Re: [PATCH 1/2] network: skip network driver init if no firewall backend is present

users are only using type='bridge'/), then this patch will be fine. If I re-assume to the latter, then: Reviewed-by: Laine Stump (and soon to be Tested-by, but first I have some errands to run :-) but we should make sure they aren't trying to use on platforms with no supported firewall

Re: [libvirt PATCH 00/28] native support for nftables in virtual network driver

On 6/12/24 6:47 AM, Daniel P. Berrangé wrote: On Wed, Jun 12, 2024 at 03:27:24AM -0700, Andrea Bolognani wrote: On Wed, Jun 12, 2024 at 09:57:15AM GMT, Daniel P. Berrangé wrote: On Wed, Jun 12, 2024 at 01:54:47AM -0700, Andrea Bolognani wrote: Is there much of a difference between having an

Re: [PATCH 2/2] network: don't attempt to initialize if non-privileged

; +} + Reviewed-by: Laine Stump About once every 3 or 4 years I've wondered why we load the network driver for unprivileged libvirt, since it's unusable. I haven't had the attention span to ask anyone and write this patch though :-)

[libvirt PATCH 00/28] native support for nftables in virtual network driver

-sending my response, but to the new mailing list :-)) On 6/10/24 2:54 PM, Roman Bogorodskiy wrote: Laine Stump wrote: This patch series enables libvirt to use nftables rules rather than iptables *when setting up virtual networks* (it does *not* add nftables support to the nwfilter driver

Re: [PATCH] network: allow for forward dev to be a transient interface

On 6/7/24 4:44 PM, Daniel P. Berrangé wrote: On Fri, Jun 07, 2024 at 01:33:30PM -0400, Laine Stump wrote: A user reported that if they set starting the network would fail if the device 'blah' didn't already exist. This is caused by using "iif" and "oif" in nft

[PATCH] network: allow for forward dev to be a transient interface

two integers (ifindex), but they don't require the interface to exist when the rule is added, and they can properly cope with the named interface being deleted and re-added later. Fixes: a4f38f6ffe6a9edc001d18890ccfc3f38e72fb94 Signed-off-by: Laine Stump --- src/network/network_nftables.c | 10 +

Re: [PATCH 1/3] meson: Improve default firewall backend configuration

On 5/28/24 12:59 PM, Andrea Bolognani wrote: On Tue, May 28, 2024 at 12:50:51PM GMT, Laine Stump wrote: On 5/28/24 12:31 PM, Pavel Hrdina wrote: On Tue, May 28, 2024 at 05:49:19PM +0200, Andrea Bolognani wrote: + if (not firewall_backend_priority.contains('nftables

Re: [PATCH 1/3] meson: Improve default firewall backend configuration

On 5/28/24 12:31 PM, Pavel Hrdina wrote: On Tue, May 28, 2024 at 05:49:19PM +0200, Andrea Bolognani wrote: The current implementation requires users to configure the preference as such: -Dfirewall_backend_default_1=iptables -Dfirewall_backend_default_2=nftables In addition to being more

Re: [PATCH 1/3] meson: Improve default firewall backend configuration

On 5/28/24 11:49 AM, Andrea Bolognani wrote: The current implementation requires users to configure the preference as such: -Dfirewall_backend_default_1=iptables -Dfirewall_backend_default_2=nftables In addition to being more verbose than one would hope, there are several things that

Re: [PATCH 0/3] meson: Improve default firewall backend configuration

firewall backends explicitly Reviewed-by: Laine Stump Thanks for doing this - I had put "make the backend default selection better" on a *mental* list, but not a physical list, and then I forgot (easy to forget because doing things in a meson build file is for me an exercise

[PATCH] NEWS: document nftables support in network driver

Signed-off-by: Laine Stump --- NEWS.rst | 10 ++ 1 file changed, 10 insertions(+) diff --git a/NEWS.rst b/NEWS.rst index 42b0f88128..14505116b1 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -33,6 +33,16 @@ v10.4.0 (unreleased) . This model is available from QEMU 8.2.0 onwards

