users are only using type='bridge'/), then this patch will be fine.
If I re-assume to the latter, then:
Reviewed-by: Laine Stump
(and soon to be Tested-by, but first I have some errands to run :-)
but we should make sure they aren't trying to use
on platforms with no supported firewall
On 6/12/24 6:47 AM, Daniel P. Berrangé wrote:
On Wed, Jun 12, 2024 at 03:27:24AM -0700, Andrea Bolognani wrote:
On Wed, Jun 12, 2024 at 09:57:15AM GMT, Daniel P. Berrangé wrote:
On Wed, Jun 12, 2024 at 01:54:47AM -0700, Andrea Bolognani wrote:
Is there much of a difference between having an
;
+}
+
Reviewed-by: Laine Stump
About once every 3 or 4 years I've wondered why we load the network
driver for unprivileged libvirt, since it's unusable. I haven't had the
attention span to ask anyone and write this patch though :-)
-sending my response, but to the new mailing list :-))
On 6/10/24 2:54 PM, Roman Bogorodskiy wrote:
Laine Stump wrote:
This patch series enables libvirt to use nftables rules rather than
iptables *when setting up virtual networks* (it does *not* add
nftables support to the nwfilter driver
On 6/7/24 4:44 PM, Daniel P. Berrangé wrote:
On Fri, Jun 07, 2024 at 01:33:30PM -0400, Laine Stump wrote:
A user reported that if they set
starting the network would fail if the device 'blah' didn't already
exist.
This is caused by using "iif" and "oif" in nft
two integers (ifindex), but they don't require the interface to exist
when the rule is added, and they can properly cope with the named
interface being deleted and re-added later.
Fixes: a4f38f6ffe6a9edc001d18890ccfc3f38e72fb94
Signed-off-by: Laine Stump
---
src/network/network_nftables.c | 10 +
On 5/28/24 12:59 PM, Andrea Bolognani wrote:
On Tue, May 28, 2024 at 12:50:51PM GMT, Laine Stump wrote:
On 5/28/24 12:31 PM, Pavel Hrdina wrote:
On Tue, May 28, 2024 at 05:49:19PM +0200, Andrea Bolognani wrote:
+ if (not firewall_backend_priority.contains('nftables
On 5/28/24 12:31 PM, Pavel Hrdina wrote:
On Tue, May 28, 2024 at 05:49:19PM +0200, Andrea Bolognani wrote:
The current implementation requires users to configure the
preference as such:
-Dfirewall_backend_default_1=iptables
-Dfirewall_backend_default_2=nftables
In addition to being more
On 5/28/24 11:49 AM, Andrea Bolognani wrote:
The current implementation requires users to configure the
preference as such:
-Dfirewall_backend_default_1=iptables
-Dfirewall_backend_default_2=nftables
In addition to being more verbose than one would hope, there
are several things that
firewall backends explicitly
Reviewed-by: Laine Stump
Thanks for doing this - I had put "make the backend default selection
better" on a *mental* list, but not a physical list, and then I forgot
(easy to forget because doing things in a meson build file is for me an
exercise
Signed-off-by: Laine Stump
---
NEWS.rst | 10 ++
1 file changed, 10 insertions(+)
diff --git a/NEWS.rst b/NEWS.rst
index 42b0f88128..14505116b1 100644
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -33,6 +33,16 @@ v10.4.0 (unreleased)
. This model is available from QEMU 8.2.0
onwards
in ifindex
changing), but for our uses this never happens, so Xif works for us,
and undoubtedly improves performance by at least 0.001%.
Signed-off-by: Laine Stump
---
src/network/network_nftables.c| 28 +--
.../nat-default-linux.nftables| 12
On 5/22/24 10:36 AM, Daniel P. Berrangé wrote:
On Mon, May 20, 2024 at 12:14:26PM -0400, Laine Stump wrote:
[...]
