1. Patchew
  2. Libvirt
  3. View series

[PATCH v3 00/27] [PATCH v3 00/27] native support for nftables in virtual network driver

Laine Stump posted 27 patches 1 week, 2 days ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20240425053833.1066517-1-laine@redhat.com
There is a newer version of this series
libvirt.spec.in                               |    7 +-
meson.build                                   |   10 +-
meson_options.txt                             |    1 +
po/POTFILES                                   |    3 +-
src/conf/virnetworkobj.c                      |   47 +
src/conf/virnetworkobj.h                      |   11 +
src/libvirt_private.syms                      |   59 +-
src/network/bridge_driver.c                   |   35 +-
src/network/bridge_driver_conf.c              |   64 +
src/network/bridge_driver_conf.h              |    3 +
src/network/bridge_driver_linux.c             |  630 +------
src/network/bridge_driver_nop.c               |    6 +-
src/network/bridge_driver_platform.h          |    6 +-
src/network/libvirtd_network.aug              |   39 +
src/network/meson.build                       |   36 +
src/network/network.conf.in                   |   28 +
src/network/network_iptables.c                | 1677 +++++++++++++++++
src/network/network_iptables.h                |   30 +
src/network/network_nftables.c                |  940 +++++++++
src/network/network_nftables.h                |   28 +
src/network/test_libvirtd_network.aug.in      |    5 +
src/nwfilter/nwfilter_ebiptables_driver.c     | 1004 +++++-----
src/util/meson.build                          |    1 -
src/util/virebtables.c                        |   36 +-
src/util/virfirewall.c                        |  820 ++++++--
src/util/virfirewall.h                        |   87 +-
src/util/viriptables.c                        | 1072 -----------
src/util/viriptables.h                        |  155 --
.../{base.args => base.iptables}              |    0
tests/networkxml2firewalldata/base.nftables   |  256 +++
...-linux.args => nat-default-linux.iptables} |    0
.../nat-default-linux.nftables                |  248 +++
...pv6-linux.args => nat-ipv6-linux.iptables} |    0
.../nat-ipv6-linux.nftables                   |  384 ++++
...rgs => nat-ipv6-masquerade-linux.iptables} |    0
.../nat-ipv6-masquerade-linux.nftables        |  456 +++++
...linux.args => nat-many-ips-linux.iptables} |    0
.../nat-many-ips-linux.nftables               |  472 +++++
...-linux.args => nat-no-dhcp-linux.iptables} |    0
.../nat-no-dhcp-linux.nftables                |  384 ++++
...ftp-linux.args => nat-tftp-linux.iptables} |    0
.../nat-tftp-linux.nftables                   |  274 +++
...inux.args => route-default-linux.iptables} |    0
.../route-default-linux.nftables              |  162 ++
tests/networkxml2firewalltest.c               |   56 +-
tests/virfirewalltest.c                       |  424 ++---
46 files changed, 7205 insertions(+), 2751 deletions(-)
create mode 100644 src/network/libvirtd_network.aug
create mode 100644 src/network/network.conf.in
create mode 100644 src/network/network_iptables.c
create mode 100644 src/network/network_iptables.h
create mode 100644 src/network/network_nftables.c
create mode 100644 src/network/network_nftables.h
create mode 100644 src/network/test_libvirtd_network.aug.in
delete mode 100644 src/util/viriptables.c
delete mode 100644 src/util/viriptables.h
rename tests/networkxml2firewalldata/{base.args => base.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/base.nftables
rename tests/networkxml2firewalldata/{nat-default-linux.args => nat-default-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-default-linux.nftables
rename tests/networkxml2firewalldata/{nat-ipv6-linux.args => nat-ipv6-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.nftables
rename tests/networkxml2firewalldata/{nat-ipv6-masquerade-linux.args => nat-ipv6-masquerade-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
rename tests/networkxml2firewalldata/{nat-many-ips-linux.args => nat-many-ips-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.nftables
rename tests/networkxml2firewalldata/{nat-no-dhcp-linux.args => nat-no-dhcp-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
rename tests/networkxml2firewalldata/{nat-tftp-linux.args => nat-tftp-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.nftables
rename tests/networkxml2firewalldata/{route-default-linux.args => route-default-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/route-default-linux.nftables
[PATCH v3 00/27] [PATCH v3 00/27] native support for nftables in virtual network driver
Posted by Laine Stump 1 week, 2 days ago 
V2: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/5RTZ6PC3N3CO6X353QUHLVOL43SWQ4JD/

This patch series enables libvirt to use nftables rules rather than
iptables *when setting up virtual networks* (it does *not* add
nftables support to the nwfilter driver).

I've added the Reviewed-by's from Daniel where given in V2 (as long as
I haven't made any non-trivial changes). That includes patches 1-9,
11-13, 16, 20, and 22.

Changes from V2 - mainly I've addressed the issues that Dan pointed
out in his reviews (details in each patch). Functionally the main changes are:

1) You can now choose whether iptables or nftables should be the
   default backend with the new meson option "firewall_backend" (which
   is set to "nftables" by default).

2) rpm spec now requires iptables or nftables (rather than
   recommending both)

3) The <firewall> element in the network status XML now has a
   "name='fwRemoval'" attribute, just in case we ever add another
   <firewall> element to keep track of all the commands that were run
   to create the firewall as well as the commands needed to remove it.