[PATCH v5 31/30] network: use iif/oif instead of iifname/oifname in nftables rules

in ifindex changing), but for our uses this never happens, so Xif works for us, and undoubtedly improves performance by at least 0.001%. Signed-off-by: Laine Stump --- src/network/network_nftables.c| 28 +-- .../nat-default-linux.nftables| 12

Re: [PATCH v5 12/30] network: support setting firewallBackend from network.conf

On 5/22/24 10:36 AM, Daniel P. Berrangé wrote: On Mon, May 20, 2024 at 12:14:26PM -0400, Laine Stump wrote: [...] That is taken care of by [see [*] below], but I'll add this suggestion anyway to reduce the brain cells required for someone reading through the code :-) (and also as a backup

Re: [PATCH v5 24/30] network: add an nftables backend for network driver's firewall construction

On 5/22/24 10:44 AM, Daniel P. Berrangé wrote: On Tue, May 21, 2024 at 03:40:54PM -0400, Laine Stump wrote: On 5/17/24 1:30 PM, Laine Stump wrote: +virFirewallAddCmd(fw, layer, "insert", "rule", + nftablesLay

Re: [PATCH v5 24/30] network: add an nftables backend for network driver's firewall construction

On 5/17/24 1:30 PM, Laine Stump wrote: +virFirewallAddCmd(fw, layer, "insert", "rule", + nftablesLayerTypeToString(layer), + VIR_NFTABLES_PRIVATE_TABLE, + VIR_NFTABLES_FWD_X_CHAIN, +

Re: [PATCH v5 12/30] network: support setting firewallBackend from network.conf

On 5/20/24 6:14 AM, Daniel P. Berrangé wrote: On Fri, May 17, 2024 at 01:29:49PM -0400, Laine Stump wrote: It still can have only one useful value ("iptables"), but once a 2nd value is supported, it will be selectable by setting "firewall_backend=nftables" in /etc/

Re: [PATCH v5 00/30] native support for nftables in virtual network driver

On 5/20/24 5:39 AM, Daniel P. Berrangé wrote: On Fri, May 17, 2024 at 01:29:37PM -0400, Laine Stump wrote: V4: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/HX3RDEIQYJ6IOS2TDQANFKCKAXJMKCJN/#HX3RDEIQYJ6IOS2TDQANFKCKAXJMKCJN V3: https://lists.libvirt.org/archives/list

[PATCH v5 24/30] network: add an nftables backend for network driver's firewall construction

though it should be very safe to change the default backend from iptables to nftables, that change is left for a later patch, to show how the change in default can be undone if someone really needs to do that. Signed-off-by: Laine Stump --- meson.build | 5 + meson_op

[PATCH v5 25/30] tests: test cases for nftables backend

. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- .../{base.args => base.iptables} | 0 tests/networkxml2firewalldata/base.nftables | 256 ++ ...-linux.args => nat-default-linux.iptables} | 0 .../nat-default-linux.nftables

[PATCH v5 29/30] network: rename chains used by network driver nftables backend

ns). Also (again because nobody else is using the private "libvirt_network" table) we can directly put our rules into the input ("guest_to_host"), output ("host_to_guest"), and postrouting ("guest_nat") chains rather than creating a subordinate chain as done in

[PATCH v5 28/30] network: name the nftables table "libvirt_network" rather than "libvirt"

This way when we implement nftables for the nwfilter driver, we can create a separate table called "libvirt_nwfilter" and everything will look all symmetrical and stuff. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/network/network_nftables.c

[PATCH v5 30/30] network: eliminate pointless host input/output rules from nftables backend

fault", makes it possible to eliminate the individual accept rules for DHCP, DNS, and TFTP. And once those rules are eliminated, there is no longer any need for the guest_to_host or host_to_guest tables. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/network/network_n

[PATCH v5 27/30] spec: require nftables rather than iptables for newer RHEL/Fedora

It will still be possible to install iptables and use the iptables backend, but we'll be showing a greater preference for nftables, which is the proper thing to be doing. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- libvirt.spec.in | 4 1 file changed, 4 insertions

