On Mon, Jun 10, 2024 at 09:10:08PM +0200, Roman Bogorodskiy wrote:
> Laine Stump wrote:
>
> > This patch series enables libvirt to use nftables rules rather than
> > iptables *when setting up virtual networks* (it does *not* add
> > nftables support to the nwfilter driver). It accomplishes this by
> > abstracting several iptables functions (from viriptables.[ch]) called
> > by the virtual network driver into a rudimentary "virNetfilter API"
> > (in virnetfilter.[ch]), having the virtual network driver call the
> > virNetFilter API rather than calling the existing iptables functions
> > directly, and then finally adding an equivalent virNftables backend
> > that can be used instead of iptables (selected manually via a
> > network.conf setting, or automatically if iptables isn't found on the
> > host).
>
> [resend to a proper list]
>
> Hi,
>
> Apparently, I'm late to the discussion.
>
> I noticed that now I cannot use the bridge driver on FreeBSD as it's
> failing to initialize both iptables and nftables backends (which is
> expected).
>
> What would be a good way to address that? I see at least two options:
>
> 1. Add a Noop firewall driver
> 2. Implement a "real" FreeBSD driver based either on pf or ipfw (that's
>    been on my TODO list forever, but I somehow got stuck on the very first
>    step on choosing between pf and ipfw). This obviously will take much
>    more time.

How about both :-)

There will always be platforms for which no suitable FW driver exists,
so a no-op driver that just returns errors for everything will be
beneficial for many cases. Then you can worry about a real freebsd
driver at your leisure.

With regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|