That is taken care of by [see [*] below], but I'll add this suggestion
anyway to reduce the brain cells required for someone reading through the
code :-) (and also as a backup
On 5/22/24 10:44 AM, Daniel P. Berrangé wrote:
On Tue, May 21, 2024 at 03:40:54PM -0400, Laine Stump wrote:
On 5/17/24 1:30 PM, Laine Stump wrote:
+virFirewallAddCmd(fw, layer, "insert", "rule",
+ nftablesLay
On 5/17/24 1:30 PM, Laine Stump wrote:
+virFirewallAddCmd(fw, layer, "insert", "rule",
+ nftablesLayerTypeToString(layer),
+ VIR_NFTABLES_PRIVATE_TABLE,
+ VIR_NFTABLES_FWD_X_CHAIN,
+
On 5/20/24 6:14 AM, Daniel P. Berrangé wrote:
On Fri, May 17, 2024 at 01:29:49PM -0400, Laine Stump wrote:
It still can have only one useful value ("iptables"), but once a 2nd
value is supported, it will be selectable by setting
"firewall_backend=nftables" in /etc/
On 5/20/24 5:39 AM, Daniel P. Berrangé wrote:
On Fri, May 17, 2024 at 01:29:37PM -0400, Laine Stump wrote:
V4:
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/HX3RDEIQYJ6IOS2TDQANFKCKAXJMKCJN/#HX3RDEIQYJ6IOS2TDQANFKCKAXJMKCJN
V3:
https://lists.libvirt.org/archives/list
though it should be very safe to change the default backend from
iptables to nftables, that change is left for a later patch, to show
how the change in default can be undone if someone really needs to do
that.
Signed-off-by: Laine Stump
---
meson.build | 5 +
meson_op
.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
.../{base.args => base.iptables} | 0
tests/networkxml2firewalldata/base.nftables | 256 ++
...-linux.args => nat-default-linux.iptables} | 0
.../nat-default-linux.nftables
ns).
Also (again because nobody else is using the private "libvirt_network"
table) we can directly put our rules into the input ("guest_to_host"),
output ("host_to_guest"), and postrouting ("guest_nat") chains rather
than creating a subordinate chain as done in
This way when we implement nftables for the nwfilter driver, we can
create a separate table called "libvirt_nwfilter" and everything will
look all symmetrical and stuff.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/network/network_nftables.c
fault",
makes it possible to eliminate the individual accept rules for DHCP,
DNS, and TFTP. And once those rules are eliminated, there is no longer
any need for the guest_to_host or host_to_guest tables.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/network/network_n
It will still be possible to install iptables and use the iptables
backend, but we'll be showing a greater preference for nftables, which
is the proper thing to be doing.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
libvirt.spec.in | 4
1 file changed, 4 insertions
libvirtd/virtnetworkd will remove all the
rules that had been previously added (based on the network status),
and then add new rules (saving the new removal commands back into the
network status)
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/network/bridge_driver.c
These functions convert a virFirewall object to/from XML so that it
can be serialized to disk (in a virNetworkObj's status file) and
restored later (e.g. after libvirtd/virtnetworkd is restarted).
Signed-off-by: Laine Stump
---
src/libvirt_private.syms | 2 +
src/util/virfirewall.c | 219
meson with "-Dfirewall_backend=iptables" during their official
package build.
In the extremely unlikely case that this causes a problem for a user,
they can work around the failure by adding " to
the guest element.
Signed-off-by: Laine Stump
---
meson_options.txt | 4 ++--
1
no longer need iptables or iptables at build time, we can
also drop the BuildRequires for them from the rpm specfile.
Inspired-by: 6aa2fa38b04b802f137e51ebbeb4ca9b67487575
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
libvirt.spec.in | 2 --
meson.build
to perform the firewall removal.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/conf/virnetworkobj.c| 1 +
src/network/bridge_driver.c | 8 +++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/conf/virnetworkobj.c b/src/conf/virnetworkobj.c
index
ses of the fwRemoval object in the virNetworkObj yet,
but everything is in place to add it to the XML when formatted, parse
it from the XML when reading network status, and free the virFirewall
object when the virNetworkObj is freed.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/
k.
Signed-off-by: Laine Stump
---
src/libvirt_private.syms | 1 +
src/util/virfirewall.c | 59
src/util/virfirewall.h | 1 +
3 files changed, 61 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 9897caea21..4e6a113
is in the code).