[PATCH v5 21/30] network: use previously saved list of firewall removal commands

libvirtd/virtnetworkd will remove all the rules that had been previously added (based on the network status), and then add new rules (saving the new removal commands back into the network status) Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/network/bridge_driver.c

[PATCH v5 19/30] util: new functions virFirewallParseXML() and virFirewallFormat()

These functions convert a virFirewall object to/from XML so that it can be serialized to disk (in a virNetworkObj's status file) and restored later (e.g. after libvirtd/virtnetworkd is restarted). Signed-off-by: Laine Stump --- src/libvirt_private.syms | 2 + src/util/virfirewall.c | 219

[PATCH v5 26/30] network: prefer the nftables backend over iptables

meson with "-Dfirewall_backend=iptables" during their official package build. In the extremely unlikely case that this causes a problem for a user, they can work around the failure by adding " to the guest element. Signed-off-by: Laine Stump --- meson_options.txt | 4 ++-- 1

[PATCH v5 23/30] meson: stop looking for iptables/ip6tables/ebtables at build time

no longer need iptables or iptables at build time, we can also drop the BuildRequires for them from the rpm specfile. Inspired-by: 6aa2fa38b04b802f137e51ebbeb4ca9b67487575 Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- libvirt.spec.in | 2 -- meson.build

[PATCH v5 22/30] network: save network status when firewall rules are reloaded

to perform the firewall removal. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/conf/virnetworkobj.c| 1 + src/network/bridge_driver.c | 8 +++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/src/conf/virnetworkobj.c b/src/conf/virnetworkobj.c index

[PATCH v5 20/30] conf: add a virFirewall object to virNetworkObj

ses of the fwRemoval object in the virNetworkObj yet, but everything is in place to add it to the XML when formatted, parse it from the XML when reading network status, and free the virFirewall object when the virNetworkObj is freed. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/

[PATCH v5 18/30] util: new function virFirewallNewFromRollback()

k. Signed-off-by: Laine Stump --- src/libvirt_private.syms | 1 + src/util/virfirewall.c | 59 src/util/virfirewall.h | 1 + 3 files changed, 61 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 9897caea21..4e6a113

[PATCH v5 10/30] util/network: new virFirewallBackend enum

is in the code). Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/libvirt_private.syms | 3 +++ src/network/network_iptables.c| 6 +++--- src/nwfilter/nwfilter_ebiptables_driver.c | 16 src/util/virebtables.c

[PATCH v5 15/30] util: implement rollback rule autocreation for iptables commands

firewall, we can just run those commands. This isn't yet used anywhere, since VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK isn't being set. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/util/virfirewall.c | 55 -- 1 file changed, 48 insertions

[PATCH v5 17/30] util: add name attribute to virFirewall

This will be used to label (via "name='blah'") a firewall when it is formatted to XML and written to the network status. Signed-off-by: Laine Stump --- src/libvirt_private.syms | 2 ++ src/util/virfirewall.c | 20 +++- src/util/virfirewall.h | 2 ++ 3 files c

[PATCH v5 12/30] network: support setting firewallBackend from network.conf

to change the ordering of the auto-detection when no backend is set in network.conf). virNetworkLoadDriverConfig() may look more complicated than necessary, but as additional backends are added, it will be easier to add checks for those backends (and to re-order the checks based on b

[PATCH v5 16/30] network: turn on auto-rollback for the rules added for virtual networks

for the network when it is destroyed. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/network/network_iptables.c | 15 +++ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index db35a4c5a0..467d43c1e9

[PATCH v5 02/30] network: move all functions manipulating iptables rules into network_iptables.c

-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/network/bridge_driver_linux.c | 556 + src/network/network_iptables.c| 562 +- src/network/network_iptables.h| 7 +- 3 files changed, 574 insertions(+), 551 deletions(-) diff

[PATCH v5 14/30] util: new functions to support adding individual firewall rollback commands

Flags() API), and 2) add a new command to the current group's rollback command list (with the new virFirewallAddRollbackCmd()). We will actually use this capability in an upcoming patch. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/libvirt_private.syms | 1 + src/util/v

