From: Laine Stump
To: devel@lists.libvirt.org
Subject: [PATCH v2 26/27] network: prefer the nftables backend over iptables
Date: Sun, 21 Apr 2024 22:53:34 -0400
Message-ID: <20240422025335.923272-27-laine@redhat.com>
In-Reply-To: <20240422025335.923272-1-laine@redhat.com>
References: <20240422025335.923272-1-laine@redhat.com>

The initial patches to support nftables for virtual networks left iptables as the default backend. The only functional difference between the two backends is that the nftables backend doesn't add any rules to fix up the checksum of DHCP packets, which will cause failures on guests with very old OSes (e.g. RHEL5) that have a virtio-net network interface using vhost packet processing (the default), connected to a libvirt virtual network, and configured to acquire the interface IP using DHCP.

Since RHEL5 has been out of support for several years already, we might as well start off nftables support right by making it the default.
In the extremely unlikely case that this causes a problem for anyone, they can work around the failure by adding " to the guest element.

Signed-off-by: Laine Stump
---
 src/network/bridge_driver_conf.c         | 6 +++---
 src/network/network.conf                 | 9 ++++++---
 src/network/test_libvirtd_network.aug.in | 2 +-
 3 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_c= onf.c index f1159ed245..0139ece5ad 100644 --- a/src/network/bridge_driver_conf.c +++ b/src/network/bridge_driver_conf.c @@ -106,10 +106,10 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cf= g G_GNUC_UNUSED, * which allows absolute paths, and verifies that * the file is executable. */ - if ((iptablesInPath =3D virFindFileInPath(IPTABLES))) - cfg->firewallBackend =3D VIR_FIREWALL_BACKEND_IPTABLES; - else if ((nftInPath =3D virFindFileInPath(NFT))) + if ((nftInPath =3D virFindFileInPath(NFT))) cfg->firewallBackend =3D VIR_FIREWALL_BACKEND_NFTABLES; + else if ((iptablesInPath =3D virFindFileInPath(IPTABLES))) + cfg->firewallBackend =3D VIR_FIREWALL_BACKEND_IPTABLES; =20 if (cfg->firewallBackend =3D=3D VIR_FIREWALL_BACKEND_UNSET) VIR_INFO("firewall_backend not set, and no usable backend auto= -detected"); diff --git a/src/network/network.conf b/src/network/network.conf index 630c4387a1..31723bccd5 100644 --- a/src/network/network.conf +++ b/src/network/network.conf
@@ -12,8 +12,11 @@ # iptables - use iptables commands to construct the firewall # nftables - use nft commands to construct the firewall # -# For backward compatibility, and to reduce surprises, the -# default setting is "iptables". +# If firewall_backend isn't explicitly specified here, libvirt +# will default to using nftables if the "nft" command is available +# on the host, otherwise it will use iptables if the "iptables" +# command is available. If neither is available, then libvirt +# will log an error the first time any network is started. # # (NB: switching from one backend to another while there are active # virtual networks *is* supported. The change will take place the @@ -21,4 +24,4 @@ # virtual networks will have their old firewalls removed, and then # reloaded using the new backend.) # -#firewall_backend =3D "iptables" +#firewall_backend =3D "nftables" diff --git a/src/network/test_libvirtd_network.aug.in b/src/network/test_li= bvirtd_network.aug.in index 3aa7b4cc22..81a6256919 100644 --- a/src/network/test_libvirtd_network.aug.in +++ b/src/network/test_libvirtd_network.aug.in @@ -2,4 +2,4 @@ module Test_libvirtd_network =3D @CONFIG@ =20 test Libvirtd_network.lns get conf =3D -{ "firewall_backend" =3D "iptables" } +{ "firewall_backend" =3D "nftables" } --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org
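Review bot: in the bridge_driver_conf.c hunk, swapping the two virFindFileInPath() checks changes the default for every host that has both binaries installed, yet the probe is still only "does an executable called nft exist in PATH" (the retained comment says the lookup "verifies that the file is executable", nothing more). A host that ships nft but whose kernel cannot drive nf_tables will now be steered to the nftables backend instead of the iptables backend it used before this patch. Consider either confirming nft actually works before committing to it, or at least documenting the flip where operators will see it: the diffstat touches only the three files above and carries no release-notes update.

Review bot: in the first network.conf hunk, the new comment promises that when neither command is available libvirt "will log an error the first time any network is started", but the only diagnostic visible in this patch for that case is the VIR_INFO("firewall_backend not set, and no usable backend auto-detected") in virNetworkLoadDriverConfig(), which fires at config-load time and at info level. Either point the comment at the error the network-start path really raises, or soften the wording so the documented behaviour matches what the code logs.

Review bot: in the `#firewall_backend = "nftables"` hunk, the example value now shows one of two possible auto-detected defaults rather than the fixed default the replaced line documented; a short note that uncommenting the line disables the auto-detection described in the comment above would help operators who copy the example verbatim.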
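As an added example (not part of this patch and not libvirt's own code), the following POSIX shell script mirrors the selection order the patch introduces so an operator can predict which backend libvirtd will pick on a given host: an explicit, uncommented firewall_backend in network.conf wins; otherwise nft is preferred over iptables; if neither binary is found the result is "unset". The conf-path argument, the NFT and IPTABLES environment overrides (standing in for libvirt's configure-time NFT and IPTABLES paths) and the nftables_usable helper are assumptions of this example. Like virFindFileInPath(), `command -v` only proves a binary exists, which is why the last function actually asks the kernel for its ruleset.

```shell
#!/bin/sh
# Added example, not libvirt code: predict which firewall backend the
# libvirt network driver will use after this patch.
#   1. an explicit, uncommented firewall_backend in network.conf wins;
#   2. otherwise prefer nft, then iptables (the order this patch sets);
#   3. if neither binary is found, report "unset".
# Assumptions made here (not in the patch): the conf path is $1, and the
# NFT / IPTABLES environment variables may override the binary names,
# standing in for libvirt's configure-time NFT and IPTABLES paths.

# configured_backend CONF: print the explicit value, or nothing if unset.
# Comments are stripped first so the shipped "#firewall_backend = ..."
# example line does not count as a setting.
configured_backend() {
    [ -r "$1" ] || return 0
    sed -e 's/#.*$//' "$1" \
      | grep '^[[:space:]]*firewall_backend[[:space:]]*=' \
      | head -n 1 \
      | cut -d= -f2 \
      | tr -d "[:space:]\"'"
}

# autodetect_backend: same preference order as the patched
# virNetworkLoadDriverConfig(); command -v, like virFindFileInPath(),
# only checks that an executable exists, not that it works.
autodetect_backend() {
    if command -v "${NFT:-nft}" >/dev/null 2>&1; then
        echo nftables
    elif command -v "${IPTABLES:-iptables}" >/dev/null 2>&1; then
        echo iptables
    else
        echo unset
    fi
}

# pick_firewall_backend CONF: explicit setting if present, else autodetect.
pick_firewall_backend() {
    backend=$(configured_backend "$1")
    if [ -n "$backend" ]; then
        echo "$backend"
    else
        autodetect_backend
    fi
}

# nftables_usable: a binary in PATH is not proof the kernel speaks
# nf_tables; ask it to dump the ruleset (needs root / CAP_NET_ADMIN).
nftables_usable() {
    command -v "${NFT:-nft}" >/dev/null 2>&1 \
      && "${NFT:-nft}" list ruleset >/dev/null 2>&1
}

# Usage: pick_firewall_backend /etc/libvirt/network.conf
```

Run it as root on a host with both tools installed and compare the answer with what `nft list ruleset` or `iptables -S` actually shows once a libvirt network is started; a mismatch means the daemon was configured explicitly or the nft binary was present but unusable.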