Re: [PATCH v2] network: introduce a "none" firewall backend type

On Fri, Jun 14, 2024 at 03:43:53PM GMT, Daniel P. Berrangé wrote: > meson.build | 26 +++++++++++++++++++------- > meson_options.txt | 2 +- > src/network/bridge_driver_conf.c | 19 ++++++++++++++----- > src/network/bridge_driver_linux.c | 10 ++++++++++ > src/network/bridge_driver_nop.c | 15 ++++++++++++++- > src/util/virfirewall.c | 6 ++++++ > src/util/virfirewall.h | 1 + > 7 files changed, 65 insertions(+), 14 deletions(-) The test suite no longer passes after applying this. At the very least, you need to squash in the diff at the bottom of this message. > firewall_backend_priority = get_option('firewall_backend_priority') > - if (not firewall_backend_priority.contains('nftables') or > - not firewall_backend_priority.contains('iptables') or > - firewall_backend_priority.length() != 2) > - error('invalid value for firewall_backend_priority option') > + if firewall_backend_priority.length() == 0 > + if host_machine.system() == 'linux' > + firewall_backend_priority = ['nftables', 'iptables'] > + else > + # No firewall impl on non-Linux so far, so force 'none' > + # as placeholder > + firewall_backend_priority = ['none'] > + endif > + else > + if host_machine.system() != 'linux' > + error('firewall backend priority only supported on linux hosts') > + endif > endif This implementation allows things such as -Dfirewall_backend_priority=nftables and -Dfirewall_backend_priority=iptables,iptables At least -Dfirewall_backend_priority=iptables,nftables,iptables will be blocked, but only because it results in a compilation error: meson will happily accept it. Are we okay with that? It's IMO inferior to the much stricter checking that's performed today.