On Sun, Jul 13, 2025 at 01:57:03PM +0200, Roman Bogorodskiy wrote:
> Implement NAT networking support based on the Packet Filter (pf)
> firewall in FreeBSD. At this point, the implementation is very basic.
> It creates:
> 
>  - Essential NAT translation rules
>  - Basic forwarding rules
> 
> Implementation uses pf's anchor feature to group rules. All rules live
> in the "libvirt" anchor and every libvirt network has its own
> sub-anchor.
> 
> Currently there are some assumptions and limitations:
> 
>  - We assume that a user has created the "libvirt" (nat-)anchors. As
>    they cannot be created on the fly, it's better not to touch global pf
>    configuration and let the user do the changes. If the user doesn't
>    have these anchors configured, the rules will still be created in
>    sub-anchors, but will not be effective until these anchors are
>    activated. Should we check if these anchors are not active to
>    give some runtime warning?
> 
>  - Currently, rule reloading is not smart: it always deletes rules,
>    flushes rules and re-creates them. It would be better to do that
>    more gracefully.
> 
>  - IPv6 configurations are currently not supported
> 
>  - For NAT, pf requires an explicit IP address or an interface to NAT to.
>    We try to obtain that from the network XML definition, and if it's
>    not specified, we try to determine the interface corresponding to the
>    default route.
> 
> Signed-off-by: Roman Bogorodskiy <bogorods...@gmail.com>
> ---
>  meson.build                       |   2 +
>  po/POTFILES                       |   1 +
>  src/network/bridge_driver_conf.c  |   4 +
>  src/network/bridge_driver_linux.c |   2 +
>  src/network/meson.build           |   4 +
>  src/network/network_pf.c          | 326 ++++++++++++++++++++++++++++++
>  src/network/network_pf.h          |  26 +++
>  src/util/virfirewall.c            |   4 +-
>  src/util/virfirewall.h            |   2 +
>  9 files changed, 370 insertions(+), 1 deletion(-)
>  create mode 100644 src/network/network_pf.c
>  create mode 100644 src/network/network_pf.h

Reviewed-by: Daniel P. Berrangé <berra...@redhat.com>


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
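The commit message above describes two things a practitioner will want to see concretely: the shape of the NAT and forwarding rules that land in a per-network sub-anchor, and the stated caveat that those rules stay inert unless the host's pf.conf references the "libvirt" anchors. The following shell script is an added example written for this review thread; it is not code from the libvirt patch. The exact rule text, the anchor names `libvirt` / `libvirt/*`, and the `libvirt_pf_rules` / `pf_conf_has_libvirt_anchors` function names are assumptions based on the commit message, and the sample pf.conf contents are constructed. It generates the rules for one network and implements the pre-flight check the author asks about (warning when the anchors are not wired into the global configuration).

```shell
#!/bin/sh
# Added example (not part of the libvirt patch): build the pf rules a
# per-network sub-anchor would hold, and check that a pf.conf actually
# references the "libvirt" anchors so those sub-anchor rules take effect.
# Rule shape and anchor names are assumptions drawn from the commit message.

# Print NAT + forwarding rules for one libvirt network.
#   $1 network name, $2 bridge interface, $3 IPv4 subnet (CIDR),
#   $4 outbound interface whose address is used for NAT
libvirt_pf_rules() {
    net="$1"; br="$2"; subnet="$3"; natif="$4"
    # Essential NAT translation rule: source-translate guest traffic to
    # the outbound interface's address (pf needs an explicit address or
    # interface here, as the commit message notes).
    printf 'nat on %s inet from %s to any -> (%s)\n' "$natif" "$subnet" "$natif"
    # Basic forwarding rules: guest traffic enters via the bridge and
    # leaves via the NAT interface; nothing else is opened.
    printf 'pass in on %s inet from %s to any\n' "$br" "$subnet"
    printf 'pass out on %s inet from %s to any\n' "$natif" "$subnet"
    # IPv6 is deliberately not handled, matching the patch's stated limitation.
}

# Return 0 when the given pf.conf references both the nat-anchor and the
# filter anchor for "libvirt" (plain or with the "/*" sub-anchor wildcard),
# else 1. Commented-out lines do not count.
pf_conf_has_libvirt_anchors() {
    conf="$1"
    grep -Eq '^[[:space:]]*nat-anchor[[:space:]]+"libvirt(/\*)?"' "$conf" || return 1
    grep -Eq '^[[:space:]]*anchor[[:space:]]+"libvirt(/\*)?"' "$conf" || return 1
    return 0
}

# Constructed sample pf.conf files (not a real host's config) to exercise the check.
PF_OK=$(mktemp)
cat > "$PF_OK" <<'EOF'
# constructed sample: host pf.conf that delegates to libvirt's anchors
set skip on lo0
nat-anchor "libvirt/*"
anchor "libvirt/*"
pass all
EOF

PF_MISSING=$(mktemp)
cat > "$PF_MISSING" <<'EOF'
# constructed sample: nat-anchor present but the filter anchor is commented out
nat-anchor "libvirt/*"
# anchor "libvirt/*"
pass all
EOF

if pf_conf_has_libvirt_anchors "$PF_OK"; then
    echo "sample OK config references the libvirt anchors"
fi
pf_conf_has_libvirt_anchors "$PF_MISSING" \
    || echo "warning: libvirt anchors not referenced; sub-anchor rules would be inert"

# On FreeBSD the rules would be loaded into the per-network sub-anchor with
# something like (not executed here):
#   libvirt_pf_rules default virbr0 192.168.122.0/24 em0 | pfctl -a libvirt/default -f -
libvirt_pf_rules default virbr0 192.168.122.0/24 em0
```

The check only inspects the configuration file; on a live host, `pfctl -s Anchors` would confirm that the anchors are actually loaded, which is the runtime warning the commit message contemplates.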