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/libvirt_private.syms | 3 +++
src/network/network_iptables.c| 6 +++---
src/nwfilter/nwfilter_ebiptables_driver.c | 16
src/util/virebtables.c
firewall, we can just run those commands.
This isn't yet used anywhere, since
VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK isn't being set.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/util/virfirewall.c | 55 --
1 file changed, 48 insertions
This will be used to label (via "name='blah'") a firewall when it is
formatted to XML and written to the network status.
Signed-off-by: Laine Stump
---
src/libvirt_private.syms | 2 ++
src/util/virfirewall.c | 20 +++-
src/util/virfirewall.h | 2 ++
3 files c
to change the ordering
of the auto-detection when no backend is set in network.conf).
virNetworkLoadDriverConfig() may look more complicated than necessary,
but as additional backends are added, it will be easier to add checks
for those backends (and to re-order the checks based on b
for the network when it is destroyed.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/network/network_iptables.c | 15 +++
1 file changed, 3 insertions(+), 12 deletions(-)
diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c
index db35a4c5a0..467d43c1e9
-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/network/bridge_driver_linux.c | 556 +
src/network/network_iptables.c| 562 +-
src/network/network_iptables.h| 7 +-
3 files changed, 574 insertions(+), 551 deletions(-)
diff
Flags() API),
and 2) add a new command to the current group's rollback command list (with
the new virFirewallAddRollbackCmd()).
We will actually use this capability in an upcoming patch.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/libvirt_private.syms | 1 +
src/util/v
This file is generated from network.conf.in because it will soon have
an item that must be modified according to meson buildtime config.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
libvirt.spec.in | 3 ++
src/network/libvirtd_network.aug
y argument to specify backend).
(If it turns out to be significant, we could optimize this by checking
for chainInitDone outside the lock guard, returning immediately if
it's already set, and then moving the setting of chainInitDone up to
the top of the guarded section.)
Signed-off-by: Laine Stump
riptive, and lower case rather
than all caps.
* eliminated all the guest->host and host->guest rules since they are
redundant in nftables.
Laine Stump (30):
util/network: move viriptables.[ch] from util to network directory
network: move all functions manipulating iptables rules into
-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
po/POTFILES | 2 +-
src/libvirt_private.syms | 31 ---
src/network/bridge_driver_linux.c | 2 +-
src/network/meson.build | 1
() rather than cluttering up the argument list on the
entire call chain.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/util/virfirewall.c | 28 +---
1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/src/util/virfirewall.c b/src/util/virf
at the same time). We can just as well add in the
-w/--concurrent during virFirewallApplyCmd, so move the arg-add to
ApplyCmd to keep AddCmd simple.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/util/virfirewall.c | 27 +--
1 file changed, 13 insertions(+), 14
the values to IPTABLES_ACTION_*, and taking
advantage of the newly defined (via VIR_ENUM_DECL/IMPL)
iptablesActionTypeToString() to replace all the ternary operators used
to translate the enum into a string for the iptables commandline with
iptablesActionTypeToString().
Signed-off-by: Laine Stump
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/network/network_iptables.c | 51 +++---
1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c
index 697ad5d8d6..ac3e60b79f
permanently check for it.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/util/virfirewall.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 902cb8e445..1897a66070 100644
--- a/src/util/virfirewall.c
+++ b/src/util
Now that the toplevel iptables functions have been moved out of the
linux bridge driver into network_iptables.c, all of the utility
functions are used only within that same file, so simplify it.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/network/network_iptables.c | 52
On 5/2/24 8:20 AM, Daniel P. Berrangé wrote:
On Tue, Apr 30, 2024 at 01:44:01PM -0400, Laine Stump wrote:
It still can have only one useful value ("iptables"), but once a 2nd
value is supported, it will be selectable by setting
"firewall_backend=nftables" in /etc/
ior
between the iptables and nftables backends is that noted in item (2)
above, we could instead decide to make nftables the default backend
rather than iptables - it all depends on how important it is to work
properly on 15 year old guest OSes using DHCP with virtio-net
interfaces).
Signed-off-b
.
