On Tue, Feb 10, 2026 at 11:16:24AM +0100, Dion Bosschieter wrote:
> This series aims to implement nftables as a backend driver for
> the nwfilter feature. The idea is that eventually it will replace
> the ebiptables driver and provide an easy way for users to switch
> from one driver to another.
>
> The first 2 patches are function moves and renames, meant to decouple
> nwfilter from the currently only existing ebiptables driver.
I've pushed these first 2 patches with my suggested changes on
the 2nd patch, since they don't need to be held up.
> The 3rd patch introduces the new nwfilter driver. After which nwfilter allows
> users to choose it in the 4th patch.
>
> The last patch introduces unit testing of the new nftables driver.
So how are you testing the nwfilter driver operation?
I'm using the 'clean-traffic' filter on a test VM, and it is
still failing for the same reasons I reported against v2:
2026-02-12 11:43:22.544+0000: 2396575: debug : virCommandRun:2499 : Result
fatal signal 1, stdout: '' stderr: 'Error: conflicting statements
add rule bridge libvirt_nwfilter_ethernet n-vnet1-rarp-out ether saddr ==
52:54:00:36:96:f0 ether daddr == ff:ff:ff:ff:ff:ff ether type 0x8035 arp
operation 3 arp saddr ip 0.0.0.0/32 arp daddr ip 0.0.0.0/32 arp saddr ether
52:54:00:36:96:f0 arp daddr ether 52:54:00:36:96:f0 accept comment
"priority=500"
The ether address matches are repeated twice, with inconsistent
matches and different syntax, e.g.
ether saddr == 52:54:00:36:96:f0
ether daddr == ff:ff:ff:ff:ff:ff
vs
saddr ether 52:54:00:36:96:f0
daddr ether 52:54:00:36:96:f0
The 'daddr' difference is presumably what it does not like.
With regards,
Daniel
--
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
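As an added example (my code, not part of the patch series or of libvirt), here is a small Python pre-flight lint for generated nft rules of the shape quoted in the mail. It parses the one-line "add rule ..." command into match expressions, reports a key that is repeated outright (which nft rejects as conflicting), and reports what the mail points at: a MAC address role (saddr or daddr) matched both in the Ethernet header and in the ARP payload with different values. The list of recognised match keys is limited to the ones appearing in the quoted rule, the grouping of "ether daddr" with "arp daddr ether" is a linting heuristic of mine (nft itself treats them as distinct fields), and the throwaway table used for the optional "nft -c -f -" dry run is an assumption; the sample rule is reconstructed from the mail.

```python
"""Pre-flight lint for generated nft bridge/ARP rules (added example, not libvirt code)."""
from __future__ import annotations

import shutil
import subprocess
from dataclasses import dataclass

# Match keys this toy parser understands: a hypothetical subset chosen to cover the
# rule quoted in the mail. nft's real grammar is far larger.
KNOWN_KEYS = (
    "arp saddr ether", "arp daddr ether", "arp saddr ip", "arp daddr ip",
    "arp operation", "ether saddr", "ether daddr", "ether type",
)
# Tokens that end the match list of a rule.
VERDICTS = {"accept", "drop", "continue", "return", "jump", "goto", "comment"}

# Heuristic grouping: which keys describe the same address *role* in different headers.
ROLE_KEYS = {
    "saddr": ("ether saddr", "arp saddr ether"),
    "daddr": ("ether daddr", "arp daddr ether"),
}


@dataclass(frozen=True)
class Match:
    key: str    # e.g. "ether daddr"
    value: str  # e.g. "ff:ff:ff:ff:ff:ff"


def parse_matches(rule: str) -> list[Match]:
    """Extract (key, value) match expressions from 'add rule <family> <table> <chain> ...'."""
    words = rule.split()
    if words[:2] != ["add", "rule"] or len(words) < 5:
        raise ValueError("expected 'add rule <family> <table> <chain> ...'")
    i, matches = 5, []
    while i < len(words):
        if words[i] in VERDICTS:
            break
        for key in KNOWN_KEYS:
            n = len(key.split())
            if " ".join(words[i:i + n]) == key:
                i += n
                if i < len(words) and words[i] in ("==", "!="):  # operator is optional in nft
                    i += 1
                if i >= len(words):
                    raise ValueError(f"missing value for {key!r}")
                matches.append(Match(key, words[i]))
                i += 1
                break
        else:
            raise ValueError(f"unrecognised token {words[i]!r} at position {i}")
    return matches


def duplicate_keys(matches: list[Match]) -> dict[str, list[str]]:
    """Keys that occur more than once in one rule; nft reports these as conflicting."""
    seen: dict[str, list[str]] = {}
    for m in matches:
        seen.setdefault(m.key, []).append(m.value)
    return {k: v for k, v in seen.items() if len(v) > 1}


def inconsistent_roles(matches: list[Match]) -> dict[str, dict[str, str]]:
    """Address roles matched in both the Ethernet header and ARP payload with differing MACs."""
    by_key = {m.key: m.value for m in matches}
    out = {}
    for role, keys in ROLE_KEYS.items():
        present = {k: by_key[k] for k in keys if k in by_key}
        if len(present) > 1 and len(set(present.values())) > 1:
            out[role] = present
    return out


def nft_check(rule: str) -> tuple[bool, str]:
    """Dry-run the rule with 'nft -c' inside a throwaway table (needs the nft binary).

    Wrapping the rule in its own table/chain means the check does not depend on the
    table already existing in the kernel. Returns (accepted, stderr)."""
    words = rule.split()
    family, table, chain, body = words[2], words[3], words[4], " ".join(words[5:])
    script = f"table {family} {table} {{\n  chain {chain} {{\n    {body}\n  }}\n}}\n"
    nft = shutil.which("nft")
    if nft is None:
        return False, "nft binary not found"
    proc = subprocess.run([nft, "-c", "-f", "-"], input=script, text=True, capture_output=True)
    return proc.returncode == 0, proc.stderr.strip()


# Constructed sample: the rule from the mail, joined back onto one line.
RULE = ("add rule bridge libvirt_nwfilter_ethernet n-vnet1-rarp-out "
        "ether saddr == 52:54:00:36:96:f0 ether daddr == ff:ff:ff:ff:ff:ff "
        "ether type 0x8035 arp operation 3 arp saddr ip 0.0.0.0/32 arp daddr ip 0.0.0.0/32 "
        "arp saddr ether 52:54:00:36:96:f0 arp daddr ether 52:54:00:36:96:f0 "
        'accept comment "priority=500"')

if __name__ == "__main__":
    ms = parse_matches(RULE)
    print("duplicate keys:", duplicate_keys(ms))
    print("inconsistent roles:", inconsistent_roles(ms))
    print("nft -c:", nft_check(RULE))
```

Running it against the quoted rule reports no outright duplicate key but flags the daddr role: ether daddr is the broadcast address while arp daddr ether is the guest MAC, which is the inconsistency the mail describes. Whether nft accepts the rule at all is answered only by the nft_check dry run on a host with nft installed.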