Re: [PATCH 4/5] util: add new "raw" layer for virFirewallCmd objects

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Nov 25, 2024 at 11:56:31AM -0500, Laine Stump wrote:
> On 11/25/24 5:44 AM, Daniel P. Berrangé wrote:
> > On Fri, Nov 22, 2024 at 04:16:38PM -0500, Laine Stump wrote:
> > > If the layer of a FirewallCmd is "raw", then the first arg is the name
> > > of an arbitrary binary to exec, and the rest are the arguments to that
> > > binary.
> > > 
> > > raw layer doesn't support auto-rollback command creation (any rollback
> > > needs to be added manually with virFirewallAddRollbackCmd()), and also
> > > raw layer isn't supported by the iptables backend (it would have been
> > > straightforward to add, but the iptables backend doesn't need it, and
> > > I didn't want to take the chance of causing a regression in that
> > > code for no good reason).
> > 
> > I guess the obvious question to ask is why you chose to define
> > a "raw" layer, as opposed to defining a "tc" layer ? Being
> > more targetted about the anticipated usage feels better IMHO.
> 
> I thought about that, but while layer is used to figure out the binary name
> for the iptables backend (because the different layers use ebtables,
> iptables, or ip6tables), in the case of the nftables backend all of the
> different layers use "nft" as the binary, and the layer indicates changes in
> a few of the arguments to that command (and really both your suggestion and
> mine are technically messed up, since the layer in the case of this
> checksum-fix filter should really be "ipv4").

Maybe we just shouldn't be pretending this is a firewall command at
all ?

Even with iptables, this really isn't anything to do with traffic
filtering. iptables just happened to be a convenient place to put
the logic in the kernel at the time.

'tc' is the new "convenient" place to put the logic today. How about
putting a virNetDevFixDHCPChecksum()   in virnetdev.h/c ?

and just invoking this API after we've setup nftables rules ?


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux