V4: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/HX3RDEIQYJ6IOS2TDQANFKCKAXJMKCJN/#HX3RDEIQYJ6IOS2TDQANFKCKAXJMKCJN
V3: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/HOCDIMI3SHS6UFFZJUAXUE6VLXE6SVHV/
V2: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/5RTZ6PC3N3CO6X353QUHLVOL43SWQ4JD/
This patch series enables libvirt to use nftables rules rather than
iptables *when setting up virtual networks* (it does *not* add
nftables support to the nwfilter driver).
Changes from V4:
* changed the way that default firewall backends are specified in
meson_options.txt/on the meson commandline - instead of using a
#defined constant string, there are now one of these for each
backend that should be tried when none is specified:
#define FIREWALL_BACKEND_DEFAULT_n VIR_FIREWALL_BACKEND_xyzzy
The "n" will be 1-[number of backends], and the code will try each
in ascending order to see if it is usable.
* properly handle the case where network.conf doesn't exist (from
Patch 12/30 in V3)
* In RPM specfile, Require: nftables for Fedora >= 41 /RHEL >= 10,
while continuining to Require: iptables for anything else
(specifically older RHEL/Fedora)
* use VIR_NFTABLES_FORWARD_CHAIN instead of hardcoded "forward" in
array of chains needed for the nftable backend.
The patches that haven't yet gotten an R-B (and/or were changed enough
from V3 to warrant removing the R-B):
12 - network: support setting firewallBackend from network.conf
17 - util: add name attribute to virFirewall (so that the
element in the status XML is appropriately identifiable)
18 - util: new function virFirewallNewFromRollback()
19 - util: new functions virFirewallParseXML() and virFirewallFormat()
24 - network: add an nftables backend for network driver's firewall construction
26: network: prefer the nftables backend over iptables
(I didn't remove the R-B for patch 27 ("require nftables rather than
iptables for newer RHEl/Fedora") for example, because the change is
very small, and was exactly copy-pasted from Daniel's suggestion).
Changes from V3:
* Fixed a bug (newly added in V3) that resulted in the firewall name
attribute not being added to the XML.
* renamed the table to "libvirt_network"
* renamed the chains to be more descriptive, and lower case rather
than all caps.
* eliminated all the guest->host and host->guest rules since they are
redundant in nftables.
Laine Stump (30):
util/network: move viriptables.[ch] from util to network directory
network: move all functions manipulating iptables rules into
network_iptables.c
network: make all iptables functions used only in network_iptables.c
static
util: #define the names used for private packet filter chains
util: change name of virFirewallRule to virFirewallCmd
util: rename virNetFilterAction to iptablesAction, and add
VIR_ENUM_DECL/IMPL
util: check for 0 args when applying iptables rule
util: add -w/--concurrent when applying a FirewallCmd rather than when
building it
util: determine ignoreErrors value when creating virFirewallCmd, not
when applying
util/network: new virFirewallBackend enum
network: add (empty) network.conf file to distribution files
network: support setting firewallBackend from network.conf
network: framework to call backend-specific function to init private
filter chains
util: new functions to support adding individual firewall rollback
commands
util: implement rollback rule autocreation for iptables commands
network: turn on auto-rollback for the rules added for virtual
networks
util: add name attribute to virFirewall
util: new function virFirewallNewFromRollback()
util: new functions virFirewallParseXML() and virFirewallFormat()
conf: add a virFirewall object to virNetworkObj
network: use previously saved list of firewall removal commands
network: save network status when firewall rules are reloaded
meson: stop looking for iptables/ip6tables/ebtables at build time