[PATCH v5 11/30] network: add (empty) network.conf file to distribution files

This file is generated from network.conf.in because it will soon have an item that must be modified according to meson buildtime config. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- libvirt.spec.in | 3 ++ src/network/libvirtd_network.aug

[PATCH v5 13/30] network: framework to call backend-specific function to init private filter chains

y argument to specify backend). (If it turns out to be significant, we could optimize this by checking for chainInitDone outside the lock guard, returning immediately if it's already set, and then moving the setting of chainInitDone up to the top of the guarded section.) Signed-off-by: Laine Stump

[PATCH v5 00/30] native support for nftables in virtual network driver

riptive, and lower case rather than all caps. * eliminated all the guest->host and host->guest rules since they are redundant in nftables. Laine Stump (30): util/network: move viriptables.[ch] from util to network directory network: move all functions manipulating iptables rules into

[PATCH v5 01/30] util/network: move viriptables.[ch] from util to network directory

-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- po/POTFILES | 2 +- src/libvirt_private.syms | 31 --- src/network/bridge_driver_linux.c | 2 +- src/network/meson.build | 1

[PATCH v5 09/30] util: determine ignoreErrors value when creating virFirewallCmd, not when applying

() rather than cluttering up the argument list on the entire call chain. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/util/virfirewall.c | 28 +--- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/src/util/virfirewall.c b/src/util/virf

[PATCH v5 08/30] util: add -w/--concurrent when applying a FirewallCmd rather than when building it

at the same time). We can just as well add in the -w/--concurrent during virFirewallApplyCmd, so move the arg-add to ApplyCmd to keep AddCmd simple. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/util/virfirewall.c | 27 +-- 1 file changed, 13 insertions(+), 14

[PATCH v5 06/30] util: rename virNetFilterAction to iptablesAction, and add VIR_ENUM_DECL/IMPL

the values to IPTABLES_ACTION_*, and taking advantage of the newly defined (via VIR_ENUM_DECL/IMPL) iptablesActionTypeToString() to replace all the ternary operators used to translate the enum into a string for the iptables commandline with iptablesActionTypeToString(). Signed-off-by: Laine Stump

[PATCH v5 04/30] util: #define the names used for private packet filter chains

Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/network/network_iptables.c | 51 +++--- 1 file changed, 29 insertions(+), 22 deletions(-) diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index 697ad5d8d6..ac3e60b79f

[PATCH v5 07/30] util: check for 0 args when applying iptables rule

permanently check for it. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/util/virfirewall.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 902cb8e445..1897a66070 100644 --- a/src/util/virfirewall.c +++ b/src/util

[PATCH v5 03/30] network: make all iptables functions used only in network_iptables.c static

Now that the toplevel iptables functions have been moved out of the linux bridge driver into network_iptables.c, all of the utility functions are used only within that same file, so simplify it. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/network/network_iptables.c | 52

Re: [PATCH v4 12/30] network: support setting firewallBackend from network.conf

On 5/2/24 8:20 AM, Daniel P. Berrangé wrote: On Tue, Apr 30, 2024 at 01:44:01PM -0400, Laine Stump wrote: It still can have only one useful value ("iptables"), but once a 2nd value is supported, it will be selectable by setting "firewall_backend=nftables" in /etc/

[PATCH v4 24/30] network: add an nftables backend for network driver's firewall construction

ior between the iptables and nftables backends is that noted in item (2) above, we could instead decide to make nftables the default backend rather than iptables - it all depends on how important it is to work properly on 15 year old guest OSes using DHCP with virtio-net interfaces). Signed-off-b

[PATCH v4 25/30] tests: test cases for nftables backend

. Signed-off-by: Laine Stump --- .../{base.args => base.iptables} | 0 tests/networkxml2firewalldata/base.nftables | 256 ++ ...-linux.args => nat-default-linux.iptables} | 0 .../nat-default-linux.nftables| 248 + ...pv6-linux.args =>

