[PATCH v4 00/30] [PATCH v3 00/27] native support for nftables in virtual network driver

Tuesday, 30 April 2024

V3:
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/HO...
V2:
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/5R...

This patch series enables libvirt to use nftables rules rather than
iptables *when setting up virtual networks* (it does *not* add
nftables support to the nwfilter driver).

Changes from V3:

* Fixed a bug (newly added in V3) that resulted in the firewall name
  attribute not being added to the XML.

* renamed the table to "libvirt_network" (new patch 28)

* renamed the chains to be more descriptive, and lower case rather
  than all caps. (new patch 29)

* eliminated all the guest->host and host->guest rules since they are
  redundant in nftables. (new patch 30)

Laine Stump (30):
  util/network: move viriptables.[ch] from util to network directory
  network: move all functions manipulating iptables rules into
    network_iptables.c
  network: make all iptables functions used only in network_iptables.c
    static
  util: #define the names used for private packet filter chains
  util: change name of virFirewallRule to virFirewallCmd
  util: rename virNetFilterAction to iptablesAction, and add
    VIR_ENUM_DECL/IMPL
  util: check for 0 args when applying iptables rule
  util: add -w/--concurrent when applying a FirewallCmd rather than when
    building it
  util: determine ignoreErrors value when creating virFirewallCmd, not
    when applying
  util/network: new virFirewallBackend enum
  network: add (empty) network.conf file to distribution files
  network: support setting firewallBackend from network.conf
  network: framework to call backend-specific function to init private
    filter chains
  util: new functions to support adding individual firewall rollback
    commands
  util: implement rollback rule autocreation for iptables commands
  network: turn on auto-rollback for the rules added for virtual
    networks
  util: add name attribute to virFirewall
  util: new function virFirewallNewFromRollback()
  util: new functions virFirewallParseXML() and virFirewallFormat()
  conf: add a virFirewall object to virNetworkObj
  network: use previously saved list of firewall removal commands
  network: save network status when firewall rules are reloaded
  meson: stop looking for iptables/ip6tables/ebtables at build time
  network: add an nftables backend for network driver's firewall
    construction
  tests: test cases for nftables backend
  network: prefer the nftables backend over iptables
  spec: require either iptables or nftables if network driver is
    installed
  network: name the nftables table "libvirt_network" rather than
    "libvirt"
  network: rename chains used by network driver nftables backend
  network: eliminate pointless host input/output rules from nftables
    backend

 libvirt.spec.in                               |    7 +-
 meson.build                                   |   10 +-
 meson_options.txt                             |    1 +
 po/POTFILES                                   |    3 +-
 src/conf/virnetworkobj.c                      |   41 +
 src/conf/virnetworkobj.h                      |    8 +
 src/libvirt_private.syms                      |   58 +-
 src/network/bridge_driver.c                   |   39 +-
 src/network/bridge_driver_conf.c              |   64 +
 src/network/bridge_driver_conf.h              |    3 +
 src/network/bridge_driver_linux.c             |  630 +------
 src/network/bridge_driver_nop.c               |    6 +-
 src/network/bridge_driver_platform.h          |    6 +-
 src/network/libvirtd_network.aug              |   39 +
 src/network/meson.build                       |   36 +
 src/network/network.conf.in                   |   28 +
 src/network/network_iptables.c                | 1677 +++++++++++++++++
 src/network/network_iptables.h                |   30 +
 src/network/network_nftables.c                |  968 ++++++++++
 src/network/network_nftables.h                |   28 +
 src/network/test_libvirtd_network.aug.in      |    5 +
 src/nwfilter/nwfilter_ebiptables_driver.c     | 1004 +++++-----
 src/util/meson.build                          |    1 -
 src/util/virebtables.c                        |   36 +-
 src/util/virfirewall.c                        |  820 ++++++--
 src/util/virfirewall.h                        |   87 +-
 src/util/viriptables.c                        | 1072 -----------
 src/util/viriptables.h                        |  155 --
 .../{base.args => base.iptables}              |    0
 tests/networkxml2firewalldata/base.nftables   |  256 +++
 ...-linux.args => nat-default-linux.iptables} |    0
 .../nat-default-linux.nftables                |  144 ++
 ...pv6-linux.args => nat-ipv6-linux.iptables} |    0
 .../nat-ipv6-linux.nftables                   |  202 ++
 ...rgs => nat-ipv6-masquerade-linux.iptables} |    0
 .../nat-ipv6-masquerade-linux.nftables        |  274 +++
 ...linux.args => nat-many-ips-linux.iptables} |    0
 .../nat-many-ips-linux.nftables               |  368 ++++
 ...-linux.args => nat-no-dhcp-linux.iptables} |    0
 .../nat-no-dhcp-linux.nftables                |  202 ++
 ...ftp-linux.args => nat-tftp-linux.iptables} |    0
 .../nat-tftp-linux.nftables                   |  144 ++
 ...inux.args => route-default-linux.iptables} |    0
 .../route-default-linux.nftables              |   58 +
 tests/networkxml2firewalltest.c               |   56 +-
 tests/virfirewalltest.c                       |  424 ++---
 46 files changed, 6239 insertions(+), 2751 deletions(-)
 create mode 100644 src/network/libvirtd_network.aug
 create mode 100644 src/network/network.conf.in
 create mode 100644 src/network/network_iptables.c
 create mode 100644 src/network/network_iptables.h
 create mode 100644 src/network/network_nftables.c
 create mode 100644 src/network/network_nftables.h
 create mode 100644 src/network/test_libvirtd_network.aug.in
 delete mode 100644 src/util/viriptables.c
 delete mode 100644 src/util/viriptables.h
 rename tests/networkxml2firewalldata/{base.args => base.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/base.nftables
 rename tests/networkxml2firewalldata/{nat-default-linux.args =>
nat-default-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/nat-default-linux.nftables
 rename tests/networkxml2firewalldata/{nat-ipv6-linux.args => nat-ipv6-linux.iptables}
(100%)
 create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.nftables
 rename tests/networkxml2firewalldata/{nat-ipv6-masquerade-linux.args =>
nat-ipv6-masquerade-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
 rename tests/networkxml2firewalldata/{nat-many-ips-linux.args =>
nat-many-ips-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.nftables
 rename tests/networkxml2firewalldata/{nat-no-dhcp-linux.args =>
nat-no-dhcp-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
 rename tests/networkxml2firewalldata/{nat-tftp-linux.args => nat-tftp-linux.iptables}
(100%)
 create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.nftables
 rename tests/networkxml2firewalldata/{route-default-linux.args =>
route-default-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/route-default-linux.nftables

-- 
2.44.0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

[PATCH v4 00/30] [PATCH v3 00/27] native support for nftables in virtual network driver