[PATCH v4 29/30] network: rename chains used by network driver nftables backend

Posted by Laine Stump 1 year, 7 months ago
Because the chains added by the network driver nftables backend will
go into a table used only by libvirt, we don't need to have "libvirt"
in the chain names. Instead, we can make them more descriptive and
less abrasive (by using lower case, and using full words rather than
abbreviations).

Also (again because nobody else is using the private "libvirt_network"
table) we can directly put our rules into the input ("guest_to_host"),
output ("host_to_guest"), and postrouting ("guest_nat") chains rather
than creating a subordinate chain as done in the iptables backend.

Signed-off-by: Laine Stump <laine@redhat.com>
---
 src/network/network_nftables.c                | 30 ++++-----
 .../nat-default-linux.nftables                | 36 +++++-----
 .../nat-ipv6-linux.nftables                   | 58 ++++++++--------
 .../nat-ipv6-masquerade-linux.nftables        | 66 +++++++++----------
 .../nat-many-ips-linux.nftables               | 64 +++++++++---------
 .../nat-no-dhcp-linux.nftables                | 58 ++++++++--------
 .../nat-tftp-linux.nftables                   | 40 +++++------
 .../route-default-linux.nftables              | 26 ++++----
 8 files changed, 188 insertions(+), 190 deletions(-)

diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c
index ec9194a8b8..fd0d0f82dc 100644
--- a/src/network/network_nftables.c
+++ b/src/network/network_nftables.c
@@ -40,12 +40,13 @@ VIR_LOG_INIT("network.nftables");
 
 #define VIR_FROM_THIS VIR_FROM_NONE
 
-#define VIR_NFTABLES_INPUT_CHAIN "LIBVIRT_INP"
-#define VIR_NFTABLES_OUTPUT_CHAIN "LIBVIRT_OUT"
-#define VIR_NFTABLES_FWD_IN_CHAIN "LIBVIRT_FWI"
-#define VIR_NFTABLES_FWD_OUT_CHAIN "LIBVIRT_FWO"
-#define VIR_NFTABLES_FWD_X_CHAIN "LIBVIRT_FWX"
-#define VIR_NFTABLES_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT"
+#define VIR_NFTABLES_INPUT_CHAIN "guest_to_host"
+#define VIR_NFTABLES_OUTPUT_CHAIN "host_to_guest"
+#define VIR_NFTABLES_FORWARD_CHAIN "forward"
+#define VIR_NFTABLES_FWD_IN_CHAIN "guest_input"
+#define VIR_NFTABLES_FWD_OUT_CHAIN "guest_output"
+#define VIR_NFTABLES_FWD_X_CHAIN "guest_cross"
+#define VIR_NFTABLES_NAT_POSTROUTE_CHAIN "guest_nat"
 
 /* we must avoid using the standard "filter" table as used by
  * iptables, as any subsequent attempts to use iptables commands will
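Review bot: With the rename, the VIR_NFTABLES_*_CHAIN defines no longer show which names are base chains hooked into the kernel and which are regular chains reached by a jump, a distinction the old uppercase INPUT/FORWARD/OUTPUT versus LIBVIRT_* split made visible at a glance. A short comment grouping the defines would carry that: `/* base chains, hooked directly into input/output/forward/postrouting; rules are added to these directly */` above INPUT_CHAIN, OUTPUT_CHAIN, FORWARD_CHAIN and NAT_POSTROUTE_CHAIN, and `/* regular chains, jumped to from VIR_NFTABLES_FORWARD_CHAIN */` above the three FWD_* defines. The nftablesChains table that fixes those roles sits below this hunk, and the table/filter comment that begins on the last context line continues past it.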
@@ -87,18 +88,15 @@ typedef struct {
 
 nftablesGlobalChain nftablesChains[] = {
     /* chains for filter rules */
-    {NULL, "INPUT", "{ type filter hook input priority 0; policy accept; }"},
-    {NULL, "FORWARD", "{ type filter hook forward priority 0; policy accept; }"},
-    {NULL, "OUTPUT", "{ type filter hook output priority 0; policy accept; }"},
-    {"INPUT", VIR_NFTABLES_INPUT_CHAIN, NULL},
-    {"OUTPUT", VIR_NFTABLES_OUTPUT_CHAIN, NULL},
-    {"FORWARD", VIR_NFTABLES_FWD_OUT_CHAIN, NULL},
-    {"FORWARD", VIR_NFTABLES_FWD_IN_CHAIN, NULL},
-    {"FORWARD", VIR_NFTABLES_FWD_X_CHAIN, NULL},
+    {NULL, VIR_NFTABLES_INPUT_CHAIN, "{ type filter hook input priority 0; policy accept; }"},
+    {NULL, VIR_NFTABLES_FORWARD_CHAIN, "{ type filter hook forward priority 0; policy accept; }"},
+    {NULL, VIR_NFTABLES_OUTPUT_CHAIN, "{ type filter hook output priority 0; policy accept; }"},
+    {"forward", VIR_NFTABLES_FWD_OUT_CHAIN, NULL},
+    {"forward", VIR_NFTABLES_FWD_IN_CHAIN, NULL},
+    {"forward", VIR_NFTABLES_FWD_X_CHAIN, NULL},
 
     /* chains for NAT rules */
-    {NULL, "POSTROUTING", "{ type nat hook postrouting priority 100; policy accept; }"},
-    {"POSTROUTING",  VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL},
+    {NULL, "guest_nat", "{ type nat hook postrouting priority 100; policy accept; }"},
 };
 
 
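Review bot: The chain specifications on the three new filter base-chain lines and on the guest_nat line give the hook priority as a bare number (`priority 0`, `priority 100`), so a reader has to know the netfilter priority table to see that these are the standard filter and source-NAT slots. nft accepts the standard symbolic names for exactly those values, e.g. `"{ type filter hook input priority filter; policy accept; }"` and `"{ type nat hook postrouting priority srcnat; policy accept; }"`, which would state the intent in the string itself. This assumes the oldest nft version libvirt supports accepts symbolic priorities, and that nothing elsewhere parses these strings back; I cannot confirm either from this hunk, so treat it as a readability suggestion only.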
diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tests/networkxml2firewalldata/nat-default-linux.nftables
index 92b3dd7fc0..8b6e0ba406 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-default-linux.nftables
@@ -3,7 +3,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 tcp \
@@ -16,7 +16,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 udp \
@@ -29,7 +29,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 tcp \
@@ -42,7 +42,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 udp \
@@ -55,7 +55,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 tcp \
@@ -68,7 +68,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 udp \
@@ -81,7 +81,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 tcp \
@@ -94,7 +94,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 udp \
@@ -107,7 +107,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWO \
+guest_output \
 iifname \
 virbr0 \
 counter \
@@ -117,7 +117,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWI \
+guest_input \
 oifname \
 virbr0 \
 counter \
@@ -127,7 +127,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
 iifname \
 virbr0 \
 oifname \
@@ -139,7 +139,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWO \
+guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
@@ -152,7 +152,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWI \
+guest_input \
 oifname \
 virbr0 \
 ip \
@@ -168,7 +168,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.122.0/24 \
@@ -183,7 +183,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 meta \
 l4proto \
 udp \
@@ -203,7 +203,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 meta \
 l4proto \
 tcp \
@@ -223,7 +223,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.122.0/24 \
@@ -237,7 +237,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.122.0/24 \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
index f8317415cf..03fb7397cd 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
@@ -3,7 +3,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 tcp \
@@ -16,7 +16,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 udp \
@@ -29,7 +29,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 tcp \
@@ -42,7 +42,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 udp \
@@ -55,7 +55,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 tcp \
@@ -68,7 +68,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 udp \
@@ -81,7 +81,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 tcp \
@@ -94,7 +94,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 udp \
@@ -107,7 +107,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWO \
+guest_output \
 iifname \
 virbr0 \
 counter \
@@ -117,7 +117,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWI \
+guest_input \
 oifname \
 virbr0 \
 counter \
@@ -127,7 +127,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
 iifname \
 virbr0 \
 oifname \
@@ -139,7 +139,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_FWO \
+guest_output \
 iifname \
 virbr0 \
 counter \
@@ -149,7 +149,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_FWI \
+guest_input \
 oifname \
 virbr0 \
 counter \
@@ -159,7 +159,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
 iifname \
 virbr0 \
 oifname \
@@ -171,7 +171,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 tcp \
@@ -184,7 +184,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 udp \
@@ -197,7 +197,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 tcp \
@@ -210,7 +210,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 udp \
@@ -223,7 +223,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 udp \
@@ -236,7 +236,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 udp \
@@ -249,7 +249,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWO \
+guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
@@ -262,7 +262,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWI \
+guest_input \
 oifname \
 virbr0 \
 ip \
@@ -278,7 +278,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.122.0/24 \
@@ -293,7 +293,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 meta \
 l4proto \
 udp \
@@ -313,7 +313,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 meta \
 l4proto \
 tcp \
@@ -333,7 +333,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.122.0/24 \
@@ -347,7 +347,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.122.0/24 \
@@ -361,7 +361,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_FWO \
+guest_output \
 ip6 \
 saddr \
 2001:db8:ca2:2::/64 \
@@ -374,7 +374,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_FWI \
+guest_input \
 ip6 \
 daddr \
 2001:db8:ca2:2::/64 \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
index a15b38478b..012a3d5d47 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
@@ -3,7 +3,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 tcp \
@@ -16,7 +16,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 udp \
@@ -29,7 +29,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 tcp \
@@ -42,7 +42,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 udp \
@@ -55,7 +55,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 tcp \
@@ -68,7 +68,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 udp \
@@ -81,7 +81,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 tcp \
@@ -94,7 +94,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 udp \
@@ -107,7 +107,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWO \
+guest_output \
 iifname \
 virbr0 \
 counter \
@@ -117,7 +117,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWI \
+guest_input \
 oifname \
 virbr0 \
 counter \
@@ -127,7 +127,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
 iifname \
 virbr0 \
 oifname \
@@ -139,7 +139,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_FWO \
+guest_output \
 iifname \
 virbr0 \
 counter \
@@ -149,7 +149,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_FWI \
+guest_input \
 oifname \
 virbr0 \
 counter \
@@ -159,7 +159,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
 iifname \
 virbr0 \
 oifname \
@@ -171,7 +171,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 tcp \
@@ -184,7 +184,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 udp \
@@ -197,7 +197,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 tcp \
@@ -210,7 +210,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 udp \
@@ -223,7 +223,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 udp \
@@ -236,7 +236,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 udp \
@@ -249,7 +249,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWO \
+guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
@@ -262,7 +262,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWI \
+guest_input \
 oifname \
 virbr0 \
 ip \
@@ -278,7 +278,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.122.0/24 \
@@ -293,7 +293,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 meta \
 l4proto \
 udp \
@@ -313,7 +313,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 meta \
 l4proto \
 tcp \
@@ -333,7 +333,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.122.0/24 \
@@ -347,7 +347,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.122.0/24 \
@@ -361,7 +361,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_FWO \
+guest_output \
 ip6 \
 saddr \
 2001:db8:ca2:2::/64 \
@@ -374,7 +374,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_FWI \
+guest_input \
 oifname \
 virbr0 \
 ip6 \
@@ -390,7 +390,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip6 \
 saddr \
 2001:db8:ca2:2::/64 \
@@ -405,7 +405,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 meta \
 l4proto \
 udp \
@@ -425,7 +425,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 meta \
 l4proto \
 tcp \
@@ -445,7 +445,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip6 \
 saddr \
 2001:db8:ca2:2::/64 \
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
index bd88ec9d83..029274ea06 100644
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
@@ -3,7 +3,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 tcp \
@@ -16,7 +16,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 udp \
@@ -29,7 +29,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 tcp \
@@ -42,7 +42,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 udp \
@@ -55,7 +55,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 tcp \
@@ -68,7 +68,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 udp \
@@ -81,7 +81,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 tcp \
@@ -94,7 +94,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 udp \
@@ -107,7 +107,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWO \
+guest_output \
 iifname \
 virbr0 \
 counter \
@@ -117,7 +117,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWI \
+guest_input \
 oifname \
 virbr0 \
 counter \
@@ -127,7 +127,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
 iifname \
 virbr0 \
 oifname \
@@ -139,7 +139,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWO \
+guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
@@ -152,7 +152,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWI \
+guest_input \
 oifname \
 virbr0 \
 ip \
@@ -168,7 +168,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.122.0/24 \
@@ -183,7 +183,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 meta \
 l4proto \
 udp \
@@ -203,7 +203,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 meta \
 l4proto \
 tcp \
@@ -223,7 +223,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.122.0/24 \
@@ -237,7 +237,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.122.0/24 \
@@ -251,7 +251,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWO \
+guest_output \
 ip \
 saddr \
 192.168.128.0/24 \
@@ -264,7 +264,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWI \
+guest_input \
 oifname \
 virbr0 \
 ip \
@@ -280,7 +280,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.128.0/24 \
@@ -295,7 +295,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 meta \
 l4proto \
 udp \
@@ -315,7 +315,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 meta \
 l4proto \
 tcp \
@@ -335,7 +335,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.128.0/24 \
@@ -349,7 +349,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.128.0/24 \
@@ -363,7 +363,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWO \
+guest_output \
 ip \
 saddr \
 192.168.150.0/24 \
@@ -376,7 +376,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWI \
+guest_input \
 oifname \
 virbr0 \
 ip \
@@ -392,7 +392,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.150.0/24 \
@@ -407,7 +407,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 meta \
 l4proto \
 udp \
@@ -427,7 +427,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 meta \
 l4proto \
 tcp \
@@ -447,7 +447,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.150.0/24 \
@@ -461,7 +461,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.150.0/24 \
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
index f8317415cf..03fb7397cd 100644
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
@@ -3,7 +3,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 tcp \
@@ -16,7 +16,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 udp \
@@ -29,7 +29,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 tcp \
@@ -42,7 +42,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 udp \
@@ -55,7 +55,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 tcp \
@@ -68,7 +68,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 udp \
@@ -81,7 +81,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 tcp \
@@ -94,7 +94,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 udp \
@@ -107,7 +107,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWO \
+guest_output \
 iifname \
 virbr0 \
 counter \
@@ -117,7 +117,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWI \
+guest_input \
 oifname \
 virbr0 \
 counter \
@@ -127,7 +127,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
 iifname \
 virbr0 \
 oifname \
@@ -139,7 +139,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_FWO \
+guest_output \
 iifname \
 virbr0 \
 counter \
@@ -149,7 +149,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_FWI \
+guest_input \
 oifname \
 virbr0 \
 counter \
@@ -159,7 +159,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
 iifname \
 virbr0 \
 oifname \
@@ -171,7 +171,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 tcp \
@@ -184,7 +184,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 udp \
@@ -197,7 +197,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 tcp \
@@ -210,7 +210,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 udp \
@@ -223,7 +223,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 udp \
@@ -236,7 +236,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 udp \
@@ -249,7 +249,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWO \
+guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
@@ -262,7 +262,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWI \
+guest_input \
 oifname \
 virbr0 \
 ip \
@@ -278,7 +278,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.122.0/24 \
@@ -293,7 +293,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 meta \
 l4proto \
 udp \
@@ -313,7 +313,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 meta \
 l4proto \
 tcp \
@@ -333,7 +333,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.122.0/24 \
@@ -347,7 +347,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.122.0/24 \
@@ -361,7 +361,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_FWO \
+guest_output \
 ip6 \
 saddr \
 2001:db8:ca2:2::/64 \
@@ -374,7 +374,7 @@ nft \
 rule \
 ip6 \
 libvirt_network \
-LIBVIRT_FWI \
+guest_input \
 ip6 \
 daddr \
 2001:db8:ca2:2::/64 \
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
index a25935b831..dd84468ad6 100644
--- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
@@ -3,7 +3,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 tcp \
@@ -16,7 +16,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 udp \
@@ -29,7 +29,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 tcp \
@@ -42,7 +42,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 udp \
@@ -55,7 +55,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 tcp \
@@ -68,7 +68,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 udp \
@@ -81,7 +81,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 tcp \
@@ -94,7 +94,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 udp \
@@ -107,7 +107,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 udp \
@@ -120,7 +120,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 udp \
@@ -133,7 +133,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWO \
+guest_output \
 iifname \
 virbr0 \
 counter \
@@ -143,7 +143,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWI \
+guest_input \
 oifname \
 virbr0 \
 counter \
@@ -153,7 +153,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
 iifname \
 virbr0 \
 oifname \
@@ -165,7 +165,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWO \
+guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
@@ -178,7 +178,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWI \
+guest_input \
 oifname \
 virbr0 \
 ip \
@@ -194,7 +194,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.122.0/24 \
@@ -209,7 +209,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 meta \
 l4proto \
 udp \
@@ -229,7 +229,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 meta \
 l4proto \
 tcp \
@@ -249,7 +249,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.122.0/24 \
@@ -263,7 +263,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_PRT \
+guest_nat \
 ip \
 saddr \
 192.168.122.0/24 \
diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/tests/networkxml2firewalldata/route-default-linux.nftables
index 2337d50baf..c1cc8f05b1 100644
--- a/tests/networkxml2firewalldata/route-default-linux.nftables
+++ b/tests/networkxml2firewalldata/route-default-linux.nftables
@@ -3,7 +3,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 tcp \
@@ -16,7 +16,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 udp \
@@ -29,7 +29,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 tcp \
@@ -42,7 +42,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 udp \
@@ -55,7 +55,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 tcp \
@@ -68,7 +68,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_INP \
+guest_to_host \
 iifname \
 virbr0 \
 udp \
@@ -81,7 +81,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 tcp \
@@ -94,7 +94,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_OUT \
+host_to_guest \
 oifname \
 virbr0 \
 udp \
@@ -107,7 +107,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWO \
+guest_output \
 iifname \
 virbr0 \
 counter \
@@ -117,7 +117,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWI \
+guest_input \
 oifname \
 virbr0 \
 counter \
@@ -127,7 +127,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWX \
+guest_cross \
 iifname \
 virbr0 \
 oifname \
@@ -139,7 +139,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWO \
+guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
@@ -152,7 +152,7 @@ nft \
 rule \
 ip \
 libvirt_network \
-LIBVIRT_FWI \
+guest_input \
 ip \
 daddr \
 192.168.122.0/24 \
-- 
2.44.0
Re: [PATCH v4 29/30] network: rename chains used by network driver nftables backend
Posted by Daniel P. Berrangé 1 year, 7 months ago
On Tue, Apr 30, 2024 at 01:44:18PM -0400, Laine Stump wrote:
> Because the chains added by the network driver nftables backend will
> go into a table used only by libvirt, we don't need to have "libvirt"
> in the chain names. Instead, we can make them more descriptive and
> less abrasive (by using lower case, and using full words rather than
> abbreviations).
> 
> Also (again because nobody else is using the private "libvirt_network"
> table) we can directly put our rules into the input ("guest_to_host"),
> output ("host_to_guest"), and postrouting ("guest_nat") chains rather
> than creating a subordinate chain as done in the iptables backend.
> 
> Signed-off-by: Laine Stump <laine@redhat.com>
> ---
>  src/network/network_nftables.c                | 30 ++++-----
>  .../nat-default-linux.nftables                | 36 +++++-----
>  .../nat-ipv6-linux.nftables                   | 58 ++++++++--------
>  .../nat-ipv6-masquerade-linux.nftables        | 66 +++++++++----------
>  .../nat-many-ips-linux.nftables               | 64 +++++++++---------
>  .../nat-no-dhcp-linux.nftables                | 58 ++++++++--------
>  .../nat-tftp-linux.nftables                   | 40 +++++------
>  .../route-default-linux.nftables              | 26 ++++----
>  8 files changed, 188 insertions(+), 190 deletions(-)
> 
> diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c
> index ec9194a8b8..fd0d0f82dc 100644
> --- a/src/network/network_nftables.c
> +++ b/src/network/network_nftables.c
> @@ -40,12 +40,13 @@ VIR_LOG_INIT("network.nftables");
>  
>  #define VIR_FROM_THIS VIR_FROM_NONE
>  
> -#define VIR_NFTABLES_INPUT_CHAIN "LIBVIRT_INP"
> -#define VIR_NFTABLES_OUTPUT_CHAIN "LIBVIRT_OUT"
> -#define VIR_NFTABLES_FWD_IN_CHAIN "LIBVIRT_FWI"
> -#define VIR_NFTABLES_FWD_OUT_CHAIN "LIBVIRT_FWO"
> -#define VIR_NFTABLES_FWD_X_CHAIN "LIBVIRT_FWX"
> -#define VIR_NFTABLES_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT"
> +#define VIR_NFTABLES_INPUT_CHAIN "guest_to_host"
> +#define VIR_NFTABLES_OUTPUT_CHAIN "host_to_guest"
> +#define VIR_NFTABLES_FORWARD_CHAIN "forward"
> +#define VIR_NFTABLES_FWD_IN_CHAIN "guest_input"
> +#define VIR_NFTABLES_FWD_OUT_CHAIN "guest_output"
> +#define VIR_NFTABLES_FWD_X_CHAIN "guest_cross"
> +#define VIR_NFTABLES_NAT_POSTROUTE_CHAIN "guest_nat"
>  
>  /* we must avoid using the standard "filter" table as used by
>   * iptables, as any subsequent attempts to use iptables commands will
> @@ -87,18 +88,15 @@ typedef struct {
>  
>  nftablesGlobalChain nftablesChains[] = {
>      /* chains for filter rules */
> -    {NULL, "INPUT", "{ type filter hook input priority 0; policy accept; }"},
> -    {NULL, "FORWARD", "{ type filter hook forward priority 0; policy accept; }"},
> -    {NULL, "OUTPUT", "{ type filter hook output priority 0; policy accept; }"},
> -    {"INPUT", VIR_NFTABLES_INPUT_CHAIN, NULL},
> -    {"OUTPUT", VIR_NFTABLES_OUTPUT_CHAIN, NULL},
> -    {"FORWARD", VIR_NFTABLES_FWD_OUT_CHAIN, NULL},
> -    {"FORWARD", VIR_NFTABLES_FWD_IN_CHAIN, NULL},
> -    {"FORWARD", VIR_NFTABLES_FWD_X_CHAIN, NULL},
> +    {NULL, VIR_NFTABLES_INPUT_CHAIN, "{ type filter hook input priority 0; policy accept; }"},
> +    {NULL, VIR_NFTABLES_FORWARD_CHAIN, "{ type filter hook forward priority 0; policy accept; }"},
> +    {NULL, VIR_NFTABLES_OUTPUT_CHAIN, "{ type filter hook output priority 0; policy accept; }"},
> +    {"forward", VIR_NFTABLES_FWD_OUT_CHAIN, NULL},
> +    {"forward", VIR_NFTABLES_FWD_IN_CHAIN, NULL},
> +    {"forward", VIR_NFTABLES_FWD_X_CHAIN, NULL},

The first arg should use the constant VIR_NFTABLES_FORWARD_CHAIN in these
three lines

>  
>      /* chains for NAT rules */
> -    {NULL, "POSTROUTING", "{ type nat hook postrouting priority 100; policy accept; }"},
> -    {"POSTROUTING",  VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL},
> +    {NULL, "guest_nat", "{ type nat hook postrouting priority 100; policy accept; }"},


The second line should use the constant VIR_NFTABLES_NAT_POSTROUTE_CHAIN


With those changed

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|