[PATCH v4 28/30] network: name the nftables table "libvirt_network" rather than "libvirt"

This way when we implement nftables for the nwfilter driver, we can create a separate table called "libvirt_nwfilter" and everything will look all symmetrical and stuff. Signed-off-by: Laine Stump --- src/network/network_nftables.c| 2 +- .../nat-default-linu

[PATCH v4 30/30] network: eliminate pointless host input/output rules from nftables backend

fault", makes it possible to eliminate the individual accept rules for DHCP, DNS, and TFTP. And once those rules are eliminated, there is no longer any need for the guest_to_host or host_to_guest tables. Signed-off-by: Laine Stump --- I've just #ifdef'ed out the code that adds these rules so that

[PATCH v4 29/30] network: rename chains used by network driver nftables backend

ns). Also (again because nobody else is using the private "libvirt_network" table) we can directly put our rules into the input ("guest_to_host"), output ("host_to_guest"), and postrouting ("guest_nat") chains rather than creating a subordinate chain as done in

[PATCH v4 21/30] network: use previously saved list of firewall removal commands

libvirtd/virtnetworkd will remove all the rules that had been previously added (based on the network status), and then add new rules (saving the new removal commands back into the network status) Signed-off-by: Laine Stump == NB: the current implementation saves only the commands necessary

[PATCH v4 20/30] conf: add a virFirewall object to virNetworkObj

ses of the fwRemoval object in the virNetworkObj yet, but everything is in place to add it to the XML when formatted, parse it from the XML when reading network status, and free the virFirewall object when the virNetworkObj is freed. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/

[PATCH v4 19/30] util: new functions virFirewallParseXML() and virFirewallFormat()

These functions convert a virFirewall object to/from XML so that it can be serialized to disk (in a virNetworkObj's status file) and restored later (e.g. after libvirtd/virtnetworkd is restarted). Signed-off-by: Laine Stump --- src/libvirt_private.syms | 2 + src/util/virfirewall.c | 219

[PATCH v4 26/30] network: prefer the nftables backend over iptables

meson with "-Dfirewall_backend=iptables" during their official package build. In the extremely unlikely case that this causes a problem for a user, they can work around the failure by adding " to the guest element. Signed-off-by: Laine Stump --- meson_options.txt | 2 +- 1 file chang

[PATCH v4 27/30] spec: require either iptables or nftables if network driver is installed

This makes it possible to uninstall iptables, as long as nftables is installed. Signed-off-by: Laine Stump --- libvirt.spec.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libvirt.spec.in b/libvirt.spec.in index 05f7a7e7c0..55f32172b3 100644 --- a/libvirt.spec.in +++ b

[PATCH v4 09/30] util: determine ignoreErrors value when creating virFirewallCmd, not when applying

() rather than cluttering up the argument list on the entire call chain. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/util/virfirewall.c | 28 +--- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/src/util/virfirewall.c b/src/util/virf

[PATCH v4 23/30] meson: stop looking for iptables/ip6tables/ebtables at build time

no longer need iptables or iptables at build time, we can also drop the BuildRequires for them from the rpm specfile. Inspired-by: 6aa2fa38b04b802f137e51ebbeb4ca9b67487575 Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- libvirt.spec.in | 2 -- meson.build

[PATCH v4 22/30] network: save network status when firewall rules are reloaded

to perform the firewall removal. Signed-off-by: Laine Stump --- src/conf/virnetworkobj.c| 1 + src/network/bridge_driver.c | 8 +++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/src/conf/virnetworkobj.c b/src/conf/virnetworkobj.c index f5db4c5804..19305798cb 100644

[PATCH v4 12/30] network: support setting firewallBackend from network.conf

onf.in at build time, and the advertised default setting of firewall_backend (in a commented out line) is set from the meson_options.txt setting "firewall_backend". This way the conf file will have correct information no matter what default backend is chosen at build time. Signed-off-by: Lain

[PATCH v4 18/30] util: new function virFirewallNewFromRollback()

k. Signed-off-by: Laine Stump --- src/libvirt_private.syms | 1 + src/util/virfirewall.c | 59 src/util/virfirewall.h | 1 + 3 files changed, 61 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 9e16ae4225..42d2f94

