On Thu, Jun 13, 2024 at 05:33:43PM +0100, Daniel P. Berrangé wrote:
> On Wed, Jun 12, 2024 at 07:31:51PM -0400, Laine Stump wrote:
> > On 6/12/24 2:32 PM, Roman Bogorodskiy wrote:
> > >
> > > Unfortunately, I don't have access to that setup anymore and I haven't
> > > re-created it yet. IIRC, it could probably show some warnings about
> > > missing iptables, but it didn't affect anything for me.
> >
> > I'm surprised that there wasn't a fatal error while starting the network
> > though.
>
> Having actually looked at the code again, the answer is amusingly/depressingly
> obvious.... we already implemented a NULL firewall driver, which is used on
> non-Linux, many years ago:
>
> See bridge_driver_platform.c, which does:
>
>   #if defined(__linux__)
>   # include "bridge_driver_linux.c"
>   #else
>   # include "bridge_driver_nop.c"
>   #endif
>
> The bridge_driver_nop.c simply does nothing and returns success for
> everything. So all the different virtual network modes "work" in
> so much as libvirt can start them, but they don't work in the sense
> that we're never creating the firewall rules to implement NAT, etc.
>
> So the root cause here is that our "firewall_backend" config logic
> completely forgot that the 'nop' driver already existed, and offers
> no way to configure it. This is quite simple to address.

I've sent a patch that ought to fix this problem, though I admit I have
not actually tried it on FreeBSD.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|