On 8/13/25 19:00, Roman Bogorodskiy wrote:
> Add BSD-specific platform flavor of the bridge driver which will be used
> as a base for Packet Filter (pf) based NAT networking implementation.
> 
> Signed-off-by: Roman Bogorodskiy <bogorods...@gmail.com>
> ---
>  po/POTFILES                          |   1 +
>  src/network/bridge_driver_bsd.c      | 114 +++++++++++++++++++++++++++
>  src/network/bridge_driver_conf.c     |   4 +
>  src/network/bridge_driver_platform.c |   2 +
>  4 files changed, 121 insertions(+)
>  create mode 100644 src/network/bridge_driver_bsd.c
> 
> diff --git a/po/POTFILES b/po/POTFILES
> index 084f60ba00..dc7293d0cd 100644
> --- a/po/POTFILES
> +++ b/po/POTFILES
> @@ -145,6 +145,7 @@ src/lxc/lxc_hostdev.c
>  src/lxc/lxc_native.c
>  src/lxc/lxc_process.c
>  src/network/bridge_driver.c
> +src/network/bridge_driver_bsd.c
>  src/network/bridge_driver_conf.c
>  src/network/bridge_driver_linux.c
>  src/network/bridge_driver_nop.c
> diff --git a/src/network/bridge_driver_bsd.c b/src/network/bridge_driver_bsd.c
> new file mode 100644
> index 0000000000..5914300763
> --- /dev/null
> +++ b/src/network/bridge_driver_bsd.c
> @@ -0,0 +1,114 @@
> +/*
> + * Copyright (C) 2025 FreeBSD Foundation
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2.1 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library.  If not, see
> + * <http://www.gnu.org/licenses/>.
> + */
> +
> +#include <config.h>
> +
> +#include "virlog.h"
> +#include "network_pf.h"
> +
> +#define VIR_FROM_THIS VIR_FROM_NONE
> +
> +VIR_LOG_INIT("network.bridge_driver_bsd");
> +
> +static virErrorPtr errInitV4;
> +static virErrorPtr errInitV6;
> +
> +void networkPreReloadFirewallRules(virNetworkDriverState *driver 
> G_GNUC_UNUSED,
> +                                   bool startup G_GNUC_UNUSED,
> +                                   bool force G_GNUC_UNUSED)
> +{
> +}
> +
> +
> +void networkPostReloadFirewallRules(bool startup G_GNUC_UNUSED)
> +{
> +}
> +
> +
> +int networkCheckRouteCollision(virNetworkDef *def G_GNUC_UNUSED)
> +{
> +    return 0;
> +}
> +
> +int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED,
> +                            virFirewallBackend firewallBackend,
> +                            virFirewall **fwRemoval G_GNUC_UNUSED)
> +{
> +    if (def->bridgeZone) {
> +        virReportError(VIR_ERR_INTERNAL_ERROR,
> +                       _("zone %1$s requested for network %2$s but firewalld 
> is not supported on BSD"),
> +                       def->bridgeZone, def->name);
> +        return -1;
> +    }
> +
> +    if (def->forward.type == VIR_NETWORK_FORWARD_OPEN) {
> +        VIR_DEBUG("No firewall rules to add for mode='open' network '%s'", 
> def->name);
> +    } else {
> +        VIR_DEBUG("Adding firewall rules for mode='%s' network '%s' using 
> %s",
> +                  virNetworkForwardTypeToString(def->forward.type),
> +                  def->name,
> +                  virFirewallBackendTypeToString(firewallBackend));
> +
> +        if (errInitV4 &&
> +            (virNetworkDefGetIPByIndex(def, AF_INET, 0) ||
> +             virNetworkDefGetRouteByIndex(def, AF_INET, 0))) {
> +            virSetError(errInitV4);
> +            return -1;
> +        }
> +
> +        if (errInitV6 &&
> +            (virNetworkDefGetIPByIndex(def, AF_INET6, 0) ||
> +             virNetworkDefGetRouteByIndex(def, AF_INET6, 0) ||
> +             def->ipv6nogw)) {
> +            virSetError(errInitV6);
> +            return -1;
> +        }

Both of these blocks are dead code pretty much. In _linux.c these global
variables can be set, but here they are never set. Just drop them.

> +
> +        /* now actually add the rules */
> +        switch (firewallBackend) {
> +        case VIR_FIREWALL_BACKEND_NONE:
> +            virReportError(VIR_ERR_NO_SUPPORT, "%s",
> +                           _("No firewall backend is available"));
> +            return -1;
> +
> +        case VIR_FIREWALL_BACKEND_PF:
> +            return pfAddFirewallRules(def);
> +
> +        case VIR_FIREWALL_BACKEND_IPTABLES:
> +        case VIR_FIREWALL_BACKEND_NFTABLES:
> +        case VIR_FIREWALL_BACKEND_LAST:
> +            virReportEnumRangeError(virFirewallBackend, firewallBackend);
> +            return -1;
> +        }
> +    }
> +    return 0;
> +}
> +
> +void
> +networkRemoveFirewallRules(virNetworkObj *obj,
> +                           bool unsetZone G_GNUC_UNUSED)
> +{
> +    virNetworkDef *def = virNetworkObjGetDef(obj);
> +    if (def->forward.type == VIR_NETWORK_FORWARD_OPEN) {

Nitpick: separate the variable declaration block from the code block with an
empty line.

> +        VIR_DEBUG("No firewall rules to remove for mode='open' network '%s'",
> +                  def->name);
> +        return;
> +    }
> +
> +    pfRemoveFirewallRules(def);
> +}
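Review bot: The `def` parameter of networkAddFirewallRules is tagged `G_GNUC_UNUSED` yet is dereferenced on every path (`def->bridgeZone`, `def->forward.type`, `def->name`), so the attribute is misleading and should be dropped from that parameter: `int networkAddFirewallRules(virNetworkDef *def,`. Separately, networkCheckRouteCollision returns 0 unconditionally, which turns the route-collision check the Linux driver performs into a silent no-op on BSD; a comment on the stub such as `/* Route collision detection is not implemented on BSD; always reports no collision. */` would keep callers from assuming the subnet was validated against the host routing table. It would also help to note on `fwRemoval` why the BSD variant never populates it, given that networkRemoveFirewallRules tears rules down via pfRemoveFirewallRules(def) directly, if that is intentional.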
> diff --git a/src/network/bridge_driver_conf.c 
> b/src/network/bridge_driver_conf.c
> index 309d64fa84..280c0f9c4f 100644
> --- a/src/network/bridge_driver_conf.c
> +++ b/src/network/bridge_driver_conf.c
> @@ -130,6 +130,10 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg 
> G_GNUC_UNUSED,
>          }
>  
>          case VIR_FIREWALL_BACKEND_PF: {
> +            g_autofree char *pfctlInPath = virFindFileInPath(PFCTL);
> +
> +            if (pfctlInPath)
> +                fwBackendSelected = true;
>              break;
>          }
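Review bot: When pfctl is not found in PATH the PF case falls to `break` with fwBackendSelected still false and emits no diagnostic naming pf, so if the caller's failure message (outside this hunk, as is the start of virNetworkLoadDriverConfig) is generic, a user who explicitly configured the pf backend will not learn that the missing pfctl binary is the cause. Consider `else VIR_DEBUG("pfctl binary '%s' not found in PATH", PFCTL);` in that branch, or leave it as is if this mirrors how the iptables/nftables cases, not visible here, behave.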
>  
> diff --git a/src/network/bridge_driver_platform.c 
> b/src/network/bridge_driver_platform.c
> index 9ddcb71063..42fbcdbc0b 100644
> --- a/src/network/bridge_driver_platform.c
> +++ b/src/network/bridge_driver_platform.c
> @@ -25,6 +25,8 @@
>  
>  #if defined(__linux__)
>  # include "bridge_driver_linux.c"
> +#elif defined(__FreeBSD__)
> +# include "bridge_driver_bsd.c"
>  #else
>  # include "bridge_driver_nop.c"
>  #endif
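Review bot: The new branch wires bridge_driver_bsd.c only for `__FreeBSD__`, so other BSD variants that also ship pf (OpenBSD, for one) keep falling to bridge_driver_nop.c despite the file's generic name. If that narrowing is deliberate, for instance because network_pf.c relies on FreeBSD-specific pfctl behaviour, a short comment on the `#elif` would stop the next reader from assuming the driver is BSD-wide: `#elif defined(__FreeBSD__) /* pf driver is only wired up for FreeBSD */`.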

Reviewed-by: Michal Privoznik <mpriv...@redhat.com>

Michal
