[PATCH v5 00/30] native support for nftables in virtual network driver

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



V4: https://lists.libvirt.org/archives/list/devel@xxxxxxxxxxxxxxxxx/thread/HX3RDEIQYJ6IOS2TDQANFKCKAXJMKCJN/#HX3RDEIQYJ6IOS2TDQANFKCKAXJMKCJN
V3: https://lists.libvirt.org/archives/list/devel@xxxxxxxxxxxxxxxxx/thread/HOCDIMI3SHS6UFFZJUAXUE6VLXE6SVHV/
V2: https://lists.libvirt.org/archives/list/devel@xxxxxxxxxxxxxxxxx/thread/5RTZ6PC3N3CO6X353QUHLVOL43SWQ4JD/

This patch series enables libvirt to use nftables rules rather than
iptables *when setting up virtual networks* (it does *not* add
nftables support to the nwfilter driver).

Changes from V4:

* changed the way that default firewall backends are specified in
  meson_options.txt/on the meson commandline - instead of using a
  #defined constant string, there are now one of these for each
  backend that should be tried when none is specified:

    #define FIREWALL_BACKEND_DEFAULT_n VIR_FIREWALL_BACKEND_xyzzy

  The "n" will be 1-[number of backends], and the code will try each
  in ascending order to see if it is usable.

* properly handle the case where network.conf doesn't exist (from
  Patch 12/30 in V3)

* In RPM specfile, Require: nftables for Fedora >= 41 /RHEL >= 10,
  while continuining to Require: iptables for anything else
  (specifically older RHEL/Fedora)

* use VIR_NFTABLES_FORWARD_CHAIN instead of hardcoded "forward" in
  array of chains needed for the nftable backend.

The patches that haven't yet gotten an R-B (and/or were changed enough
from V3 to warrant removing the R-B):

   12 - network: support setting firewallBackend from network.conf
   17 - util: add name attribute to virFirewall (so that the
        element in the status XML is appropriately identifiable)
   18 - util: new function virFirewallNewFromRollback()
   19 - util: new functions virFirewallParseXML() and virFirewallFormat()
   24 - network: add an nftables backend for network driver's firewall construction
   26: network: prefer the nftables backend over iptables

(I didn't remove the R-B for patch 27 ("require nftables rather than
iptables for newer RHEl/Fedora") for example, because the change is
very small, and was exactly copy-pasted from Daniel's suggestion).

Changes from V3:

* Fixed a bug (newly added in V3) that resulted in the firewall name
  attribute not being added to the XML.

* renamed the table to "libvirt_network"

* renamed the chains to be more descriptive, and lower case rather
  than all caps.

* eliminated all the guest->host and host->guest rules since they are
  redundant in nftables.

Laine Stump (30):
  util/network: move viriptables.[ch] from util to network directory
  network: move all functions manipulating iptables rules into
    network_iptables.c
  network: make all iptables functions used only in network_iptables.c
    static
  util: #define the names used for private packet filter chains
  util: change name of virFirewallRule to virFirewallCmd
  util: rename virNetFilterAction to iptablesAction, and add
    VIR_ENUM_DECL/IMPL
  util: check for 0 args when applying iptables rule
  util: add -w/--concurrent when applying a FirewallCmd rather than when
    building it
  util: determine ignoreErrors value when creating virFirewallCmd, not
    when applying
  util/network: new virFirewallBackend enum
  network: add (empty) network.conf file to distribution files
  network: support setting firewallBackend from network.conf
  network: framework to call backend-specific function to init private
    filter chains
  util: new functions to support adding individual firewall rollback
    commands
  util: implement rollback rule autocreation for iptables commands
  network: turn on auto-rollback for the rules added for virtual
    networks
  util: add name attribute to virFirewall
  util: new function virFirewallNewFromRollback()
  util: new functions virFirewallParseXML() and virFirewallFormat()
  conf: add a virFirewall object to virNetworkObj
  network: use previously saved list of firewall removal commands
  network: save network status when firewall rules are reloaded
  meson: stop looking for iptables/ip6tables/ebtables at build time
  network: add an nftables backend for network driver's firewall
    construction
  tests: test cases for nftables backend
  network: prefer the nftables backend over iptables
  spec: require nftables rather than iptables for newer RHEL/Fedora
  network: name the nftables table "libvirt_network" rather than
    "libvirt"
  network: rename chains used by network driver nftables backend
  network: eliminate pointless host input/output rules from nftables
    backend