[PATCH v4 15/30] util: implement rollback rule autocreation for iptables commands

firewall, we can just run those commands. This isn't yet used anywhere, since VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK isn't being set. Signed-off-by: Laine Stump --- src/util/virfirewall.c | 55 -- 1 file changed, 48 insertions(+), 7 deletions(-) diff --git a/src

[PATCH v4 17/30] util: add name attribute to virFirewall

This will be used to label (via "name='blah'") a firewall when it is formatted to XML and written to the network status. Signed-off-by: Laine Stump --- src/libvirt_private.syms | 2 ++ src/util/virfirewall.c | 20 +++- src/util/virfirewall.h | 2 ++ 3 files c

[PATCH v4 10/30] util/network: new virFirewallBackend enum

is in the code). Signed-off-by: Laine Stump --- src/libvirt_private.syms | 3 +++ src/network/network_iptables.c| 6 +++--- src/nwfilter/nwfilter_ebiptables_driver.c | 16 src/util/virebtables.c| 4 ++-- src/util/virfirewall.c

[PATCH v4 11/30] network: add (empty) network.conf file to distribution files

This file is generated from network.conf.in because it will soon have an item that must be modified according to meson buildtime config. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- libvirt.spec.in | 3 ++ src/network/libvirtd_network.aug

[PATCH v4 13/30] network: framework to call backend-specific function to init private filter chains

y argument to specify backend). (If it turns out to be significant, we could optimize this by checking for chainInitDone outside the lock guard, returning immediately if it's already set, and then moving the setting of chainInitDone up to the top of the guarded section.) Signed-off-by: Laine Stump

[PATCH v4 14/30] util: new functions to support adding individual firewall rollback commands

Flags() API), and 2) add a new command to the current group's rollback command list (with the new virFirewallAddRollbackCmd()). We will actually use this capability in an upcoming patch. Signed-off-by: Laine Stump --- src/libvirt_private.syms | 1 + src/util/virfirewall.c | 55

[PATCH v4 16/30] network: turn on auto-rollback for the rules added for virtual networks

for the network when it is destroyed. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/network/network_iptables.c | 15 +++ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index db35a4c5a0..467d43c1e9

[PATCH v4 00/30] [PATCH v3 00/27] native support for nftables in virtual network driver

* renamed the chains to be more descriptive, and lower case rather than all caps. (new patch 29) * eliminated all the guest->host and host->guest rules since they are redundant in nftables. (new patch 30) Laine Stump (30): util/network: move viriptables.[ch] from util to network directory n

[PATCH v4 06/30] util: rename virNetFilterAction to iptablesAction, and add VIR_ENUM_DECL/IMPL

the values to IPTABLES_ACTION_*, and taking advantage of the newly defined (via VIR_ENUM_DECL/IMPL) iptablesActionTypeToString() to replace all the ternary operators used to translate the enum into a string for the iptables commandline with iptablesActionTypeToString(). Signed-off-by: Laine Stump

[PATCH v4 08/30] util: add -w/--concurrent when applying a FirewallCmd rather than when building it

at the same time). We can just as well add in the -w/--concurrent during virFirewallApplyCmd, so move the arg-add to ApplyCmd to keep AddCmd simple. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/util/virfirewall.c | 27 +-- 1 file changed, 13 insertions(+), 14

[PATCH v4 04/30] util: #define the names used for private packet filter chains

Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/network/network_iptables.c | 51 +++--- 1 file changed, 29 insertions(+), 22 deletions(-) diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index 697ad5d8d6..ac3e60b79f

[PATCH v4 03/30] network: make all iptables functions used only in network_iptables.c static

Now that the toplevel iptables functions have been moved out of the linux bridge driver into network_iptables.c, all of the utility functions are used only within that same file, so simplify it. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/network/network_iptables.c | 52

[PATCH v4 01/30] util/network: move viriptables.[ch] from util to network directory