4) Failure to find the binary needed for any firewall backend now
   results in an error log and termination of the daemon.

Laine Stump (27):
  util/network: move viriptables.[ch] from util to network directory
  network: move all functions manipulating iptables rules into
    network_iptables.c
  network: make all iptables functions used only in network_iptables.c
    static
  util: #define the names used for private packet filter chains
  util: change name of virFirewallRule to virFirewallCmd
  util: rename virNetFilterAction to iptablesAction, and add
    VIR_ENUM_DECL/IMPL
  util: check for 0 args when applying iptables rule
  util: add -w/--concurrent when applying a FirewallCmd rather than when
    building it
  util: determine ignoreErrors value when creating virFirewallCmd, not
    when applying
  util/network: new virFirewallBackend enum
  network: add (empty) network.conf file to distribution files
  network: support setting firewallBackend from network.conf
  network: framework to call backend-specific function to init private
    filter chains
  util: new functions to support adding individual firewall rollback
    commands
  util: implement rollback rule autocreation for iptables commands
  network: turn on auto-rollback for the rules added for virtual
    networks
  util: add name attribute to virFirewall
  util: new function virFirewallNewFromRollback()
  util: new functions virFirewallParseXML() and virFirewallFormat()
  conf: add a virFirewall object to virNetworkObj
  network: use previously saved list of firewall removal commands
  network: save network status when firewall rules are reloaded
  meson: stop looking for iptables/ip6tables/ebtables at build time
  network: add an nftables backend for network driver's firewall
    construction
  tests: test cases for nftables backend
  network: prefer the nftables backend over iptables
  spec: require either iptables or nftables if network driver is
    installed

 libvirt.spec.in                               |    7 +-
 meson.build                                   |   10 +-
 meson_options.txt                             |    1 +
 po/POTFILES                                   |    3 +-
 src/conf/virnetworkobj.c                      |   47 +
 src/conf/virnetworkobj.h                      |   11 +
 src/libvirt_private.syms                      |   59 +-
 src/network/bridge_driver.c                   |   35 +-
 src/network/bridge_driver_conf.c              |   64 +
 src/network/bridge_driver_conf.h              |    3 +
 src/network/bridge_driver_linux.c             |  630 +------
 src/network/bridge_driver_nop.c               |    6 +-
 src/network/bridge_driver_platform.h          |    6 +-
 src/network/libvirtd_network.aug              |   39 +
 src/network/meson.build                       |   36 +
 src/network/network.conf.in                   |   28 +
 src/network/network_iptables.c                | 1677 +++++++++++++++++
 src/network/network_iptables.h                |   30 +
 src/network/network_nftables.c                |  940 +++++++++
 src/network/network_nftables.h                |   28 +
 src/network/test_libvirtd_network.aug.in      |    5 +
 src/nwfilter/nwfilter_ebiptables_driver.c     | 1004 +++++-----
 src/util/meson.build                          |    1 -
 src/util/virebtables.c                        |   36 +-
 src/util/virfirewall.c                        |  820 ++++++--
 src/util/virfirewall.h                        |   87 +-
 src/util/viriptables.c                        | 1072 -----------
 src/util/viriptables.h                        |  155 --
 .../{base.args => base.iptables}              |    0
 tests/networkxml2firewalldata/base.nftables   |  256 +++
 ...-linux.args => nat-default-linux.iptables} |    0
 .../nat-default-linux.nftables                |  248 +++
 ...pv6-linux.args => nat-ipv6-linux.iptables} |    0
 .../nat-ipv6-linux.nftables                   |  384 ++++
 ...rgs => nat-ipv6-masquerade-linux.iptables} |    0
 .../nat-ipv6-masquerade-linux.nftables        |  456 +++++
 ...linux.args => nat-many-ips-linux.iptables} |    0
 .../nat-many-ips-linux.nftables               |  472 +++++
 ...-linux.args => nat-no-dhcp-linux.iptables} |    0
 .../nat-no-dhcp-linux.nftables                |  384 ++++
 ...ftp-linux.args => nat-tftp-linux.iptables} |    0
 .../nat-tftp-linux.nftables                   |  274 +++
 ...inux.args => route-default-linux.iptables} |    0
 .../route-default-linux.nftables              |  162 ++
 tests/networkxml2firewalltest.c               |   56 +-
 tests/virfirewalltest.c                       |  424 ++---
 46 files changed, 7205 insertions(+), 2751 deletions(-)
 create mode 100644 src/network/libvirtd_network.aug
 create mode 100644 src/network/network.conf.in
 create mode 100644 src/network/network_iptables.c
 create mode 100644 src/network/network_iptables.h
 create mode 100644 src/network/network_nftables.c
 create mode 100644 src/network/network_nftables.h
 create mode 100644 src/network/test_libvirtd_network.aug.in
 delete mode 100644 src/util/viriptables.c
 delete mode 100644 src/util/viriptables.h
 rename tests/networkxml2firewalldata/{base.args => base.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/base.nftables
 rename tests/networkxml2firewalldata/{nat-default-linux.args => nat-default-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/nat-default-linux.nftables
 rename tests/networkxml2firewalldata/{nat-ipv6-linux.args => nat-ipv6-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.nftables
 rename tests/networkxml2firewalldata/{nat-ipv6-masquerade-linux.args => nat-ipv6-masquerade-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
 rename tests/networkxml2firewalldata/{nat-many-ips-linux.args => nat-many-ips-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.nftables
 rename tests/networkxml2firewalldata/{nat-no-dhcp-linux.args => nat-no-dhcp-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
 rename tests/networkxml2firewalldata/{nat-tftp-linux.args => nat-tftp-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.nftables
 rename tests/networkxml2firewalldata/{route-default-linux.args => route-default-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/route-default-linux.nftables

