V4: https://lists.libvirt.org/archives/list/devel@xxxxxxxxxxxxxxxxx/thread/HX3RDEIQYJ6IOS2TDQANFKCKAXJMKCJN/#HX3RDEIQYJ6IOS2TDQANFKCKAXJMKCJN V3: https://lists.libvirt.org/archives/list/devel@xxxxxxxxxxxxxxxxx/thread/HOCDIMI3SHS6UFFZJUAXUE6VLXE6SVHV/ V2: https://lists.libvirt.org/archives/list/devel@xxxxxxxxxxxxxxxxx/thread/5RTZ6PC3N3CO6X353QUHLVOL43SWQ4JD/ This patch series enables libvirt to use nftables rules rather than iptables *when setting up virtual networks* (it does *not* add nftables support to the nwfilter driver). Changes from V4: * changed the way that default firewall backends are specified in meson_options.txt/on the meson commandline - instead of using a #defined constant string, there are now one of these for each backend that should be tried when none is specified: #define FIREWALL_BACKEND_DEFAULT_n VIR_FIREWALL_BACKEND_xyzzy The "n" will be 1-[number of backends], and the code will try each in ascending order to see if it is usable. * properly handle the case where network.conf doesn't exist (from Patch 12/30 in V3) * In RPM specfile, Require: nftables for Fedora >= 41 /RHEL >= 10, while continuining to Require: iptables for anything else (specifically older RHEL/Fedora) * use VIR_NFTABLES_FORWARD_CHAIN instead of hardcoded "forward" in array of chains needed for the nftable backend. The patches that haven't yet gotten an R-B (and/or were changed enough from V3 to warrant removing the R-B): 12 - network: support setting firewallBackend from network.conf 17 - util: add name attribute to virFirewall (so that the element in the status XML is appropriately identifiable) 18 - util: new function virFirewallNewFromRollback() 19 - util: new functions virFirewallParseXML() and virFirewallFormat() 24 - network: add an nftables backend for network driver's firewall construction 26: network: prefer the nftables backend over iptables (I didn't remove the R-B for patch 27 ("require nftables rather than iptables for newer RHEl/Fedora") for example, because the change is very small, and was exactly copy-pasted from Daniel's suggestion). Changes from V3: * Fixed a bug (newly added in V3) that resulted in the firewall name attribute not being added to the XML. * renamed the table to "libvirt_network" * renamed the chains to be more descriptive, and lower case rather than all caps. * eliminated all the guest->host and host->guest rules since they are redundant in nftables. Laine Stump (30): util/network: move viriptables.[ch] from util to network directory network: move all functions manipulating iptables rules into network_iptables.c network: make all iptables functions used only in network_iptables.c static util: #define the names used for private packet filter chains util: change name of virFirewallRule to virFirewallCmd util: rename virNetFilterAction to iptablesAction, and add VIR_ENUM_DECL/IMPL util: check for 0 args when applying iptables rule util: add -w/--concurrent when applying a FirewallCmd rather than when building it util: determine ignoreErrors value when creating virFirewallCmd, not when applying util/network: new virFirewallBackend enum network: add (empty) network.conf file to distribution files network: support setting firewallBackend from network.conf network: framework to call backend-specific function to init private filter chains util: new functions to support adding individual firewall rollback commands util: implement rollback rule autocreation for iptables commands network: turn on auto-rollback for the rules added for virtual networks util: add name attribute to virFirewall util: new function virFirewallNewFromRollback() util: new functions virFirewallParseXML() and virFirewallFormat() conf: add a virFirewall object to virNetworkObj network: use previously saved list of firewall removal commands network: save network status when firewall rules are reloaded meson: stop looking for iptables/ip6tables/ebtables at build