 libvirt.spec.in                               |    9 +-
 meson.build                                   |   12 +-
 meson_options.txt                             |    2 +
 po/POTFILES                                   |    3 +-
 src/conf/virnetworkobj.c                      |   41 +
 src/conf/virnetworkobj.h                      |    8 +
 src/libvirt_private.syms                      |   58 +-
 src/network/bridge_driver.c                   |   39 +-
 src/network/bridge_driver_conf.c              |   86 +-
 src/network/bridge_driver_conf.h              |    3 +
 src/network/bridge_driver_linux.c             |  630 +------
 src/network/bridge_driver_nop.c               |    6 +-
 src/network/bridge_driver_platform.h          |    6 +-
 src/network/libvirtd_network.aug              |   39 +
 src/network/meson.build                       |   36 +
 src/network/network.conf.in                   |   28 +
 src/network/network_iptables.c                | 1677 +++++++++++++++++
 src/network/network_iptables.h                |   30 +
 src/network/network_nftables.c                |  968 ++++++++++
 src/network/network_nftables.h                |   28 +
 src/network/test_libvirtd_network.aug.in      |    5 +
 src/nwfilter/nwfilter_ebiptables_driver.c     | 1004 +++++-----
 src/util/meson.build                          |    1 -
 src/util/virebtables.c                        |   36 +-
 src/util/virfirewall.c                        |  820 ++++++--
 src/util/virfirewall.h                        |   87 +-
 src/util/viriptables.c                        | 1072 -----------
 src/util/viriptables.h                        |  155 --
 .../{base.args => base.iptables}              |    0
 tests/networkxml2firewalldata/base.nftables   |  256 +++
 ...-linux.args => nat-default-linux.iptables} |    0
 .../nat-default-linux.nftables                |  144 ++
 ...pv6-linux.args => nat-ipv6-linux.iptables} |    0
 .../nat-ipv6-linux.nftables                   |  202 ++
 ...rgs => nat-ipv6-masquerade-linux.iptables} |    0
 .../nat-ipv6-masquerade-linux.nftables        |  274 +++
 ...linux.args => nat-many-ips-linux.iptables} |    0
 .../nat-many-ips-linux.nftables               |  368 ++++
 ...-linux.args => nat-no-dhcp-linux.iptables} |    0
 .../nat-no-dhcp-linux.nftables                |  202 ++
 ...ftp-linux.args => nat-tftp-linux.iptables} |    0
 .../nat-tftp-linux.nftables                   |  144 ++
 ...inux.args => route-default-linux.iptables} |    0
 .../route-default-linux.nftables              |   58 +
 tests/networkxml2firewalltest.c               |   56 +-
 tests/virfirewalltest.c                       |  424 ++---
 46 files changed, 6258 insertions(+), 2759 deletions(-)
 create mode 100644 src/network/libvirtd_network.aug
 create mode 100644 src/network/network.conf.in
 create mode 100644 src/network/network_iptables.c
 create mode 100644 src/network/network_iptables.h
 create mode 100644 src/network/network_nftables.c
 create mode 100644 src/network/network_nftables.h
 create mode 100644 src/network/test_libvirtd_network.aug.in
 delete mode 100644 src/util/viriptables.c
 delete mode 100644 src/util/viriptables.h
 rename tests/networkxml2firewalldata/{base.args => base.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/base.nftables
 rename tests/networkxml2firewalldata/{nat-default-linux.args => nat-default-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/nat-default-linux.nftables
 rename tests/networkxml2firewalldata/{nat-ipv6-linux.args => nat-ipv6-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.nftables
 rename tests/networkxml2firewalldata/{nat-ipv6-masquerade-linux.args => nat-ipv6-masquerade-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
 rename tests/networkxml2firewalldata/{nat-many-ips-linux.args => nat-many-ips-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.nftables
 rename tests/networkxml2firewalldata/{nat-no-dhcp-linux.args => nat-no-dhcp-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
 rename tests/networkxml2firewalldata/{nat-tftp-linux.args => nat-tftp-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.nftables
 rename tests/networkxml2firewalldata/{route-default-linux.args => route-default-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/route-default-linux.nftables

-- 
2.45.0




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux