
On Tue, Apr 30, 2024 at 01:44:19PM -0400, Laine Stump wrote:
The iptables backend (which was used as the model for the nftables backend) used the same "filter" and "nat" tables used by other services on the system (e.g. firewalld or any other host firewall management application), so it was possible that one of those other services would be blocking DNS, DHCP, or TFTP from guests to the host; we added our own rules at the beginning of the chain to allow this traffic no matter if someone else rejected it later.
But with nftables, each service uses its own table, and all traffic must be accepted by all tables no matter what - it's not possible for us to just insert a higher priority/earlier rule that will override some reject rule put in by, e.g., firewalld. Instead the firewalld (or other) table must be set up by that service to allow the traffic. That, along with the fact that our table is already "accept by default", makes it possible to eliminate the individual accept rules for DHCP, DNS, and TFTP. And once those rules are eliminated, there is no longer any need for the guest_to_host or host_to_guest tables.
Signed-off-by: Laine Stump <laine@redhat.com>
---
I've just #ifdef'ed out the code that adds these rules so that it remains there as an example if someone wants to add in some different guest<->host rules in the future. I could instead completely remove all the now-uncompiled code, and just leave a comment referencing the upstream commit ID of the last commit that still contained all of that code. I'm fine either way.
I'm fine with an #if for a while. We can purge it later if we see no signs of really needing it.
 src/network/network_nftables.c         |  36 +++-
 .../nat-default-linux.nftables         | 104 ----------
 .../nat-ipv6-linux.nftables            | 182 ------------------
 .../nat-ipv6-masquerade-linux.nftables | 182 ------------------
 .../nat-many-ips-linux.nftables        | 104 ----------
 .../nat-no-dhcp-linux.nftables         | 182 ------------------
 .../nat-tftp-linux.nftables            | 130 -------------
 .../route-default-linux.nftables       | 104 ----------
 8 files changed, 33 insertions(+), 991 deletions(-)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-   https://www.instagram.com/dberrange :|
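An added illustration of the chain semantics described in the patch description (not code from the patch, from libvirt, or from firewalld; table, chain and interface names and the priorities are assumed for the example):

```nft
# Constructed example: two independent tables, each with a base chain
# hooked on "input". A packet traverses every base chain on the hook in
# priority order; "accept" only ends evaluation in the chain that issued
# it, so a reject or drop in any later base chain still wins.

table inet virt_net {            # assumed stand-in for the libvirt table
    chain guest_input {
        # lower priority number = evaluated first
        type filter hook input priority -10; policy accept;
        # the kind of rule the patch removes: with a shared iptables
        # chain this pre-empted a later REJECT, here it cannot
        iifname "virbr0" udp dport { 53, 67, 69 } accept
    }
}

table inet host_fw {             # assumed stand-in for a host firewall
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        # a guest DNS query accepted in virt_net still arrives here
        # and is rejected; virt_net has no way to override this
        iifname "virbr0" udp dport 53 reject
    }
}

# The only fix is in the host firewall's own table: it has to allow the
# guest-to-host services itself, which is why the per-service accept
# rules in the libvirt table no longer buy anything.
table inet host_fw_fixed {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "virbr0" udp dport { 53, 67, 69 } accept   # DNS, DHCP, TFTP
        iifname "virbr0" tcp dport 53 accept
    }
}
```

Loading `virt_net` plus `host_fw` with `nft -f` and sending a DNS query from a guest on virbr0 shows the ICMP rejection originating from `host_fw`; loading `host_fw_fixed` in its place instead of `host_fw` lets the query through.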