-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- po/POTFILES | 2 +- src/libvirt_private.syms | 31 --- src/network/bridge_driver_linux.c | 2 +- src/network/meson.build | 1

[PATCH v4 07/30] util: check for 0 args when applying iptables rule

permanently check for it. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/util/virfirewall.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 902cb8e445..1897a66070 100644 --- a/src/util/virfirewall.c +++ b/src/util

[PATCH v4 02/30] network: move all functions manipulating iptables rules into network_iptables.c

-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/network/bridge_driver_linux.c | 556 + src/network/network_iptables.c| 562 +- src/network/network_iptables.h| 7 +- 3 files changed, 574 insertions(+), 551 deletions(-) diff

Re: [PATCH v3 00/27] [PATCH v3 00/27] native support for nftables in virtual network driver

On 4/25/24 1:22 PM, Daniel P. Berrangé wrote: On Thu, Apr 25, 2024 at 01:38:06AM -0400, Laine Stump wrote: V2: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/5RTZ6PC3N3CO6X353QUHLVOL43SWQ4JD/ This patch series enables libvirt to use nftables rules rather than iptables

Re: [PATCH v3 00/27] [PATCH v3 00/27] native support for nftables in virtual network driver

On 4/26/24 6:24 AM, Daniel P. Berrangé wrote: On Thu, Apr 25, 2024 at 06:22:33PM +0100, Daniel P. Berrangé wrote: On Thu, Apr 25, 2024 at 01:38:06AM -0400, Laine Stump wrote: V2: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/5RTZ6PC3N3CO6X353QUHLVOL43SWQ4JD

Re: [PATCH v3 12/27] network: support setting firewallBackend from network.conf

On 4/25/24 12:30 PM, Daniel P. Berrangé wrote: On Thu, Apr 25, 2024 at 01:38:18AM -0400, Laine Stump wrote: It still can have only one useful value ("iptables"), but once a 2nd value is supported, it will be selectable by setting "firewall_backend=nftables" in /etc/

Re: [PATCH v3 20/27] conf: add a virFirewall object to virNetworkObj

On 4/25/24 12:33 PM, Daniel P. Berrangé wrote: On Thu, Apr 25, 2024 at 01:38:26AM -0400, Laine Stump wrote: This virFirewall object will store the list of actions required to remove the firewall that was added for the currently active instance of the network, so it has been named "fwRe

Re: [PATCH v3 00/27] [PATCH v3 00/27] native support for nftables in virtual network driver

, where you can find them at: https://gitlab.com/lainestump/libvirt/tree/nftrereboot-7 or alternately, just change the 2nd "IPTABLES" above to "NFTABLES" in patch 24/27. w On 4/25/24 1:38 AM, Laine Stump wrote: V2: https://lists.libvirt.org/archives/list/devel@list

[PATCH v3 25/27] tests: test cases for nftables backend

. Signed-off-by: Laine Stump --- Change from V2: * add in the chunk about looking for "-ae" option that had been accidentally put in patch 16. .../{base.args => base.iptables} | 0 tests/networkxml2firewalldata/base.nftables | 256 ++ ...-linux.args =

[PATCH v3 24/27] network: add an nftables backend for network driver's firewall construction

ior between the iptables and nftables backends is that noted in item (2) above, we could instead decide to make nftables the default backend rather than iptables - it all depends on how important it is to work properly on 15 year old guest OSes using DHCP with virtio-net interfaces). Signed-off-by:

[PATCH v3 12/27] network: support setting firewallBackend from network.conf

onf.in at build time, and the advertised default setting of firewall_backend (in a commented out line) is set from the meson_options.txt setting "firewall_backend". This way the conf file will have correct information no matter what default backend is chosen at build time. Signed-off-by: Lain

[PATCH v3 21/27] network: use previously saved list of firewall removal commands

libvirtd/virtnetworkd will remove all the rules that had been previously added (based on the network status), and then add new rules (saving the new removal commands back into the network status) Signed-off-by: Laine Stump == NB: the current implementation saves only the commands necessary