-- 
2.44.0
_______________________________________________
Devel mailing list -- devel@lists.libvirt.org
To unsubscribe send an email to devel-leave@lists.libvirt.org
Re: [PATCH v3 00/27] [PATCH v3 00/27] native support for nftables in virtual network driver
Posted by Laine Stump 1 week, 1 day ago 
*sigh*. After posting these last night, I checked on my CI pipeline and 
found that everything had failed due to

  #if defined(FIREWALL_BACKEND_DEFAULT_IPTABLES)
   [...]
  #elif defined (FIREWALL_BACKEND_DEFAULT_IPTABLES)
  [...]
  #else
  #error blah blah
  #endif

I've pushed fixed patches to gitlab, where you can find them at:

   https://gitlab.com/lainestump/libvirt/tree/nftrereboot-7

or alternately, just change the 2nd "IPTABLES" above to "NFTABLES" in 
patch 24/27.
w
On 4/25/24 1:38 AM, Laine Stump wrote:
> V2: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/5RTZ6PC3N3CO6X353QUHLVOL43SWQ4JD/
> 
> This patch series enables libvirt to use nftables rules rather than
> iptables *when setting up virtual networks* (it does *not* add
> nftables support to the nwfilter driver).
> 
> I've added the Reviewed-by's from Daniel where given in V2 (as long as
> I haven't made any non-trivial changes). That includes patches 1-9,
> 11-13, 16, 20, and 22.
> 
> Changes from V2 - mainly I've addressed the issues that Dan pointed
> out in his reviews (details in each patch). Functionally the main changes are:
> 
> 1) You can now choose whether iptables or nftables should be the
>     default backend with the new meson option "firewall_backend" (which
>     is set to "nftables" by default).
> 
> 2) rpm spec now requires iptables or nftables (rather than
>     recommending both)
> 
> 3) The <firewall> element in the network status XML now has a
>     "name='fwRemoval'" attribute, just in case we ever add another
>     <firewall> element to keep track of all the commands that were run
>     to create the firewall as well as the commands needed to remove it.
> 
> 4) Failure to find the binary needed for any firewall backend now
>     results in an error log and termination of the daemon.
> 
> Laine Stump (27):
>    util/network: move viriptables.[ch] from util to network directory
>    network: move all functions manipulating iptables rules into
>      network_iptables.c
>    network: make all iptables functions used only in network_iptables.c
>      static
>    util: #define the names used for private packet filter chains
>    util: change name of virFirewallRule to virFirewallCmd
>    util: rename virNetFilterAction to iptablesAction, and add
>      VIR_ENUM_DECL/IMPL
>    util: check for 0 args when applying iptables rule
>    util: add -w/--concurrent when applying a FirewallCmd rather than when
>      building it
>    util: determine ignoreErrors value when creating virFirewallCmd, not
>      when applying
>    util/network: new virFirewallBackend enum
>    network: add (empty) network.conf file to distribution files
>    network: support setting firewallBackend from network.conf
>    network: framework to call backend-specific function to init private
>      filter chains
>    util: new functions to support adding individual firewall rollback
>      commands
>    util: implement rollback rule autocreation for iptables commands
>    network: turn on auto-rollback for the rules added for virtual
>      networks
>    util: add name attribute to virFirewall
>    util: new function virFirewallNewFromRollback()
>    util: new functions virFirewallParseXML() and virFirewallFormat()
>    conf: add a virFirewall object to virNetworkObj
>    network: use previously saved list of firewall removal commands
>    network: save network status when firewall rules are reloaded
>    meson: stop looking for iptables/ip6tables/ebtables at build time
>    network: add an nftables backend for network driver's firewall
>      construction
>    tests: test cases for nftables backend
>    network: prefer the nftables backend over iptables
>    spec: require either iptables or nftables if network driver is
>      installed
> 
>   libvirt.spec.in                               |    7 +-
>   meson.build                                   |   10 +-
>   meson_options.txt                             |    1 +
>   po/POTFILES                                   |    3 +-
>   src/conf/virnetworkobj.c                      |   47 +
>   src/conf/virnetworkobj.h                      |   11 +
>   src/libvirt_private.syms                      |   59 +-
>   src/network/bridge_driver.c                   |   35 +-
>   src/network/bridge_driver_conf.c              |   64 +
>   src/network/bridge_driver_conf.h              |    3 +
>   src/network/bridge_driver_linux.c             |  630 +------
>   src/network/bridge_driver_nop.c               |    6 +-
>   src/network/bridge_driver_platform.h          |    6 +-
>   src/network/libvirtd_network.aug              |   39 +
>   src/network/meson.build                       |   36 +
>   src/network/network.conf.in                   |   28 +
>   src/network/network_iptables.c                | 1677 +++++++++++++++++
>   src/network/network_iptables.h                |   30 +
>   src/network/network_nftables.c                |  940 +++++++++
>   src/network/network_nftables.h                |   28 +
>   src/network/test_libvirtd_network.aug.in      |    5 +
>   src/nwfilter/nwfilter_ebiptables_driver.c     | 1004 +++++-----
>   src/util/meson.build                          |    1 -
>   src/util/virebtables.c                        |   36 +-
>   src/util/virfirewall.c                        |  820 ++++++--
>   src/util/virfirewall.h                        |   87 +-
>   src/util/viriptables.c                        | 1072 -----------
>   src/util/viriptables.h                        |  155 --
>   .../{base.args => base.iptables}              |    0
>   tests/networkxml2firewalldata/base.nftables   |  256 +++
>   ...-linux.args => nat-default-linux.iptables} |    0
>   .../nat-default-linux.nftables                |  248 +++
>   ...pv6-linux.args => nat-ipv6-linux.iptables} |    0
>   .../nat-ipv6-linux.nftables                   |  384 ++++
>   ...rgs => nat-ipv6-masquerade-linux.iptables} |    0
>   .../nat-ipv6-masquerade-linux.nftables        |  456 +++++
>   ...linux.args => nat-many-ips-linux.iptables} |    0
>   .../nat-many-ips-linux.nftables               |  472 +++++
>   ...-linux.args => nat-no-dhcp-linux.iptables} |    0
>   .../nat-no-dhcp-linux.nftables                |  384 ++++
>   ...ftp-linux.args => nat-tftp-linux.iptables} |    0
>   .../nat-tftp-linux.nftables                   |  274 +++
>   ...inux.args => route-default-linux.iptables} |    0
>   .../route-default-linux.nftables              |  162 ++
>   tests/networkxml2firewalltest.c               |   56 +-
>   tests/virfirewalltest.c                       |  424 ++---
>   46 files changed, 7205 insertions(+), 2751 deletions(-)
>   create mode 100644 src/network/libvirtd_network.aug
>   create mode 100644 src/network/network.conf.in
>   create mode 100644 src/network/network_iptables.c
>   create mode 100644 src/network/network_iptables.h
>   create mode 100644 src/network/network_nftables.c
>   create mode 100644 src/network/network_nftables.h
>   create mode 100644 src/network/test_libvirtd_network.aug.in
>   delete mode 100644 src/util/viriptables.c
>   delete mode 100644 src/util/viriptables.h
>   rename tests/networkxml2firewalldata/{base.args => base.iptables} (100%)
>   create mode 100644 tests/networkxml2firewalldata/base.nftables
>   rename tests/networkxml2firewalldata/{nat-default-linux.args => nat-default-linux.iptables} (100%)
>   create mode 100644 tests/networkxml2firewalldata/nat-default-linux.nftables
>   rename tests/networkxml2firewalldata/{nat-ipv6-linux.args => nat-ipv6-linux.iptables} (100%)
>   create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.nftables
>   rename tests/networkxml2firewalldata/{nat-ipv6-masquerade-linux.args => nat-ipv6-masquerade-linux.iptables} (100%)
>   create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
>   rename tests/networkxml2firewalldata/{nat-many-ips-linux.args => nat-many-ips-linux.iptables} (100%)
>   create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.nftables
>   rename tests/networkxml2firewalldata/{nat-no-dhcp-linux.args => nat-no-dhcp-linux.iptables} (100%)
>   create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
>   rename tests/networkxml2firewalldata/{nat-tftp-linux.args => nat-tftp-linux.iptables} (100%)
>   create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.nftables
>   rename tests/networkxml2firewalldata/{route-default-linux.args => route-default-linux.iptables} (100%)
>   create mode 100644 tests/networkxml2firewalldata/route-default-linux.nftables
> 
_______________________________________________
Devel mailing list -- devel@lists.libvirt.org
To unsubscribe send an email to devel-leave@lists.libvirt.org
Re: [PATCH v3 00/27] [PATCH v3 00/27] native support for nftables in virtual network driver
Posted by Daniel P. Berrangé 1 week, 1 day ago 
On Thu, Apr 25, 2024 at 01:38:06AM -0400, Laine Stump wrote:
> V2: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/5RTZ6PC3N3CO6X353QUHLVOL43SWQ4JD/
> 
> This patch series enables libvirt to use nftables rules rather than
> iptables *when setting up virtual networks* (it does *not* add
> nftables support to the nwfilter driver).

I deployed on my machine and restarted virtnetworkd, with nft backend
active. I have 2 networks running, and got the following result

table ip libvirt {
        chain INPUT {
                type filter hook input priority filter; policy accept;
                counter packets 363 bytes 30801 jump LIBVIRT_INP
        }

        chain FORWARD {
                type filter hook forward priority filter; policy accept;
                counter packets 1 bytes 76 jump LIBVIRT_FWX
                counter packets 1 bytes 76 jump LIBVIRT_FWI
                counter packets 1 bytes 76 jump LIBVIRT_FWO
        }

        chain OUTPUT {
                type filter hook output priority filter; policy accept;
                counter packets 286 bytes 107221 jump LIBVIRT_OUT
        }

        chain LIBVIRT_INP {
                iifname "virbr0" udp dport 53 counter packets 0 bytes 0 accept
                iifname "virbr0" tcp dport 53 counter packets 0 bytes 0 accept
                iifname "virbr0" udp dport 67 counter packets 1 bytes 320 accept
                iifname "virbr0" tcp dport 67 counter packets 0 bytes 0 accept
                iifname "virbr1" udp dport 53 counter packets 0 bytes 0 accept
                iifname "virbr1" tcp dport 53 counter packets 0 bytes 0 accept
                iifname "virbr1" udp dport 67 counter packets 0 bytes 0 accept
                iifname "virbr1" tcp dport 67 counter packets 0 bytes 0 accept
        }

        chain LIBVIRT_OUT {
                oifname "virbr0" udp dport 53 counter packets 0 bytes 0 accept
                oifname "virbr0" tcp dport 53 counter packets 0 bytes 0 accept
                oifname "virbr0" udp dport 68 counter packets 1 bytes 336 accept
                oifname "virbr0" tcp dport 68 counter packets 0 bytes 0 accept
                oifname "virbr1" udp dport 53 counter packets 0 bytes 0 accept
                oifname "virbr1" tcp dport 53 counter packets 0 bytes 0 accept
                oifname "virbr1" udp dport 68 counter packets 0 bytes 0 accept
                oifname "virbr1" tcp dport 68 counter packets 0 bytes 0 accept
        }

        chain LIBVIRT_FWO {
                ip saddr 192.168.122.0/24 iifname "virbr0" counter packets 1 bytes 76 accept
                iifname "virbr0" counter packets 0 bytes 0 reject
                ip saddr 192.168.100.0/24 iifname "virbr1" counter packets 0 bytes 0 accept
                iifname "virbr1" counter packets 0 bytes 0 reject
        }

        chain LIBVIRT_FWI {
                oifname "virbr0" ip daddr 192.168.122.0/24 ct state established,related counter packets 0 bytes 0 accept
                oifname "virbr0" counter packets 0 bytes 0 reject
                oifname "virbr1" ip daddr 192.168.100.0/24 ct state established,related counter packets 0 bytes 0 accept
                oifname "virbr1" counter packets 0 bytes 0 reject
        }

        chain LIBVIRT_FWX {
                iifname "virbr0" oifname "virbr0" counter packets 0 bytes 0 accept
                iifname "virbr1" oifname "virbr1" counter packets 0 bytes 0 accept
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                counter packets 2 bytes 136 jump LIBVIRT_PRT
        }

        chain LIBVIRT_PRT {
                ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return
                ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
                meta l4proto tcp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
                meta l4proto udp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 1 bytes 76 masquerade to :1024-65535
                ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade
                ip saddr 192.168.100.0/24 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return
                ip saddr 192.168.100.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
                meta l4proto tcp ip saddr 192.168.100.0/24 ip daddr != 192.168.100.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
                meta l4proto udp ip saddr 192.168.100.0/24 ip daddr != 192.168.100.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
                ip saddr 192.168.100.0/24 ip daddr != 192.168.100.0/24 counter packets 0 bytes 0 masquerade
        }
}


I also got some 'ip6' rules, but I'll omit that, since my points will
be identical for both.

I compared these rules, against the nft rules created by the iptables
compat shim. They were identical, aside from the expected difference
with checksum rules, so that's good.

The main thought I have is around the chain structure and naming.

We have

   INPUT -> LIBVIRT_INP
   OUTPUT -> LIBVIRT_OUT
   FORWARD -> LIBVIRT_FWX
           -> LIBVIRT_FWI
           -> LIBVIRT_FWO
   POSTROUTING -> LIBVIRT_PRT

we introduced the top level "LIBVIRT_nnn" chains in the iptables
world to cleanly separate ourselves from other users of the top
level chains.

In the nft world though, this use case is already handled, because
we are namespaced in the 'libvirt' table instead. So aside from
the FORWARD case, our extra LIBVIRT_nn chains are redundant, and
the naming prefix is redundant too.

Second observation is that we're not limited to short chain names
in the nft world, and uppercase is not a common convention, just
a hangover from iptables world.

If we consider what each chain is used for

 * LIBVIRT_INPUT - incoming dnsmasq DHCP/DNS to the host
 * LIBVIRT_OUTPUT - outgoing dnsmasq DHCP/DNS from the host
 * LIBVIRT_FWX - crossing traffic between guests on a network 
 * LIBVIRT_FWI - incoming traffic to guests
 * LIBVIRT_FWO - outgoing traffic from guests
 * LIBVIRT_PRT - outgoing NAT from guest

Then I think we can change names thus:

   input -> host_input
   output -> host_output
   forward -> guest_cross
           -> guest_input
           -> guest_output
   postrouting -> guest_nat

so the names better reflect the purpose of each chain.

In theory we could eliminate the 'input', 'output' and 'postrouting' top
level chains, since they only have 1 rule in them. We can't eliminate the
'forward' chain though, as we need explicit ordernig of traversal for the
3 chains it links to. So on balance, its OK to keep them all I guess.

So in the end i'm only really asking for some chain renaming.

Oh, actually one final thing. We called the tables 'libvirt'.

We have 2 possible users of nft - virtnetworkd and virnwfilterd.
I see no reason for them to use the same table. Cleanly separating
them would be nice, given they're totally indepedent daemons.

IOW, change the table names from 'libvirt' to 'libvirt_network'.

Thus in future we can also have 'libvirt_nwfilter' tables.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
_______________________________________________
Devel mailing list -- devel@lists.libvirt.org
To unsubscribe send an email to devel-leave@lists.libvirt.org
Re: [PATCH v3 00/27] [PATCH v3 00/27] native support for nftables in virtual network driver
Posted by Laine Stump 1 week ago 
On 4/25/24 1:22 PM, Daniel P. Berrangé wrote:
> On Thu, Apr 25, 2024 at 01:38:06AM -0400, Laine Stump wrote:
>> V2: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/5RTZ6PC3N3CO6X353QUHLVOL43SWQ4JD/
>>
>> This patch series enables libvirt to use nftables rules rather than
>> iptables *when setting up virtual networks* (it does *not* add
>> nftables support to the nwfilter driver).
> 
> I deployed on my machine and restarted virtnetworkd, with nft backend
> active. I have 2 networks running, and got the following result

 > [...]

> I compared these rules, against the nft rules created by the iptables
> compat shim. They were identical, aside from the expected difference
> with checksum rules, so that's good.

It's good to know that the result is reproducible, and that I apparently 
didn't miss anything.

> 
> The main thought I have is around the chain structure and naming.
> 
> [...]
> 
> If we consider what each chain is used for
> 
>   * LIBVIRT_INPUT - incoming dnsmasq DHCP/DNS to the host
>   * LIBVIRT_OUTPUT - outgoing dnsmasq DHCP/DNS from the host
>   * LIBVIRT_FWX - crossing traffic between guests on a network
>   * LIBVIRT_FWI - incoming traffic to guests
>   * LIBVIRT_FWO - outgoing traffic from guests
>   * LIBVIRT_PRT - outgoing NAT from guest
> 
> Then I think we can change names thus:
> 
>     input -> host_input
>     output -> host_output
>     forward -> guest_cross
>             -> guest_input
>             -> guest_output
>     postrouting -> guest_nat
> 
> so the names better reflect the purpose of each chain.
> 
> In theory we could eliminate the 'input', 'output' and 'postrouting' top
> level chains, since they only have 1 rule in them. We can't eliminate the
> 'forward' chain though, as we need explicit ordernig of traversal for the
> 3 chains it links to. So on balance, its OK to keep them all I guess.
> 
> So in the end i'm only really asking for some chain renaming.

Sure - readability always gets extra points, and now that we've 
established a working baseline that's identical to previous we can 
modify with abandon :-)

> Oh, actually one final thing. We called the tables 'libvirt'.
> 
> We have 2 possible users of nft - virtnetworkd and virnwfilterd.
> I see no reason for them to use the same table. Cleanly separating
> them would be nice, given they're totally indepedent daemons.
> 
> IOW, change the table names from 'libvirt' to 'libvirt_network'.
> 
> Thus in future we can also have 'libvirt_nwfilter' tables.

I hadn't thought of that, but it makes sense. I'm trying to think of a 
way where it would be an advantage to have both use the same table, and 
(without some serious active cooperation between the two drivers) I 
can't come up with anything.

(and anyway, if we later decide that we want both to be in the same 
table we can easily change it, and reloading virtnetworkd will create 
the new table, remove the rules from the old table, and add them in the 
new table (ie. it will be completely painless for the user)

I think I'll do this (and the change to remove the DNS/DHCP rules) as 
separate patches rather than squasing them into the initial patch for 
the nft backend. That way it will be obvious from git history what's 
different in the rules, and will be easier to revert in case we later 
find some reason that requires that (seems doubtful, but just in case)
_______________________________________________
Devel mailing list -- devel@lists.libvirt.org
To unsubscribe send an email to devel-leave@lists.libvirt.org
Re: [PATCH v3 00/27] [PATCH v3 00/27] native support for nftables in virtual network driver
Posted by Daniel P. Berrangé 1 week, 1 day ago 
On Thu, Apr 25, 2024 at 06:22:33PM +0100, Daniel P. Berrangé wrote:
> On Thu, Apr 25, 2024 at 01:38:06AM -0400, Laine Stump wrote:
> > V2: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/5RTZ6PC3N3CO6X353QUHLVOL43SWQ4JD/
> > 
> > This patch series enables libvirt to use nftables rules rather than
> > iptables *when setting up virtual networks* (it does *not* add
> > nftables support to the nwfilter driver).
> 
> I deployed on my machine and restarted virtnetworkd, with nft backend
> active. I have 2 networks running, and got the following result
> 
> table ip libvirt {
>         chain INPUT {
>                 type filter hook input priority filter; policy accept;
>                 counter packets 363 bytes 30801 jump LIBVIRT_INP
>         }
> 
>         chain FORWARD {
>                 type filter hook forward priority filter; policy accept;
>                 counter packets 1 bytes 76 jump LIBVIRT_FWX
>                 counter packets 1 bytes 76 jump LIBVIRT_FWI
>                 counter packets 1 bytes 76 jump LIBVIRT_FWO
>         }
> 
>         chain OUTPUT {
>                 type filter hook output priority filter; policy accept;
>                 counter packets 286 bytes 107221 jump LIBVIRT_OUT
>         }
> 
>         chain LIBVIRT_INP {
>                 iifname "virbr0" udp dport 53 counter packets 0 bytes 0 accept
>                 iifname "virbr0" tcp dport 53 counter packets 0 bytes 0 accept
>                 iifname "virbr0" udp dport 67 counter packets 1 bytes 320 accept
>                 iifname "virbr0" tcp dport 67 counter packets 0 bytes 0 accept
>                 iifname "virbr1" udp dport 53 counter packets 0 bytes 0 accept
>                 iifname "virbr1" tcp dport 53 counter packets 0 bytes 0 accept
>                 iifname "virbr1" udp dport 67 counter packets 0 bytes 0 accept
>                 iifname "virbr1" tcp dport 67 counter packets 0 bytes 0 accept
>         }
> 
>         chain LIBVIRT_OUT {
>                 oifname "virbr0" udp dport 53 counter packets 0 bytes 0 accept
>                 oifname "virbr0" tcp dport 53 counter packets 0 bytes 0 accept
>                 oifname "virbr0" udp dport 68 counter packets 1 bytes 336 accept
>                 oifname "virbr0" tcp dport 68 counter packets 0 bytes 0 accept
>                 oifname "virbr1" udp dport 53 counter packets 0 bytes 0 accept
>                 oifname "virbr1" tcp dport 53 counter packets 0 bytes 0 accept
>                 oifname "virbr1" udp dport 68 counter packets 0 bytes 0 accept
>                 oifname "virbr1" tcp dport 68 counter packets 0 bytes 0 accept
>         }

