On Tue, Apr 30, 2024 at 01:44:18PM -0400, Laine Stump wrote:
> Because the chains added by the network driver nftables backend will
> go into a table used only by libvirt, we don't need to have "libvirt"
> in the chain names. Instead, we can make them more descriptive and
> less abrasive (by using lower case, and using full words rather than
> abbreviations).
> 
> Also (again because nobody else is using the private "libvirt_network"
> table) we can directly put our rules into the input ("guest_to_host"),
> output ("host_to_guest"), and postrouting ("guest_nat") chains rather
> than creating a subordinate chain as done in the iptables backend.
> 
> Signed-off-by: Laine Stump <la...@redhat.com>
> ---
>  src/network/network_nftables.c                | 30 ++++-----
>  .../nat-default-linux.nftables                | 36 +++++-----
>  .../nat-ipv6-linux.nftables                   | 58 ++++++++--------
>  .../nat-ipv6-masquerade-linux.nftables        | 66 +++++++++----------
>  .../nat-many-ips-linux.nftables               | 64 +++++++++---------
>  .../nat-no-dhcp-linux.nftables                | 58 ++++++++--------
>  .../nat-tftp-linux.nftables                   | 40 +++++------
>  .../route-default-linux.nftables              | 26 ++++----
>  8 files changed, 188 insertions(+), 190 deletions(-)
> 
> diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c
> index ec9194a8b8..fd0d0f82dc 100644
> --- a/src/network/network_nftables.c
> +++ b/src/network/network_nftables.c
> @@ -40,12 +40,13 @@ VIR_LOG_INIT("network.nftables");
>  
>  #define VIR_FROM_THIS VIR_FROM_NONE
>  
> -#define VIR_NFTABLES_INPUT_CHAIN "LIBVIRT_INP"
> -#define VIR_NFTABLES_OUTPUT_CHAIN "LIBVIRT_OUT"
> -#define VIR_NFTABLES_FWD_IN_CHAIN "LIBVIRT_FWI"
> -#define VIR_NFTABLES_FWD_OUT_CHAIN "LIBVIRT_FWO"
> -#define VIR_NFTABLES_FWD_X_CHAIN "LIBVIRT_FWX"
> -#define VIR_NFTABLES_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT"
> +#define VIR_NFTABLES_INPUT_CHAIN "guest_to_host"
> +#define VIR_NFTABLES_OUTPUT_CHAIN "host_to_guest"
> +#define VIR_NFTABLES_FORWARD_CHAIN "forward"
> +#define VIR_NFTABLES_FWD_IN_CHAIN "guest_input"
> +#define VIR_NFTABLES_FWD_OUT_CHAIN "guest_output"
> +#define VIR_NFTABLES_FWD_X_CHAIN "guest_cross"
> +#define VIR_NFTABLES_NAT_POSTROUTE_CHAIN "guest_nat"
>  
>  /* we must avoid using the standard "filter" table as used by
>   * iptables, as any subsequent attempts to use iptables commands will
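Review bot: the macro names are now inconsistent with the rationale the commit message gives for the chain names. VIR_NFTABLES_FORWARD_CHAIN (new) is spelled out in full, while VIR_NFTABLES_FWD_IN_CHAIN, VIR_NFTABLES_FWD_OUT_CHAIN and VIR_NFTABLES_FWD_X_CHAIN keep the abbreviations even though their string values change to "guest_input", "guest_output" and "guest_cross". If the abbreviations are going, consider renaming those three macros in the same patch (e.g. VIR_NFTABLES_FORWARD_IN_CHAIN) so the C identifiers and the chain names they hold follow one convention; at minimum the commit message should mention that VIR_NFTABLES_FORWARD_CHAIN is a new constant, since the rest of the message only describes renames.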
> @@ -87,18 +88,15 @@ typedef struct {
>  
>  nftablesGlobalChain nftablesChains[] = {
>      /* chains for filter rules */
> -    {NULL, "INPUT", "{ type filter hook input priority 0; policy accept; }"},
> -    {NULL, "FORWARD", "{ type filter hook forward priority 0; policy accept; 
> }"},
> -    {NULL, "OUTPUT", "{ type filter hook output priority 0; policy accept; 
> }"},
> -    {"INPUT", VIR_NFTABLES_INPUT_CHAIN, NULL},
> -    {"OUTPUT", VIR_NFTABLES_OUTPUT_CHAIN, NULL},
> -    {"FORWARD", VIR_NFTABLES_FWD_OUT_CHAIN, NULL},
> -    {"FORWARD", VIR_NFTABLES_FWD_IN_CHAIN, NULL},
> -    {"FORWARD", VIR_NFTABLES_FWD_X_CHAIN, NULL},
> +    {NULL, VIR_NFTABLES_INPUT_CHAIN, "{ type filter hook input priority 0; 
> policy accept; }"},
> +    {NULL, VIR_NFTABLES_FORWARD_CHAIN, "{ type filter hook forward priority 
> 0; policy accept; }"},
> +    {NULL, VIR_NFTABLES_OUTPUT_CHAIN, "{ type filter hook output priority 0; 
> policy accept; }"},
> +    {"forward", VIR_NFTABLES_FWD_OUT_CHAIN, NULL},
> +    {"forward", VIR_NFTABLES_FWD_IN_CHAIN, NULL},
> +    {"forward", VIR_NFTABLES_FWD_X_CHAIN, NULL},

The first arg should use the constant VIR_NFTABLES_FORWARD_CHAIN in these
three lines

>  
>      /* chains for NAT rules */
> -    {NULL, "POSTROUTING", "{ type nat hook postrouting priority 100; policy 
> accept; }"},
> -    {"POSTROUTING",  VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL},
> +    {NULL, "guest_nat", "{ type nat hook postrouting priority 100; policy 
> accept; }"},
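Review bot: beyond the literal "forward" / "guest_nat" strings, this hunk changes what kind of chain three of the constants refer to, and that has lifecycle consequences that the patch does not mention. Previously VIR_NFTABLES_INPUT_CHAIN, VIR_NFTABLES_OUTPUT_CHAIN and VIR_NFTABLES_NAT_POSTROUTE_CHAIN named regular chains reached by a jump from a base chain; with the `{"INPUT", ...}`, `{"OUTPUT", ...}` and `{"POSTROUTING", ...}` entries removed they now name the base chains themselves (type filter hook input/output, type nat hook postrouting). Any code in this file that flushes or deletes those chains on network stop or driver reload should be checked: flushing a base chain is fine, but deleting it detaches the hook, whereas deleting the old subordinate chain left the hook in place. The hook priorities (0 for filter, 100 for postrouting) and `policy accept` are carried over unchanged, so the private table still never rejects traffic by default; it would be worth a sentence in the commit message stating that this is intentional.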


The second line should use the constant VIR_NFTABLES_NAT_POSTROUTE_CHAIN


With those changed

Reviewed-by: Daniel P. Berrangé <berra...@redhat.com>


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
_______________________________________________
Devel mailing list -- devel@lists.libvirt.org
To unsubscribe send an email to devel-le...@lists.libvirt.org
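As an added illustration (not libvirt's own code or output), the following script renders the chain layout that the commit message and the quoted `nftablesChains[]` hunk describe: four base chains that carry rules directly, plus three regular chains reached by jumps from `forward`. The table family (`inet`) and the use of plain `jump` rules inside the `forward` chain are assumptions, as the quoted hunks do not show how libvirt emits the jumps. The helper functions let you confirm the two properties a reviewer cares about here: that every base chain uses `policy accept`, and that exactly three jump targets hang off `forward`.

```shell
#!/bin/sh
# Example ruleset mirroring the chain names from the patch. Assumed:
# table family "inet" and jump rules written inline in "forward".

libvirt_network_ruleset() {
    cat <<'EOF'
table inet libvirt_network {
    # Base chains: rules are added here directly, no subordinate chain.
    chain guest_to_host { type filter hook input priority 0; policy accept; }
    chain host_to_guest { type filter hook output priority 0; policy accept; }
    chain guest_nat     { type nat hook postrouting priority 100; policy accept; }

    # The forward base chain dispatches to three regular chains,
    # in the order the nftablesChains[] array lists them.
    chain forward {
        type filter hook forward priority 0; policy accept;
        jump guest_output
        jump guest_input
        jump guest_cross
    }

    # Regular chains: no "type ... hook ..." line, so not attached to a hook.
    chain guest_output { }
    chain guest_input  { }
    chain guest_cross  { }
}
EOF
}

# Number of chains attached to a netfilter hook (base chains).
base_chain_count() {
    libvirt_network_ruleset | grep -c 'type [a-z]* hook '
}

# Number of base chains whose default verdict is not accept.
non_accept_policy_count() {
    libvirt_network_ruleset | grep 'type [a-z]* hook ' | grep -vc 'policy accept'
}

# Number of jump targets reached from the "forward" base chain.
forward_jump_count() {
    libvirt_network_ruleset | grep -c '^ *jump guest_'
}

# Dry-run the ruleset against the kernel if nft is installed and we are
# root; otherwise just report the static checks. nft -c needs netlink
# access, so this is skipped when it cannot run.
check_ruleset() {
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        libvirt_network_ruleset | nft -c -f -
    fi
    echo "base chains: $(base_chain_count)"
    echo "base chains without policy accept: $(non_accept_policy_count)"
    echo "jumps from forward: $(forward_jump_count)"
}
```

Run `check_ruleset` to print the counts; as root with `nft` installed it also asks the kernel to parse the ruleset without loading it. Because all base chains are `policy accept`, loading this table on its own changes nothing about what the host accepts or forwards until rules are added to the chains.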
