On Tue, Feb 10, 2026 at 11:16:24AM +0100, Dion Bosschieter wrote:
This series aims to implement nftables as a backend driver for the nwfilter feature. The idea is that eventually it will replace the ebiptables driver and provide an easy way for users to switch from one driver to another.
The first 2 patches are moving of functions and renames, meant to decouple nwfilter from the currently only existing ebiptables driver.
I've pushed these first 2 patches with my suggested changes on the 2nd patch, since they don't need to be held up.
The 3rd patch introduces the new nwfilter driver, after which nwfilter allows users to choose it in the 4th patch.
The last patch introduces unit testing of the new nftables driver.
So how are you testing the nwfilter driver operation?

I'm using the 'clean-traffic' filter on a test VM, and it is still failing for the same reasons I reported against v2:

  2026-02-12 11:43:22.544+0000: 2396575: debug : virCommandRun:2499 : Result fatal signal 1, stdout: '' stderr: 'Error: conflicting statements add rule bridge libvirt_nwfilter_ethernet n-vnet1-rarp-out ether saddr == 52:54:00:36:96:f0 ether daddr == ff:ff:ff:ff:ff:ff ether type 0x8035 arp operation 3 arp saddr ip 0.0.0.0/32 arp daddr ip 0.0.0.0/32 arp saddr ether 52:54:00:36:96:f0 arp daddr ether 52:54:00:36:96:f0 accept comment "priority=500"

the ether address matches are repeated twice with inconsistent matches and different syntax, e.g.

  ether saddr == 52:54:00:36:96:f0 ether daddr == ff:ff:ff:ff:ff:ff

vs

  saddr ether 52:54:00:36:96:f0 daddr ether 52:54:00:36:96:f0

the 'daddr' difference is presumably what it does not list

With regards,
Daniel
--
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|