linux.nftables
_______________________________________________
Devel mailing list -- devel@xxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxx
