On Sun, Apr 21, 2024 at 10:53:34PM -0400, Laine Stump wrote:
> The initial patches to support nftables for virtual networks left
> iptables as the default backend.
>
> The only functional difference between the two backends is that the
> nftables backend doesn't add any rules to fix up the checksum of DHCP
> packets, which will cause failures on guests with very old OSes
> (e.g. RHEL5) that have a virtio-net network interface using vhost
> packet processing (the default), connected to a libvirt virtual
> network, and configured to acquire the interface IP using DHCP. Since
> RHEL5 has been out of support for several years already, we might as
> well start off nftables support right by making it the default.
>
> In the extremely unlikely case that this causes a problem for anyone,
> they can work around the failure by adding "<driver name='qemu'/>" to
> the guest <interface> element.
>
> Signed-off-by: Laine Stump <laine@redhat.com>
> ---
> src/network/bridge_driver_conf.c | 6 +++---
> src/network/network.conf | 9 ++++++---
> src/network/test_libvirtd_network.aug.in | 2 +-
> 3 files changed, 10 insertions(+), 7 deletions(-)
I wonder if we shouldn't make the default firewall backend be
a meson_options.txt parameter.
If a distro rebases libvirt in their existing release, they
probably don't want the firewall backend silently changing
as a side effect. A meson option would let them turn on the
new behaviour for only new releases. We could make the meson
option default to 'nft' though.
> diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_conf.c
> index f1159ed245..0139ece5ad 100644
> --- a/src/network/bridge_driver_conf.c
> +++ b/src/network/bridge_driver_conf.c
> @@ -106,10 +106,10 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED,
> * which allows absolute paths, and verifies that
> * the file is executable.
> */
> - if ((iptablesInPath = virFindFileInPath(IPTABLES)))
> - cfg->firewallBackend = VIR_FIREWALL_BACKEND_IPTABLES;
> - else if ((nftInPath = virFindFileInPath(NFT)))
> + if ((nftInPath = virFindFileInPath(NFT)))
> cfg->firewallBackend = VIR_FIREWALL_BACKEND_NFTABLES;
> + else if ((iptablesInPath = virFindFileInPath(IPTABLES)))
> + cfg->firewallBackend = VIR_FIREWALL_BACKEND_IPTABLES;
>
> if (cfg->firewallBackend == VIR_FIREWALL_BACKEND_UNSET)
> VIR_INFO("firewall_backend not set, and no usable backend auto-detected");
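Review bot: the reordered auto-detection at the top of the hunk silently changes which backend a host gets after an upgrade whenever both nft and iptables are installed, yet the only log line in this path is the VIR_INFO for the "neither found" case. Consider logging the auto-selected backend at the same level (e.g. VIR_INFO("firewall_backend not set, auto-detected %s", ...)), so that an administrator diagnosing the DHCP checksum regression described in the commit message can see from the daemon log that nftables was chosen rather than iptables. That also gives distros a visible signal if, as suggested in the reply, the compiled-in default becomes a meson option.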
> diff --git a/src/network/network.conf b/src/network/network.conf
> index 630c4387a1..31723bccd5 100644
> --- a/src/network/network.conf
> +++ b/src/network/network.conf
> @@ -12,8 +12,11 @@
> # iptables - use iptables commands to construct the firewall
> # nftables - use nft commands to construct the firewall
> #
> -# For backward compatibility, and to reduce surprises, the
> -# default setting is "iptables".
> +# If firewall_backend isn't explicitly specified here, libvirt
> +# will default to using nftables if the "nft" command is available
> +# on the host, otherwise it will use iptables if the "iptables"
> +# command is available. If neither is available, then libvirt
> +# will log an error the first time any network is started.
> #
> # (NB: switching from one backend to another while there are active
> # virtual networks *is* supported. The change will take place the
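Review bot: the new comment says libvirt "will log an error the first time any network is started" when neither command is available, but the bridge_driver_conf.c hunk above only shows a VIR_INFO at config-load time, so either point to where that start-time error is raised or soften the wording to match what the visible code does. Since this hunk is the user-facing documentation for the default change, it is also the natural place to record the one functional difference stated in the commit message (the nftables backend adds no DHCP checksum fix-up rules) and the documented workaround of "<driver name='qemu'/>" in the guest <interface>, so that someone hitting the regression does not have to dig through git history.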
> @@ -21,4 +24,4 @@
> # virtual networks will have their old firewalls removed, and then
> # reloaded using the new backend.)
> #
> -#firewall_backend = "iptables"
> +#firewall_backend = "nftables"
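Review bot: the commented-out example line now reads "nftables", which no longer describes the actual default (auto-detect nft, then fall back to iptables) but rather how to pin one backend. Worth adding a sentence above it saying that hosts that must keep the pre-upgrade behaviour should uncomment this line with "iptables"; that addresses the concern in the reply about the backend changing as a side effect of a distro rebase, independently of whether a meson option is added.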
> diff --git a/src/network/test_libvirtd_network.aug.in b/src/network/test_libvirtd_network.aug.in
> index 3aa7b4cc22..81a6256919 100644
> --- a/src/network/test_libvirtd_network.aug.in
> +++ b/src/network/test_libvirtd_network.aug.in
> @@ -2,4 +2,4 @@ module Test_libvirtd_network =
> @CONFIG@
>
> test Libvirtd_network.lns get conf =
> -{ "firewall_backend" = "iptables" }
> +{ "firewall_backend" = "nftables" }
> --
> 2.44.0
> _______________________________________________
> Devel mailing list -- devel@lists.libvirt.org
> To unsubscribe send an email to devel-leave@lists.libvirt.org
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|