On Fri, May 17, 2024 at 01:30:03PM -0400, Laine Stump wrote:
> The patch that added the nftables backend for virtual networks left
> iptables as the default backend when both nftables and iptables are
> installed.
>
> The only functional difference between the two backends is that the
> nftables backend doesn't add any rules to fix up the checksum of DHCP
> packets, which will cause failures on guests with very old OSes
> (e.g. RHEL5) that have a virtio-net network interface using vhost
> packet processing (the default), connected to a libvirt virtual
> network, and configured to acquire the interface IP using DHCP. Since
> RHEL5 has been out of support for several years already, we might as
> well start off nftables support right by making it the default.
>
> Distros that aren't quite ready to default to nftables (e.g. maybe
> they're rebasing libvirt within a release and don't want to surprise
> anyone with an automatic switch from iptables to nftables) can simply
> run meson with "-Dfirewall_backend=iptables" during their official
> package build.
>
> In the extremely unlikely case that this causes a problem for a user,
> they can work around the failure by adding "<driver name='qemu'/>" to
> the guest <interface> element.
>
> Signed-off-by: Laine Stump <laine@xxxxxxxxxx>
> ---
>  meson_options.txt | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
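The commit message above names the exact combination that can break once nftables is the default: a virtio-net interface on a libvirt virtual network, using vhost (i.e. without `<driver name='qemu'/>`), in a guest old enough to choke on DHCP replies whose checksum is not fixed up. The following script is an added example, not part of the libvirt patch or this thread: it parses a domain XML document and lists the interfaces that match that combination, so an operator can decide per guest whether the `<driver name='qemu'/>` workaround is needed before switching backends. The sample domain XML is constructed for the example; the function and record names are hypothetical.

```python
# Added example (not from the libvirt patch or the mailing-list thread):
# find virtio-net interfaces attached to a libvirt virtual network that do
# NOT pin the in-QEMU backend with <driver name='qemu'/>. Those interfaces
# use vhost by default, which is the case the commit message says very old
# DHCP guests (e.g. RHEL5) may trip over under the nftables backend, since
# that backend adds no DHCP checksum fix-up rules.
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample domain XML (hypothetical guest), not taken from the page.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>legacy-guest</name>
  <devices>
    <interface type='network'>
      <source network='default'/>
      <model type='virtio'/>
    </interface>
    <interface type='network'>
      <source network='default'/>
      <model type='virtio'/>
      <driver name='qemu'/>
    </interface>
    <interface type='bridge'>
      <source bridge='br0'/>
      <model type='virtio'/>
    </interface>
    <interface type='network'>
      <source network='default'/>
      <model type='e1000'/>
    </interface>
  </devices>
</domain>
"""


def vhost_virtio_on_libvirt_network(domain_xml: str) -> List[Dict[str, Optional[object]]]:
    """Return one record per <interface> that matches all of:
       - type='network'          (attached to a libvirt virtual network)
       - <model type='virtio'/>  (virtio-net)
       - no <driver name='qemu'/> (so vhost packet processing is in use)
    The index is the position of the interface among all <interface> elements.
    """
    root = ET.fromstring(domain_xml)
    hits: List[Dict[str, Optional[object]]] = []
    for idx, iface in enumerate(root.iter("interface")):
        if iface.get("type") != "network":
            continue  # bridge/direct/user interfaces are not behind libvirt's firewall rules
        model = iface.find("model")
        if model is None or model.get("type") != "virtio":
            continue  # only virtio-net has a vhost backend
        driver = iface.find("driver")
        if driver is not None and driver.get("name") == "qemu":
            continue  # vhost explicitly disabled: the workaround is already applied
        source = iface.find("source")
        hits.append({
            "index": idx,
            "network": source.get("network") if source is not None else None,
        })
    return hits


def suggested_workaround(record: Dict[str, Optional[object]]) -> str:
    """Human-readable hint for one flagged interface (hypothetical helper)."""
    return ("interface #%s on network %r: add <driver name='qemu'/> if the guest "
            "OS is too old to accept DHCP replies without the checksum fix-up"
            % (record["index"], record["network"]))


if __name__ == "__main__":
    flagged = vhost_virtio_on_libvirt_network(SAMPLE_DOMAIN_XML)
    for rec in flagged:
        print(suggested_workaround(rec))
    print("%d interface(s) flagged" % len(flagged))
```

Only the first interface is reported: the second already carries `<driver name='qemu'/>`, the third is on a host bridge rather than a libvirt network, and the fourth is an e1000 model with no vhost backend. For a real host, feed the script the output of `virsh dumpxml <domain>` instead of the constructed sample.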