On Thu, Dec 11, 2025 at 03:00:53PM +0100, Dion Bosschieter wrote:
Change the nwfilter driver loading mechanism to read from nwfilter.conf. By default, it will use the nftables driver, which follows the firewall_backend bridge driver config logic.
Added nftables to *filter_tech_drivers as an available driver option for users to choose from.
Signed-off-by: Dion Bosschieter <dionbosschieter@gmail.com>
---
 po/POTFILES | 1 +
 src/conf/virnwfilterobj.h | 20 --
 src/nwfilter/libvirtd_nwfilter.aug | 37 ++++
 src/nwfilter/meson.build | 37 ++++
 src/nwfilter/nwfilter.conf.in | 26 +++
 src/nwfilter/nwfilter_driver.c | 66 +++---
 src/nwfilter/nwfilter_driver_conf.c | 210 +++++++++++++++++++++
 src/nwfilter/nwfilter_driver_conf.h | 66 +++++++
 src/nwfilter/nwfilter_ebiptables_driver.h | 2 +-
 src/nwfilter/nwfilter_gentech_driver.c | 63 +++---
 src/nwfilter/nwfilter_gentech_driver.h | 5 +-
 src/nwfilter/nwfilter_tech_driver.c | 1 -
 src/nwfilter/nwfilter_tech_driver.h | 1 +
 src/nwfilter/test_libvirtd_nwfilter.aug.in | 5 +
The two augeas files and nwfilter.conf also need adding to the libvirt.spec.in %files list. Take a look at where it's done for the network driver and mirror that.
diff --git a/src/nwfilter/nwfilter.conf.in b/src/nwfilter/nwfilter.conf.in new file mode 100644 index 0000000000..8ed5cbaa53 --- /dev/null +++ b/src/nwfilter/nwfilter.conf.in @@ -0,0 +1,26 @@ +# Master configuration file for the nwfilter driver. +# All settings described here are optional - if omitted, sensible +# defaults are used. + +# nwfilter_driver: +# +# determines which driver to use to setup nwfilter firewall rules +# +# Supported settings: +# +# iptables - use ebtables and iptables commands to construct the user +# defined firewall +# nftables - use nft commands to construct the user defined firewall +# +# If nwfilter_driver isn't configured, libvirt will choose the +# first available backend from the following list: +# +# [@FIREWALL_BACKEND_PRIORITY@] +# +# (NB: switching from one backend to another while there are active +# virtual networks *isn't* supported. The change will take place the +# next time that libvirtd/virtnetworkd is restarted - all existing +# firewalls remain, and have to be cleaned up manually +# reloaded using the new backend.) +# +#nwfilter_driver = "@FIREWALL_BACKEND@"
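Review bot: the NB paragraph in nwfilter.conf.in still carries network.conf wording: it warns about "active virtual networks" and says the change applies when "libvirtd/virtnetworkd is restarted", but this file configures the nwfilter driver, so it should talk about guests with active filters and about libvirtd/virtnwfilterd. The last sentence of that paragraph is also missing words: "all existing firewalls remain, and have to be cleaned up manually reloaded using the new backend" reads better as "all existing firewalls remain and have to be cleaned up manually before being reloaded using the new backend".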
This entire config file is about nwfilter, so parameters should not include 'nwfilter' in their name. Let's call this 'firewall_backend' to match network.conf exactly. Renaming it will also need an update to the augeas files & source code.
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.h b/src/nwfilter/nwfilter_ebiptables_driver.h index cb146f9f97..dfaea5af3d 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.h +++ b/src/nwfilter/nwfilter_ebiptables_driver.h @@ -27,6 +27,6 @@
extern virNWFilterTechDriver ebiptables_driver;
-#define EBIPTABLES_DRIVER_ID "ebiptables" +#define EBIPTABLES_DRIVER_ID "iptables"
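Review bot: changing EBIPTABLES_DRIVER_ID from "ebiptables" to "iptables" turns this string into a user-facing config value (it is what nwfilter.conf.in documents as the 'iptables' setting), so it deserves a comment at the #define saying the ID intentionally matches the network driver's backend names; otherwise the mismatch between the macro name EBIPTABLES_DRIVER_ID and the value "iptables" invites someone to "fix" it back later and silently break existing configs. Please also confirm that every place that looks a tech driver up by this string (the diffstat shows nwfilter_gentech_driver.c and nwfilter_tech_driver.c are touched) is updated in this same patch, since a stale "ebiptables" lookup would no longer match.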
I was going to suggest we called the config param 'ebiptables', but that would mean a new meson_options.txt entry and diverge from the network driver. In retrospect we probably should have called it 'xtables', but we can live with 'iptables' so that's OK.

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|