Signed-off-by: Laine Stump
---
.../{base.args => base.iptables} | 0
tests/networkxml2firewalldata/base.nftables | 256 ++
...-linux.args => nat-default-linux.iptables} | 0
.../nat-default-linux.nftables| 248 +
...pv6-linux.args =>
This way when we implement nftables for the nwfilter driver, we can
create a separate table called "libvirt_nwfilter" and everything will
look all symmetrical and stuff.
Signed-off-by: Laine Stump
---
src/network/network_nftables.c| 2 +-
.../nat-default-linu
fault",
makes it possible to eliminate the individual accept rules for DHCP,
DNS, and TFTP. And once those rules are eliminated, there is no longer
any need for the guest_to_host or host_to_guest tables.
Signed-off-by: Laine Stump
---
I've just #ifdef'ed out the code that adds these rules so that
ns).
Also (again because nobody else is using the private "libvirt_network"
table) we can directly put our rules into the input ("guest_to_host"),
output ("host_to_guest"), and postrouting ("guest_nat") chains rather
than creating a subordinate chain as done in
libvirtd/virtnetworkd will remove all the
rules that had been previously added (based on the network status),
and then add new rules (saving the new removal commands back into the
network status)
Signed-off-by: Laine Stump
==
NB: the current implementation saves only the commands necessary
ses of the fwRemoval object in the virNetworkObj yet,
but everything is in place to add it to the XML when formatted, parse
it from the XML when reading network status, and free the virFirewall
object when the virNetworkObj is freed.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/
These functions convert a virFirewall object to/from XML so that it
can be serialized to disk (in a virNetworkObj's status file) and
restored later (e.g. after libvirtd/virtnetworkd is restarted).
Signed-off-by: Laine Stump
---
src/libvirt_private.syms | 2 +
src/util/virfirewall.c | 219
meson with "-Dfirewall_backend=iptables" during their official
package build.
In the extremely unlikely case that this causes a problem for a user,
they can work around the failure by adding " to
the guest element.
Signed-off-by: Laine Stump
---
meson_options.txt | 2 +-
1 file chang
This makes it possible to uninstall iptables, as long as nftables is
installed.
Signed-off-by: Laine Stump
---
libvirt.spec.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 05f7a7e7c0..55f32172b3 100644
--- a/libvirt.spec.in
+++ b
() rather than cluttering up the argument list on the
entire call chain.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/util/virfirewall.c | 28 +---
1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/src/util/virfirewall.c b/src/util/virf
no longer need iptables or iptables at build time, we can
also drop the BuildRequires for them from the rpm specfile.
Inspired-by: 6aa2fa38b04b802f137e51ebbeb4ca9b67487575
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
libvirt.spec.in | 2 --
meson.build
to perform the firewall removal.
Signed-off-by: Laine Stump
---
src/conf/virnetworkobj.c| 1 +
src/network/bridge_driver.c | 8 +++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/conf/virnetworkobj.c b/src/conf/virnetworkobj.c
index f5db4c5804..19305798cb 100644
onf.in at build time,
and the advertised default setting of firewall_backend (in a commented
out line) is set from the meson_options.txt setting
"firewall_backend". This way the conf file will have correct
information no matter what default backend is chosen at build time.
Signed-off-by: Lain
k.
Signed-off-by: Laine Stump
---
src/libvirt_private.syms | 1 +
src/util/virfirewall.c | 59
src/util/virfirewall.h | 1 +
3 files changed, 61 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 9e16ae4225..42d2f94
firewall, we can just run those commands.
This isn't yet used anywhere, since
VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK isn't being set.
Signed-off-by: Laine Stump
---
src/util/virfirewall.c | 55 --
1 file changed, 48 insertions(+), 7 deletions(-)
diff --git a/src
This will be used to label (via "name='blah'") a firewall when it is
formatted to XML and written to the network status.
Signed-off-by: Laine Stump
---
src/libvirt_private.syms | 2 ++
src/util/virfirewall.c | 20 +++-
src/util/virfirewall.h | 2 ++
3 files c
is in the code).
Signed-off-by: Laine Stump
---
src/libvirt_private.syms | 3 +++
src/network/network_iptables.c| 6 +++---
src/nwfilter/nwfilter_ebiptables_driver.c | 16
src/util/virebtables.c| 4 ++--
src/util/virfirewall.c
This file is generated from network.conf.in because it will soon have
an item that must be modified according to meson buildtime config.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
libvirt.spec.in | 3 ++
src/network/libvirtd_network.aug
y argument to specify backend).
