Patch 4/4 explains the problem and how these patches fix it. Assuming no problems are found (none so far) this should go into 10.10.0, as it solves a regression caused by switching the network driver to the nftables backend.

There was a prior attempt at fixing this that was accepted, pushed, bugs were discovered, and it was reverted (see Patch 4/4 for details). This will hopefully be the final attempt.

Please test with as many different guests as possible, both with nftables backend and iptables backend, and using different guest interface types, etc.

Laine Stump (5):
  util: make it optional to clear existing tc qdiscs/filters in virNetDevBandwidthSet()
  util: put the command that adds a tx filter qdisc into a separate function
  util: don't re-add the qdisc used for tx filters if it already exists
  util: add new "raw" layer for virFirewallCmd objects
  network: add tc filter rule to nftables backend to fix checksum of DHCP responses

 src/libvirt_private.syms               |  1 +
 src/lxc/lxc_driver.c                   |  2 +-
 src/lxc/lxc_process.c                  |  2 +-
 src/network/bridge_driver.c            |  4 +-
 src/network/network_nftables.c         | 69 +++++++++++++++++
 src/qemu/qemu_command.c                |  2 +-
 src/qemu/qemu_driver.c                 |  3 +-
 src/qemu/qemu_hotplug.c                |  4 +-
 src/util/virfirewall.c                 | 74 ++++++++++++-------
 src/util/virfirewall.h                 |  1 +
 src/util/virfirewalld.c                |  1 +
 src/util/virnetdevbandwidth.c          | 70 ++++++++++++++++--
 src/util/virnetdevbandwidth.h          |  4 +
 .../forward-dev-linux.nftables         | 40 ++++++++++
 .../isolated-linux.nftables            | 40 ++++++++++
 .../nat-default-linux.nftables         | 40 ++++++++++
 .../nat-ipv6-linux.nftables            | 40 ++++++++++
 .../nat-ipv6-masquerade-linux.nftables | 40 ++++++++++
 .../nat-many-ips-linux.nftables        | 40 ++++++++++
 .../nat-no-dhcp-linux.nftables         | 40 ++++++++++
 .../nat-port-range-ipv6-linux.nftables | 40 ++++++++++
 .../nat-port-range-linux.nftables      | 40 ++++++++++
 .../nat-tftp-linux.nftables            | 40 ++++++++++
 .../route-default-linux.nftables       | 40 ++++++++++
 tests/virnetdevbandwidthtest.c         |  5 +-
 25 files changed, 639 insertions(+), 43 deletions(-)

--
2.47.0