Re: [PATCH v2] network: introduce a "none" firewall backend type

17 Jun 2024

      On Fri, Jun 14, 2024 at 12:22:50PM -0400, Andrea Bolognani wrote:
...
On Fri, Jun 14, 2024 at 03:43:53PM GMT, Daniel P. Berrangé wrote:
...
meson.build                       | 26 +++++++++++++++++++-------
 meson_options.txt                 |  2 +-
 src/network/bridge_driver_conf.c  | 19 ++++++++++++++-----
 src/network/bridge_driver_linux.c | 10 ++++++++++
 src/network/bridge_driver_nop.c   | 15 ++++++++++++++-
 src/util/virfirewall.c            |  6 ++++++
 src/util/virfirewall.h            |  1 +
 7 files changed, 65 insertions(+), 14 deletions(-)
The test suite no longer passes after applying this. At the very
least, you need to squash in the diff at the bottom of this message.
...
firewall_backend_priority = get_option('firewall_backend_priority')
-  if (not firewall_backend_priority.contains('nftables') or
-      not firewall_backend_priority.contains('iptables') or
-      firewall_backend_priority.length() != 2)
-    error('invalid value for firewall_backend_priority option')
+  if firewall_backend_priority.length() == 0
+      if host_machine.system() == 'linux'
+          firewall_backend_priority = ['nftables', 'iptables']
+      else
+          # No firewall impl on non-Linux so far, so force 'none'
+          # as placeholder
+          firewall_backend_priority = ['none']
+      endif
+  else
+      if host_machine.system() != 'linux'
+          error('firewall backend priority only supported on linux hosts')
+      endif
   endif
This implementation allows things such as
-Dfirewall_backend_priority=nftables
and
-Dfirewall_backend_priority=iptables,iptables
At least
-Dfirewall_backend_priority=iptables,nftables,iptables
will be blocked, but only because it results in a compilation error:
meson will happily accept it.
Are we okay with that? It's IMO inferior to the much stricter
checking that's performed today.
I found that if you try this with meson you'll see this

DEPRECATION: Duplicated values in array option is deprecated. This will become a hard error in the future.

I think we're fine to delegate this to Meson, given its intent to turn
this into a hard error eventually, since duplication is harmless for
us in the short term.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|