(If it turns out to be significant, we could optimize this by checking
for chainInitDone outside the lock guard, returning immediately if
it's already set, and then moving the setting of chainInitDone up to
the top of the guarded section.)
Signed-off-by: Laine Stump
Flags() API),
and 2) add a new command to the current group's rollback command list (with
the new virFirewallAddRollbackCmd()).
We will actually use this capability in an upcoming patch.
Signed-off-by: Laine Stump
---
src/libvirt_private.syms | 1 +
src/util/virfirewall.c | 55
for the network when it is destroyed.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/network/network_iptables.c | 15 +++
1 file changed, 3 insertions(+), 12 deletions(-)
diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c
index db35a4c5a0..467d43c1e9
* renamed the chains to be more descriptive, and lower case rather
than all caps. (new patch 29)
* eliminated all the guest->host and host->guest rules since they are
redundant in nftables. (new patch 30)
Laine Stump (30):
util/network: move viriptables.[ch] from util to network directory
n
the values to IPTABLES_ACTION_*, and taking
advantage of the newly defined (via VIR_ENUM_DECL/IMPL)
iptablesActionTypeToString() to replace all the ternary operators used
to translate the enum into a string for the iptables commandline with
iptablesActionTypeToString().
Signed-off-by: Laine Stump
at the same time). We can just as well add in the
-w/--concurrent during virFirewallApplyCmd, so move the arg-add to
ApplyCmd to keep AddCmd simple.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/util/virfirewall.c | 27 +--
1 file changed, 13 insertions(+), 14
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/network/network_iptables.c | 51 +++---
1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c
index 697ad5d8d6..ac3e60b79f
Now that the toplevel iptables functions have been moved out of the
linux bridge driver into network_iptables.c, all of the utility
functions are used only within that same file, so simplify it.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/network/network_iptables.c | 52
-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
po/POTFILES | 2 +-
src/libvirt_private.syms | 31 ---
src/network/bridge_driver_linux.c | 2 +-
src/network/meson.build | 1
permanently check for it.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/util/virfirewall.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 902cb8e445..1897a66070 100644
--- a/src/util/virfirewall.c
+++ b/src/util
-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/network/bridge_driver_linux.c | 556 +
src/network/network_iptables.c| 562 +-
src/network/network_iptables.h| 7 +-
3 files changed, 574 insertions(+), 551 deletions(-)
diff
On 4/25/24 1:22 PM, Daniel P. Berrangé wrote:
On Thu, Apr 25, 2024 at 01:38:06AM -0400, Laine Stump wrote:
V2:
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/5RTZ6PC3N3CO6X353QUHLVOL43SWQ4JD/
This patch series enables libvirt to use nftables rules rather than
iptables
On 4/26/24 6:24 AM, Daniel P. Berrangé wrote:
On Thu, Apr 25, 2024 at 06:22:33PM +0100, Daniel P. Berrangé wrote:
On Thu, Apr 25, 2024 at 01:38:06AM -0400, Laine Stump wrote:
V2:
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/5RTZ6PC3N3CO6X353QUHLVOL43SWQ4JD
On 4/25/24 12:30 PM, Daniel P. Berrangé wrote:
On Thu, Apr 25, 2024 at 01:38:18AM -0400, Laine Stump wrote:
It still can have only one useful value ("iptables"), but once a 2nd
value is supported, it will be selectable by setting
"firewall_backend=nftables" in /etc/
On 4/25/24 12:33 PM, Daniel P. Berrangé wrote:
On Thu, Apr 25, 2024 at 01:38:26AM -0400, Laine Stump wrote:
This virFirewall object will store the list of actions required to
remove the firewall that was added for the currently active instance
of the network, so it has been named "fwRe
, where you can find them at:
https://gitlab.com/lainestump/libvirt/tree/nftrereboot-7
or alternately, just change the 2nd "IPTABLES" above to "NFTABLES" in
patch 24/27.
w
On 4/25/24 1:38 AM, Laine Stump wrote:
V2:
https://lists.libvirt.org/archives/list/devel@list
.
