On a Sunday in 2023, Laine Stump wrote:
This patch series enables libvirt to use nftables rules rather than
iptables *when setting up virtual networks* (it does *not* add
nftables support to the nwfilter driver). It accomplishes this by
 getting these patches in.

[... 150 lines deleted ...]

Laine Stump (28):
 util: add -w/--concurrent when applying the rule rather than when
   building it
 util: new virFirewallRuleGet*() APIs
 util: determine ignoreErrors value when creating rule, not when
   applying
 util: rename iptables helpers that will become the frontend for
   ip&nftables
 util: move backend-agnostic virNetfilter*() functions to their own
   file
 util: make netfilter action a proper typedefed (virFirewall) enum
 util: #define the names used for private packet filter chains
 util: move/rename virFirewallApplyRuleDirect to
   virIptablesApplyFirewallRule
 util/network: reintroduce virFirewallBackend, but different
 network: add (empty) network.conf file to distribution files
 network: allow setting firewallBackend from network.conf
 network: do not add DHCP checksum mangle rule unless using iptables
 network: call backend agnostic function to init private filter chains
 util: setup functions in virnetfilter which will call appropriate
   backend
 build: add nft to the list of binaries we attempt to locate
 util: add nftables backend to virnetfilter API used by network driver
 tests: test cases for nftables backend
 util: new functions to support adding individual rollback rules
 util: check for 0 args when applying iptables rule
 util: implement rollback rule autosave for iptables backend
 util: implement rollback rule autosave for nftables backend
 network: turn on auto-rollback for the rules added for virtual
   networks
 util: new function virFirewallNewFromRollback()
 util: new functions virFirewallParseXML() and virFirewallFormat()
 conf: add a virFirewall object to virNetworkObj
 network: use previously saved list of firewall rules when removing
 network: save network status when firewall rules are reloaded
 network: improve log message when reloading virtual network firewall
   rules

libvirt.spec.in                               |   5 +
meson.build                                   |   1 +
po/POTFILES                                   |   2 +
src/conf/virnetworkobj.c                      |  40 +
src/conf/virnetworkobj.h                      |  11 +
src/libvirt_private.syms                      |  68 +-
src/network/bridge_driver.c                   |  40 +-
src/network/bridge_driver_conf.c              |  44 +
src/network/bridge_driver_conf.h              |   3 +
src/network/bridge_driver_linux.c             | 241 +++--
src/network/bridge_driver_nop.c               |   6 +-
src/network/bridge_driver_platform.h          |   6 +-
src/network/libvirtd_network.aug              |  39 +
src/network/meson.build                       |  11 +
src/network/network.conf                      |  24 +
src/network/test_libvirtd_network.aug.in      |   5 +
src/nwfilter/nwfilter_ebiptables_driver.c     |  16 +-
src/util/meson.build                          |   2 +
src/util/virebtables.c                        |   4 +-
src/util/virfirewall.c                        | 490 ++++++++--
src/util/virfirewall.h                        |  51 +-
src/util/viriptables.c                        | 762 ++++-----------
src/util/viriptables.h                        | 222 ++---
src/util/virnetfilter.c                       | 892 ++++++++++++++++++
src/util/virnetfilter.h                       | 159 ++++
src/util/virnftables.c                        | 698 ++++++++++++++
src/util/virnftables.h                        | 118 +++
.../{base.args => base.iptables}              |   0
tests/networkxml2firewalldata/base.nftables   | 256 +++++
...-linux.args => nat-default-linux.iptables} |   0
.../nat-default-linux.nftables                | 248 +++++
...pv6-linux.args => nat-ipv6-linux.iptables} |   0
.../nat-ipv6-linux.nftables                   | 384 ++++++++
...rgs => nat-ipv6-masquerade-linux.iptables} |   0
.../nat-ipv6-masquerade-linux.nftables        | 456 +++++++++
...linux.args => nat-many-ips-linux.iptables} |   0
.../nat-many-ips-linux.nftables               | 472 +++++++++
...-linux.args => nat-no-dhcp-linux.iptables} |   0
.../nat-no-dhcp-linux.nftables                | 384 ++++++++
...ftp-linux.args => nat-tftp-linux.iptables} |   0
.../nat-tftp-linux.nftables                   | 274 ++++++
...inux.args => route-default-linux.iptables} |   0
.../route-default-linux.nftables              | 162 ++++
tests/networkxml2firewalltest.c               |  56 +-
tests/virfirewalltest.c                       |  20 +-
45 files changed, 5718 insertions(+), 954 deletions(-)

Reviewed-by: Ján Tomko <jto...@redhat.com>

Jano
