From: Laine Stump <laine@redhat.com>
To: devel@lists.libvirt.org
Subject: [PATCH v5 26/30] network: prefer the nftables backend over iptables
Date: Fri, 17 May 2024 13:30:03 -0400
Message-ID: <20240517173007.8125-27-laine@redhat.com>
In-Reply-To: <20240517173007.8125-1-laine@redhat.com>
References: <20240517173007.8125-1-laine@redhat.com>
List-Id: Development discussions about the libvirt library & tools

The patch that added the nftables backend for virtual networks left iptables as the default backend when both nftables and iptables are installed. The only functional difference between the two backends is that the nftables backend doesn't add any rules to fix up the checksum of DHCP packets, which will cause failures on guests with very old OSes (e.g. RHEL5) that have a virtio-net network interface using vhost packet processing (the default), connected to a libvirt virtual network, and configured to acquire the interface IP using DHCP. Since RHEL5 has been out of support for several years already, we might as well start off nftables support right by making it the default.
Distros that aren't quite ready to default to nftables (e.g. maybe they're rebasing libvirt within a release and don't want to surprise anyone with an automatic switch from iptables to nftables) can simply run meson with "-Dfirewall_backend=iptables" during their official package build.

In the extremely unlikely case that this causes a problem for a user, they can work around the failure by adding " to the guest element.

Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
 meson_options.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meson_options.txt b/meson_options.txt
index cd2b9acc79..ad354a8668 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -115,8 +115,8 @@ option('dtrace', type: 'feature', value: 'auto', descri= ption: 'use dtrace for st option('firewalld', type: 'feature', value: 'auto', description: 'firewall= d support') # dep:firewalld option('firewalld_zone', type: 'feature', value: 'auto', description: 'whe= ther to install firewalld libvirt zone') -option('firewall_backend_default_1', type: 'string', value: 'iptables', de= scription: 'first firewall backend to try when none is specified') -option('firewall_backend_default_2', type: 'string', value: 'nftables', de= scription: 'second firewall backend to try when none is specified (and firs= t is unavailable)') +option('firewall_backend_default_1', type: 'string', value: 'nftables', de= scription: 'first firewall backend to try when none is specified') +option('firewall_backend_default_2', type: 'string', value: 'iptables', de= scription: 'second firewall backend to try when none is specified (and firs= t is unavailable)') option('host_validate', type: 'feature', value: 'auto', description: 'buil= d virt-host-validate') option('init_script', type: 'combo', choices: ['systemd', 'openrc', 'check= ', 'none'], value: 'check', description: 'Style of init script to install') option('loader_nvram', type: 'string', value: '', description: 'Pass list = of pairs of : paths. Both pairs and list items are separated= by a colon.') --=20 2.45.0
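Review bot: the two firewall_backend_default_* options in this hunk keep `type: 'string'`, so a misspelled value such as `-Dfirewall_backend_default_1=nftable` is accepted at configure time and only surfaces as a failure when the network driver tries to load the backend; since the only valid values are nftables and iptables, consider `type: 'combo', choices: ['nftables', 'iptables']` with `value: 'nftables'` (and the reverse order for the second option), the same shape the neighbouring `init_script` option already uses, so meson rejects bad values up front. Separately, the commit message tells packagers to pass "-Dfirewall_backend=iptables", but the options being swapped here are firewall_backend_default_1 and firewall_backend_default_2; meson rejects option names that are not declared in meson_options.txt, so the message should name the real option (`-Dfirewall_backend_default_1=iptables -Dfirewall_backend_default_2=nftables`) or the option should be renamed to match.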