On Thu, Dec 11, 2025 at 03:00:53PM +0100, Dion Bosschieter wrote:
> Change the nwfilter driver loading mechanism to read from nwfilter.conf.
> By default, it will use the nftables driver, which follows the
> firewall_backend bridge driver config logic.
>
> Added nftables to *filter_tech_drivers as an available driver option
> for users to choose from.
>
> Signed-off-by: Dion Bosschieter <[email protected]>
> ---
>  po/POTFILES                                |   1 +
>  src/conf/virnwfilterobj.h                  |  20 --
>  src/nwfilter/libvirtd_nwfilter.aug         |  37 ++++
>  src/nwfilter/meson.build                   |  37 ++++
>  src/nwfilter/nwfilter.conf.in              |  26 +++
>  src/nwfilter/nwfilter_driver.c             |  66 +++---
>  src/nwfilter/nwfilter_driver_conf.c        | 210 +++++++++++++++++++++
>  src/nwfilter/nwfilter_driver_conf.h        |  66 +++++++
>  src/nwfilter/nwfilter_ebiptables_driver.h  |   2 +-
>  src/nwfilter/nwfilter_gentech_driver.c     |  63 +++---
>  src/nwfilter/nwfilter_gentech_driver.h     |   5 +-
>  src/nwfilter/nwfilter_tech_driver.c        |   1 -
>  src/nwfilter/nwfilter_tech_driver.h        |   1 +
>  src/nwfilter/test_libvirtd_nwfilter.aug.in |   5 +

The two augeas files and nwfilter.conf also need adding to the
libvirt.spec.in %files list. Take a look at where it's done for the
network driver and mirror that.

> diff --git a/src/nwfilter/nwfilter.conf.in b/src/nwfilter/nwfilter.conf.in
> new file mode 100644
> index 0000000000..8ed5cbaa53
> --- /dev/null
> +++ b/src/nwfilter/nwfilter.conf.in
> @@ -0,0 +1,26 @@
> +# Master configuration file for the nwfilter driver.
> +# All settings described here are optional - if omitted, sensible
> +# defaults are used.
> +
> +# nwfilter_driver:
> +#
> +# determines which driver to use to setup nwfilter firewall rules
> +#
> +# Supported settings:
> +#
> +# iptables - use ebtables and iptables commands to construct the user
> +# defined firewall
> +# nftables - use nft commands to construct the user defined firewall
> +#
> +# If nwfilter_driver isn't configured, libvirt will choose the
> +# first available backend from the following list:
> +#
> +# [@FIREWALL_BACKEND_PRIORITY@]
> +#
> +# (NB: switching from one backend to another while there are active
> +# virtual networks *isn't* supported. The change will take place the
> +# next time that libvirtd/virtnetworkd is restarted - all existing
> +# firewalls remain, and have to be cleaned up manually
> +# reloaded using the new backend.)
> +#
> +#nwfilter_driver = "@FIREWALL_BACKEND@"

This entire config file is about nwfilter, so parameters should not
include 'nwfilter' in their name. Let's call this 'firewall_backend' to
match network.conf exactly. Renaming it will also need updates to the
augeas files & source code.

> diff --git a/src/nwfilter/nwfilter_ebiptables_driver.h b/src/nwfilter/nwfilter_ebiptables_driver.h
> index cb146f9f97..dfaea5af3d 100644
> --- a/src/nwfilter/nwfilter_ebiptables_driver.h
> +++ b/src/nwfilter/nwfilter_ebiptables_driver.h
> @@ -27,6 +27,6 @@
>
>  extern virNWFilterTechDriver ebiptables_driver;
>
> -#define EBIPTABLES_DRIVER_ID "ebiptables"
> +#define EBIPTABLES_DRIVER_ID "iptables"

I was going to suggest we called the config param 'ebiptables', but
that would mean a new meson_options.txt entry and diverge from the
network driver. In retrospect we probably should have called it
'xtables', but we can live with 'iptables' so that's OK.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
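Review bot: in the nwfilter.conf.in hunk, the "(NB: ...)" paragraph near the end was carried over from network.conf and still talks about "active virtual networks" and "libvirtd/virtnetworkd", but this file configures the nwfilter driver, so the caveat should be stated in nwfilter terms (guest interfaces with filters applied, and libvirtd/virtnwfilterd as the daemon to restart). The same sentence reads "have to be cleaned up manually reloaded using the new backend" with no conjunction; suggest "have to be cleaned up manually or reloaded using the new backend.)". Separately, the "If nwfilter_driver isn't configured" text says libvirt picks the first available backend from the @FIREWALL_BACKEND_PRIORITY@ list, while the commit message says the default is the nftables driver; make the two descriptions agree so users know whether auto-detection or a fixed default applies.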
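Review bot: in the nwfilter_ebiptables_driver.h hunk, the macro EBIPTABLES_DRIVER_ID now carries the value "iptables", so its name no longer describes its contents, and this string is the user-visible keyword documented under "Supported settings" in nwfilter.conf.in, so the two must not drift apart. Suggest either renaming the macro to match the value or adding a comment above the #define stating that the string is the config-file keyword shared with the network driver's firewall_backend option. While touching this, check that nwfilter_gentech_driver.c (changed in the diffstat) compares the parsed config value against this constant rather than against a second literal, so a future rename only has one place to change.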