time network: add an nftables backend for network driver's firewall construction tests: test cases for nftables backend network: prefer the nftables backend over iptables spec: require nftables rather than iptables for newer RHEL/Fedora network: name the nftables table "libvirt_network" rather than "libvirt" network: rename chains used by network driver nftables backend network: eliminate pointless host input/output rules from nftables backend libvirt.spec.in | 9 +- meson.build | 12 +- meson_options.txt | 2 + po/POTFILES | 3 +- src/conf/virnetworkobj.c | 41 + src/conf/virnetworkobj.h | 8 + src/libvirt_private.syms | 58 +- src/network/bridge_driver.c | 39 +- src/network/bridge_driver_conf.c | 86 +- src/network/bridge_driver_conf.h | 3 + src/network/bridge_driver_linux.c | 630 +------ src/network/bridge_driver_nop.c | 6 +- src/network/bridge_driver_platform.h | 6 +- src/network/libvirtd_network.aug | 39 + src/network/meson.build | 36 + src/network/network.conf.in | 28 + src/network/network_iptables.c | 1677 +++++++++++++++++ src/network/network_iptables.h | 30 + src/network/network_nftables.c | 968 ++++++++++ src/network/network_nftables.h | 28 + src/network/test_libvirtd_network.aug.in | 5 + src/nwfilter/nwfilter_ebiptables_driver.c | 1004 +++++----- src/util/meson.build | 1 - src/util/virebtables.c | 36 +- src/util/virfirewall.c | 820 ++++++-- src/util/virfirewall.h | 87 +- src/util/viriptables.c | 1072 ----------- src/util/viriptables.h | 155 -- .../{base.args => base.iptables} | 0 tests/networkxml2firewalldata/base.nftables | 256 +++ ...-linux.args => nat-default-linux.iptables} | 0 .../nat-default-linux.nftables | 144 ++ ...pv6-linux.args => nat-ipv6-linux.iptables} | 0 .../nat-ipv6-linux.nftables | 202 ++ ...rgs => nat-ipv6-masquerade-linux.iptables} | 0 .../nat-ipv6-masquerade-linux.nftables | 274 +++ ...linux.args => nat-many-ips-linux.iptables} | 0 .../nat-many-ips-linux.nftables | 368 ++++ ...-linux.args => nat-no-dhcp-linux.iptables} | 0 .../nat-no-dhcp-linux.nftables | 202 ++ ...ftp-linux.args => nat-tftp-linux.iptables} | 0 .../nat-tftp-linux.nftables | 144 ++ ...inux.args => route-default-linux.iptables} | 0 .../route-default-linux.nftables | 58 + tests/networkxml2firewalltest.c | 56 +- tests/virfirewalltest.c | 424 ++--- 46 files changed, 6258 insertions(+), 2759 deletions(-) create mode 100644 src/network/libvirtd_network.aug create mode 100644 src/network/network.conf.in create mode 100644 src/network/network_iptables.c create mode 100644 src/network/network_iptables.h create mode 100644 src/network/network_nftables.c create mode 100644 src/network/network_nftables.h create mode 100644 src/network/test_libvirtd_network.aug.in delete mode 100644 src/util/viriptables.c delete mode 100644 src/util/viriptables.h rename tests/networkxml2firewalldata/{base.args => base.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/base.nftables rename tests/networkxml2firewalldata/{nat-default-linux.args => nat-default-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-default-linux.nftables rename tests/networkxml2firewalldata/{nat-ipv6-linux.args => nat-ipv6-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.nftables rename tests/networkxml2firewalldata/{nat-ipv6-masquerade-linux.args => nat-ipv6-masquerade-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables rename tests/networkxml2firewalldata/{nat-many-ips-linux.args => nat-many-ips-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.nftables rename tests/networkxml2firewalldata/{nat-no-dhcp-linux.args => nat-no-dhcp-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables rename tests/networkxml2firewalldata/{nat-tftp-linux.args => nat-tftp-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.nftables rename tests/networkxml2firewalldata/{route-default-linux.args => route-default-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/route-default-linux.nftables -- 2.45.0