I'm wondering if these DHCP and DNS rules are in fact pointless.

In iptables, there's 1 set of global tables, and other firewall
tools or sysadmin might have put a DENY/REJECT that catches
DHCP/DNS. We inserted libvirt rules at the head of the tables,
so we can then explicitly ACCEPT DHCP/DNS, even if later rules
would deny them. So the LIBVIRT_INP/LIBVIRT_OUT rules are useful
in the context of iptables.

In nftables, there are arbitrary many tables, and a packet needs
to be allowed by *all* the tables, to continue its flow.

If a non-libvirt tables has put in a DENY/REJECT that catches
DHCP/DNS, then no matter what rules we put in the 'libvirt'
tables, we can never undo that DENY/REJECT.

So these LIBVIRT_INP/LIBVIRT_OUT rules are entirely pointless
unless the 'libvirt' table had later rules that could be
DENY/REJECTing DHCP/DNS. We don't today.

The only way I see these DHCP/DNS rules being useful, is if
the LIBVIRT_INP chain had a default 'deny' rule for 'virbr0',
to block the guest from all access to the host. That would
to some extent overlap with a general host firewall tool,
but there might not be one.

Currently our "isolated" config still allows guests to access
the host, just won't route off host. I guess any of the forward
modes could conceptually have a "deny host" access rule.

Still, even if we implemented this "deny host" concept, we
still don't need to add these DHCP/DNS rules to LIBVIRT_INP
and LIBVIRT_OUT, unless 'deny host' is actually active.

IOW, I think we should delete (or comment out) all the DHCP/DNS
rules from your nftables impl currently.


> 
>         chain LIBVIRT_FWO {
>                 ip saddr 192.168.122.0/24 iifname "virbr0" counter packets 1 bytes 76 accept
>                 iifname "virbr0" counter packets 0 bytes 0 reject
>                 ip saddr 192.168.100.0/24 iifname "virbr1" counter packets 0 bytes 0 accept
>                 iifname "virbr1" counter packets 0 bytes 0 reject
>         }
> 
>         chain LIBVIRT_FWI {
>                 oifname "virbr0" ip daddr 192.168.122.0/24 ct state established,related counter packets 0 bytes 0 accept
>                 oifname "virbr0" counter packets 0 bytes 0 reject
>                 oifname "virbr1" ip daddr 192.168.100.0/24 ct state established,related counter packets 0 bytes 0 accept
>                 oifname "virbr1" counter packets 0 bytes 0 reject
>         }
> 
>         chain LIBVIRT_FWX {
>                 iifname "virbr0" oifname "virbr0" counter packets 0 bytes 0 accept
>                 iifname "virbr1" oifname "virbr1" counter packets 0 bytes 0 accept
>         }
> 
>         chain POSTROUTING {
>                 type nat hook postrouting priority srcnat; policy accept;
>                 counter packets 2 bytes 136 jump LIBVIRT_PRT
>         }
> 
>         chain LIBVIRT_PRT {
>                 ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return
>                 ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
>                 meta l4proto tcp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
>                 meta l4proto udp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 1 bytes 76 masquerade to :1024-65535
>                 ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade
>                 ip saddr 192.168.100.0/24 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return
>                 ip saddr 192.168.100.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
>                 meta l4proto tcp ip saddr 192.168.100.0/24 ip daddr != 192.168.100.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
>                 meta l4proto udp ip saddr 192.168.100.0/24 ip daddr != 192.168.100.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
>                 ip saddr 192.168.100.0/24 ip daddr != 192.168.100.0/24 counter packets 0 bytes 0 masquerade
>         }
> }
> 