Signed-off-by: Laine Stump
---
Change from V2:
* add in the chunk about looking for "-ae" option that had been
accidentally put in patch 16.
.../{base.args => base.iptables} | 0
tests/networkxml2firewalldata/base.nftables | 256 ++
...-linux.args =
ior
between the iptables and nftables backends is that noted in item (2)
above, we could instead decide to make nftables the default backend
rather than iptables - it all depends on how important it is to work
properly on 15 year old guest OSes using DHCP with virtio-net
interfaces).
Signed-off-by:
onf.in at build time,
and the advertised default setting of firewall_backend (in a commented
out line) is set from the meson_options.txt setting
"firewall_backend". This way the conf file will have correct
information no matter what default backend is chosen at build time.
Signed-off-by: Lain
libvirtd/virtnetworkd will remove all the
rules that had been previously added (based on the network status),
and then add new rules (saving the new removal commands back into the
network status)
Signed-off-by: Laine Stump
==
NB: the current implementation saves only the commands necessary
no longer need iptables or iptables at build time, we can
also drop the BuildRequires for them from the rpm specfile.
Inspired-by: 6aa2fa38b04b802f137e51ebbeb4ca9b67487575
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
Change from V2:
* This was 2 patches in V2 (22 & 23), combined
meson with "-Dfirewall_backend=iptables" during their official
package build.
In the extremely unlikely case that this causes a problem for a user,
they can work around the failure by adding " to
the guest element.
Signed-off-by: Laine Stump
---
Change from V2:
* greatly simplif
This makes it possible to uninstall iptables, as long as nftables is
installed.
Signed-off-by: Laine Stump
---
Change from V2:
* Require one or the other instead of recommending both.
libvirt.spec.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libvirt.spec.in b
to perform the firewall removal.
Signed-off-by: Laine Stump
---
src/conf/virnetworkobj.c| 1 +
src/network/bridge_driver.c | 8 +++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/conf/virnetworkobj.c b/src/conf/virnetworkobj.c
index fef4c69004..228d0a6585 100644
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/network/network_iptables.c | 51 +++---
1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c
index 697ad5d8d6..ac3e60b79f
firewall, we can just run those commands.
This isn't yet used anywhere, since
VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK isn't being set.
Signed-off-by: Laine Stump
---
Change from V2:
* change VIR_IPTABLES_ARG_IS_INSERT to VIR_IPTABLES_ARG_IS_CREATE
src/util/virfirewall.c | 55
These functions convert a virFirewall object to/from XML so that it
can be serialized to disk (in a virNetworkObj's status file) and
restored later (e.g. after libvirtd/virtnetworkd is restarted).
Signed-off-by: Laine Stump
---
Change from V2:
* report nargs == 0 as an error rather than
ses of the fwRemoval object in the virNetworkObj yet,
but everything is in place to add it to the XML when formatted, parse
it from the XML when reading network status, and free the virFirewall
object when the virNetworkObj is freed.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
C
This will be used to label (via "name='blah'") a firewall when it is
formatted to XML and written to the network status.
Signed-off-by: Laine Stump
---
This is new in V3.
src/libvirt_private.syms | 2 ++
src/util/virfirewall.c | 20 +++-
src/util/virfirewall.h
y argument to specify backend).
(If it turns out to be significant, we could optimize this by checking
for chainInitDone outside the lock guard, returning immediately if
it's already set, and then moving the setting of chainInitDone up to
the top of the guarded section.)
Signed-off-by: Laine Stump
This file is generated from network.conf.in because it will soon have
an item that must be modified according to meson buildtime config.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
libvirt.spec.in | 3 ++
src/network/libvirtd_network.aug
permanently check for it.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
src/util/virfirewall.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 902cb8e445..1897a66070 100644
--- a/src/util/virfirewall.c
+++ b/src/util
Flags() API),
and 2) add a new command to the current group's rollback command list (with
the new virFirewallAddRollbackCmd()).
We will actually use this capability in an upcoming patch.
Signed-off-by: Laine Stump
---
src/libvirt_private.syms | 1 +
src/util/virfirewall.c | 55