On Mon, Feb 16, 2026 at 11:42:36AM +0100, Dion Bosschieter wrote:
Unsupported nwfilter features (for now):
- STP filtering
- Gratuitous ARP filtering
- IPSets (potential future support via nft sets)
- Reject due to filtering in pre/postrouting, using drop instead of reject, copying logic from existing ebiptables ebtables actions
What are your thoughts on these gaps? The Gratuitous ARP gap triggers a warning in libvirt-tck tests. I don't think we need to block for these, as the new driver is already functional enough to be useful.
Future improvements:
- Use `nft -f` for atomic rule application.
- Optional single-table mode via nwfilter.conf.
- Optimize boot phase with chain hash comparison.
With regards,
Daniel
--
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|