network: add an nftables backend for network driver's firewall
construction
tests: test cases for nftables backend
network: prefer the nftables backend over iptables
spec: require nftables rather than iptables for newer RHEL/Fedora
network: name the nftables table "libvirt_network" rather than
"libvirt"
network: rename chains used by network driver nftables backend
network: eliminate pointless host input/output rules from nftables
backend
libvirt.spec.in | 9 +-
meson.build | 12 +-
meson_options.txt | 2 +
po/POTFILES | 3 +-
src/conf/virnetworkobj.c | 41 +
src/conf/virnetworkobj.h | 8 +
src/libvirt_private.syms | 58 +-
src/network/bridge_driver.c | 39 +-
src/network/bridge_driver_conf.c | 86 +-
src/network/bridge_driver_conf.h | 3 +
src/network/bridge_driver_linux.c | 630 +------
src/network/bridge_driver_nop.c | 6 +-
src/network/bridge_driver_platform.h | 6 +-
src/network/libvirtd_network.aug | 39 +
src/network/meson.build | 36 +
src/network/network.conf.in | 28 +
src/network/network_iptables.c | 1677 +++++++++++++++++
src/network/network_iptables.h | 30 +
src/network/network_nftables.c | 968 ++++++++++
src/network/network_nftables.h | 28 +
src/network/test_libvirtd_network.aug.in | 5 +
src/nwfilter/nwfilter_ebiptables_driver.c | 1004 +++++-----
src/util/meson.build | 1 -
src/util/virebtables.c | 36 +-
src/util/virfirewall.c | 820 ++++++--
src/util/virfirewall.h | 87 +-
src/util/viriptables.c | 1072 -----------
src/util/viriptables.h | 155 --
.../{base.args => base.iptables} | 0
tests/networkxml2firewalldata/base.nftables | 256 +++
...-linux.args => nat-default-linux.iptables} | 0
.../nat-default-linux.nftables | 144 ++
...pv6-linux.args => nat-ipv6-linux.iptables} | 0
.../nat-ipv6-linux.nftables | 202 ++
...rgs => nat-ipv6-masquerade-linux.iptables} | 0
.../nat-ipv6-masquerade-linux.nftables | 274 +++
...linux.args => nat-many-ips-linux.iptables} | 0
.../nat-many-ips-linux.nftables | 368 ++++
...-linux.args => nat-no-dhcp-linux.iptables} | 0
.../nat-no-dhcp-linux.nftables | 202 ++
...ftp-linux.args => nat-tftp-linux.iptables} | 0
.../nat-tftp-linux.nftables | 144 ++
...inux.args => route-default-linux.iptables} | 0
.../route-default-linux.nftables | 58 +
tests/networkxml2firewalltest.c | 56 +-
tests/virfirewalltest.c | 424 ++---
46 files changed, 6258 insertions(+), 2759 deletions(-)
create mode 100644 src/network/libvirtd_network.aug
create mode 100644 src/network/network.conf.in
create mode 100644 src/network/network_iptables.c
create mode 100644 src/network/network_iptables.h
create mode 100644 src/network/network_nftables.c
create mode 100644 src/network/network_nftables.h
create mode 100644 src/network/test_libvirtd_network.aug.in
delete mode 100644 src/util/viriptables.c
delete mode 100644 src/util/viriptables.h
rename tests/networkxml2firewalldata/{base.args => base.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/base.nftables
rename tests/networkxml2firewalldata/{nat-default-linux.args => nat-default-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-default-linux.nftables
rename tests/networkxml2firewalldata/{nat-ipv6-linux.args => nat-ipv6-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.nftables
rename tests/networkxml2firewalldata/{nat-ipv6-masquerade-linux.args => nat-ipv6-masquerade-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
rename tests/networkxml2firewalldata/{nat-many-ips-linux.args => nat-many-ips-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.nftables
rename tests/networkxml2firewalldata/{nat-no-dhcp-linux.args => nat-no-dhcp-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
rename tests/networkxml2firewalldata/{nat-tftp-linux.args => nat-tftp-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.nftables
rename tests/networkxml2firewalldata/{route-default-linux.args => route-default-linux.iptables} (100%)
create mode 100644 tests/networkxml2firewalldata/route-default-linux.nftables
--
2.45.0