[PATCH v3 23/27] meson: stop looking for iptables/ip6tables/ebtables at build time

no longer need iptables or iptables at build time, we can also drop the BuildRequires for them from the rpm specfile. Inspired-by: 6aa2fa38b04b802f137e51ebbeb4ca9b67487575 Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- Change from V2: * This was 2 patches in V2 (22 & 23), combined

[PATCH v3 26/27] network: prefer the nftables backend over iptables

meson with "-Dfirewall_backend=iptables" during their official package build. In the extremely unlikely case that this causes a problem for a user, they can work around the failure by adding " to the guest element. Signed-off-by: Laine Stump --- Change from V2: * greatly simplif

[PATCH v3 27/27] spec: require either iptables or nftables if network driver is installed

This makes it possible to uninstall iptables, as long as nftables is installed. Signed-off-by: Laine Stump --- Change from V2: * Require one or the other instead of recommending both. libvirt.spec.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libvirt.spec.in b

[PATCH v3 22/27] network: save network status when firewall rules are reloaded

to perform the firewall removal. Signed-off-by: Laine Stump --- src/conf/virnetworkobj.c| 1 + src/network/bridge_driver.c | 8 +++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/src/conf/virnetworkobj.c b/src/conf/virnetworkobj.c index fef4c69004..228d0a6585 100644

[PATCH v3 04/27] util: #define the names used for private packet filter chains

Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/network/network_iptables.c | 51 +++--- 1 file changed, 29 insertions(+), 22 deletions(-) diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index 697ad5d8d6..ac3e60b79f

[PATCH v3 15/27] util: implement rollback rule autocreation for iptables commands

firewall, we can just run those commands. This isn't yet used anywhere, since VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK isn't being set. Signed-off-by: Laine Stump --- Change from V2: * change VIR_IPTABLES_ARG_IS_INSERT to VIR_IPTABLES_ARG_IS_CREATE src/util/virfirewall.c | 55

[PATCH v3 19/27] util: new functions virFirewallParseXML() and virFirewallFormat()

These functions convert a virFirewall object to/from XML so that it can be serialized to disk (in a virNetworkObj's status file) and restored later (e.g. after libvirtd/virtnetworkd is restarted). Signed-off-by: Laine Stump --- Change from V2: * report nargs == 0 as an error rather than

[PATCH v3 20/27] conf: add a virFirewall object to virNetworkObj

ses of the fwRemoval object in the virNetworkObj yet, but everything is in place to add it to the XML when formatted, parse it from the XML when reading network status, and free the virFirewall object when the virNetworkObj is freed. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- C

[PATCH v3 17/27] util: add name attribute to virFirewall

This will be used to label (via "name='blah'") a firewall when it is formatted to XML and written to the network status. Signed-off-by: Laine Stump --- This is new in V3. src/libvirt_private.syms | 2 ++ src/util/virfirewall.c | 20 +++- src/util/virfirewall.h

[PATCH v3 13/27] network: framework to call backend-specific function to init private filter chains

y argument to specify backend). (If it turns out to be significant, we could optimize this by checking for chainInitDone outside the lock guard, returning immediately if it's already set, and then moving the setting of chainInitDone up to the top of the guarded section.) Signed-off-by: Laine Stump

[PATCH v3 11/27] network: add (empty) network.conf file to distribution files

This file is generated from network.conf.in because it will soon have an item that must be modified according to meson buildtime config. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- libvirt.spec.in | 3 ++ src/network/libvirtd_network.aug

[PATCH v3 07/27] util: check for 0 args when applying iptables rule

permanently check for it. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- src/util/virfirewall.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 902cb8e445..1897a66070 100644 --- a/src/util/virfirewall.c +++ b/src/util

[PATCH v3 14/27] util: new functions to support adding individual firewall rollback commands

Flags() API), and 2) add a new command to the current group's rollback command list (with the new virFirewallAddRollbackCmd()). We will actually use this capability in an upcoming patch. Signed-off-by: Laine Stump --- src/libvirt_private.syms | 1 + src/util/virfirewall.c | 55

  1   2   3   >