From: Laine Stump
To: devel@lists.libvirt.org
Subject: [PATCH v4 26/30] network: prefer the nftables backend over iptables
Date: Tue, 30 Apr 2024 13:44:15 -0400
Message-ID: <20240430174420.371179-27-laine@redhat.com>
In-Reply-To: <20240430174420.371179-1-laine@redhat.com>
References: <20240430174420.371179-1-laine@redhat.com>

The patch that added the nftables backend for virtual networks left iptables as the default backend when both nftables and iptables are installed. The only functional difference between the two backends is that the nftables backend doesn't add any rules to fix up the checksum of DHCP packets, which will cause failures on guests with very old OSes (e.g. RHEL5) that have a virtio-net network interface using vhost packet processing (the default), connected to a libvirt virtual network, and configured to acquire the interface IP using DHCP. Since RHEL5 has been out of support for several years already, we might as well start off nftables support right by making it the default.

Distros that aren't quite ready to default to nftables (e.g. maybe they're rebasing libvirt within a release and don't want to surprise anyone with an automatic switch from iptables to nftables) can simply run meson with "-Dfirewall_backend=iptables" during their official package build. In the extremely unlikely case that this causes a problem for a user, they can work around the failure by adding " to the guest element.

Signed-off-by: Laine Stump
---
 meson_options.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meson_options.txt b/meson_options.txt index 367629f5dc..b68bd52477 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -98,7 +98,7 @@ option('chrdev_lock_files', type: 'string', value: '', de= scription: 'location fo option('dtrace', type: 'feature', value: 'auto', description: 'use dtrace = for static probing') option('firewalld', type: 'feature', value: 'auto', description: 'firewall= d support') option('firewalld_zone', type: 'feature', value: 'auto', description: 'whe= ther to install firewalld libvirt zone') -option('firewall_backend', type: 'string', value: 'iptables', description:= 'which firewall backend to use by default when none is specified') +option('firewall_backend', type: 'string', value: 'nftables', description:= 'which firewall backend to use by default when none is specified') option('host_validate', type: 'feature', value: 'auto', description: 'buil= d virt-host-validate') option('init_script', type: 'combo', choices: ['systemd', 'openrc', 'check= ', 'none'], value: 'check', description: 'Style of init script to install') option('loader_nvram', type: 'string', value: '', description: 'Pass list = of pairs of : paths. Both pairs and list items are separated= by a colon.') --=20 2.44.0
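
Review bot: the changed `firewall_backend` line keeps `type: 'string'`, so nothing in this file rejects a mistyped backend name passed as -Dfirewall_backend, and the commit message now tells distros to pass exactly that override. Consider `type: 'combo', choices: ['nftables', 'iptables']`, the form `init_script` uses two lines below, so that an invalid value fails the meson run instead of surfacing later as a host whose virtual networks get no firewall rules from the backend the packager intended. The description on the `+` line could also name the two accepted values and mention that the nftables backend omits the DHCP checksum fixup, since the commit message gives that as the only functional difference and it is what a packager reading meson_options.txt needs in order to choose.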