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
_______________________________________________
Devel mailing list -- devel@lists.libvirt.org
To unsubscribe send an email to devel-leave@lists.libvirt.org
Re: [PATCH v3 00/27] [PATCH v3 00/27] native support for nftables in virtual network driver
Posted by Laine Stump 1 week ago 
On 4/26/24 6:24 AM, Daniel P. Berrangé wrote:
> On Thu, Apr 25, 2024 at 06:22:33PM +0100, Daniel P. Berrangé wrote:
>> On Thu, Apr 25, 2024 at 01:38:06AM -0400, Laine Stump wrote:
>>> V2: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/5RTZ6PC3N3CO6X353QUHLVOL43SWQ4JD/
>>>
>>> This patch series enables libvirt to use nftables rules rather than
>>> iptables *when setting up virtual networks* (it does *not* add
>>> nftables support to the nwfilter driver).
>>
>> I deployed on my machine and restarted virtnetworkd, with nft backend
>> active. I have 2 networks running, and got the following result
>>
>> table ip libvirt {
>>          chain INPUT {
>>                  type filter hook input priority filter; policy accept;
>>                  counter packets 363 bytes 30801 jump LIBVIRT_INP
>>          }
>>
>>          chain FORWARD {
>>                  type filter hook forward priority filter; policy accept;
>>                  counter packets 1 bytes 76 jump LIBVIRT_FWX
>>                  counter packets 1 bytes 76 jump LIBVIRT_FWI
>>                  counter packets 1 bytes 76 jump LIBVIRT_FWO
>>          }
>>
>>          chain OUTPUT {
>>                  type filter hook output priority filter; policy accept;
>>                  counter packets 286 bytes 107221 jump LIBVIRT_OUT
>>          }
>>
>>          chain LIBVIRT_INP {
>>                  iifname "virbr0" udp dport 53 counter packets 0 bytes 0 accept
>>                  iifname "virbr0" tcp dport 53 counter packets 0 bytes 0 accept
>>                  iifname "virbr0" udp dport 67 counter packets 1 bytes 320 accept
>>                  iifname "virbr0" tcp dport 67 counter packets 0 bytes 0 accept
>>                  iifname "virbr1" udp dport 53 counter packets 0 bytes 0 accept
>>                  iifname "virbr1" tcp dport 53 counter packets 0 bytes 0 accept
>>                  iifname "virbr1" udp dport 67 counter packets 0 bytes 0 accept
>>                  iifname "virbr1" tcp dport 67 counter packets 0 bytes 0 accept
>>          }
>>
>>          chain LIBVIRT_OUT {
>>                  oifname "virbr0" udp dport 53 counter packets 0 bytes 0 accept
>>                  oifname "virbr0" tcp dport 53 counter packets 0 bytes 0 accept
>>                  oifname "virbr0" udp dport 68 counter packets 1 bytes 336 accept
>>                  oifname "virbr0" tcp dport 68 counter packets 0 bytes 0 accept
>>                  oifname "virbr1" udp dport 53 counter packets 0 bytes 0 accept
>>                  oifname "virbr1" tcp dport 53 counter packets 0 bytes 0 accept
>>                  oifname "virbr1" udp dport 68 counter packets 0 bytes 0 accept
>>                  oifname "virbr1" tcp dport 68 counter packets 0 bytes 0 accept
>>          }
> 
> I'm wondering if these DHCP and DNS rules are in fact pointless.
> 
> In iptables, there's 1 set of global tables, and other firewall
> tools or sysadmin might have put a DENY/REJECT that catches
> DHCP/DNS. We inserted libvirt rules at the head of the tables,
> so we can then explicitly ACCEPT DHCP/DNS, even if later rules
> would deny them. So the LIBVIRT_INP/LIBVIRT_OUT rules are useful
> in the context of iptables.
> 
> In nftables, there are arbitrary many tables, and a packet needs
> to be allowed by *all* the tables, to continue its flow.
> 
> If a non-libvirt tables has put in a DENY/REJECT that catches
> DHCP/DNS, then no matter what rules we put in the 'libvirt'
> tables, we can never undo that DENY/REJECT.
> 
> So these LIBVIRT_INP/LIBVIRT_OUT rules are entirely pointless
> unless the 'libvirt' table had later rules that could be
> DENY/REJECTing DHCP/DNS. We don't today.
> 
> The only way I see these DHCP/DNS rules being useful, is if
> the LIBVIRT_INP chain had a default 'deny' rule for 'virbr0',
> to block the guest from all access to the host. That would
> to some extent overlap with a general host firewall tool,
> but there might not be one.
> 
> Currently our "isolated" config still allows guests to access
> the host, just won't route off host. I guess any of the forward
> modes could conceptually have a "deny host" access rule.
> 
> Still, even if we implemented this "deny host" concept, we
> still don't need to add these DHCP/DNS rules to LIBVIRT_INP
> and LIBVIRT_OUT, unless 'deny host' is actually active.
> 
> IOW, I think we should delete (or comment out) all the DHCP/DNS
> rules from your nftables impl currently.

This all makes sense. I'll try it out early next week along with the 
changes to table/chain naming you suggested yesterday. (I would say 
"this weekend", but it's springtime, which means "end of year" parties 
are happening everywhere, and we have 3 of them we have to go to just 
this weekend :-/)
_______________________________________________
Devel mailing list -- devel@lists.libvirt.org
To unsubscribe send an email to devel-leave@lists.libvirt.org

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.