On Thu, Feb 12, 2026 at 02:40:10PM +0100, Dion Bosschieter wrote:
On 2/12/26 13:54, Daniel P. Berrangé wrote:
On Tue, Feb 10, 2026 at 11:16:24AM +0100, Dion Bosschieter wrote:
This series aims to implement nftables as a backend driver for the nwfilter feature. The idea is that eventually it will replace the ebiptables driver and provide an easy way for users to switch from one driver to another.
The first 2 patches are moving of functions and renames, meant to decouple nwfilter from the currently only existing ebiptables driver.
I've pushed these first 2 patches with my suggested changes on the 2nd patch, since they don't need to be held up.
The 3rd patch introduces the new nwfilter driver. After which nwfilter allows users to choose it in the 4th patch.
The last patch introduces unit testing of the new nftables driver.
So how are you testing the nwfilter driver operation ?
I'm using the 'clean-traffic' filter on a test VM, and it is still failing for the same reasons I reported against v2:
Im using the clean-traffic filter from the repo.
2026-02-12 11:43:22.544+0000: 2396575: debug : virCommandRun:2499 : Result fatal signal 1, stdout: '' stderr: 'Error: conflicting statements add rule bridge libvirt_nwfilter_ethernet n-vnet1-rarp-out ether saddr == 52:54:00:36:96:f0 ether daddr == ff:ff:ff:ff:ff:ff ether type 0x8035 arp operation 3 arp saddr ip 0.0.0.0/32 arp daddr ip 0.0.0.0/32 arp saddr ether 52:54:00:36:96:f0 arp daddr ether 52:54:00:36:96:f0 accept comment "priority=500"
If I run this command locally on an already existing chain, without the comment part, it runs without throwing that error.
the ether address matches are repeated twice with inconsistent matches and different syntax eg
ether saddr == 52:54:00:36:96:f0 ether daddr == ff:ff:ff:ff:ff:ff
vs
saddr ether 52:54:00:36:96:f0 daddr ether 52:54:00:36:96:f0
the 'daddr' different is presumably what it does not list
They are not the same, in the way that the 2nd ether filter arguments are prefixed with "arp"
arp saddr ether 52:54:00:36:96:f0 arp daddr ether 52:54:00:36:96:f0
Would it be possible to send the full command output, so I can replay that and find out which command is throwing that error?
It is running this: 2026-02-12 11:43:22.534+0000: 2396575: debug : virCommandRunAsync:2653 : About to run nft add rule bridge libvirt_nwfilter_ethernet n-vnet1-rarp-out ether saddr == 52:54:00:36:96:f0 ether daddr == ff:ff:ff:ff:ff:ff ether type 0x8035 arp operation 3 arp saddr ip 0.0.0.0/32 arp daddr ip 0.0.0.0/32 arp saddr ether 52:54:00:36:96:f0 arp daddr ether 52:54:00:36:96:f0 accept comment '"priority=500"'
Maybe it could be that we are running different nft command versions.
kernel 6.17.8-300.fc43.x86_64 and nftables-1.1.3-6.fc43.x86_64 With regards, Daniel -- |: https://berrange.com ~~ https://hachyderm.io/@berrange :| |: https://libvirt.org ~~ https://entangle-photo.org :| |: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|