[PATCH v3 00/27] [PATCH v3 00/27] native support for nftables in virtual network driver

Thursday, 25 April 2024

V2:
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/5R...

This patch series enables libvirt to use nftables rules rather than
iptables *when setting up virtual networks* (it does *not* add
nftables support to the nwfilter driver).

I've added the Reviewed-by's from Daniel where given in V2 (as long as
I haven't made any non-trivial changes). That includes patches 1-9,
11-13, 16, 20, and 22.

Changes from V2 - mainly I've addressed the issues that Dan pointed
out in his reviews (details in each patch). Functionally the main changes are:

1) You can now choose whether iptables or nftables should be the
   default backend with the new meson option "firewall_backend" (which
   is set to "nftables" by default).

2) rpm spec now requires iptables or nftables (rather than
   recommending both)

3) The <firewall> element in the network status XML now has a
   "name='fwRemoval'" attribute, just in case we ever add another
   <firewall> element to keep track of all the commands that were run
   to create the firewall as well as the commands needed to remove it.

4) Failure to find the binary needed for any firewall backend now
   results in an error log and termination of the daemon.

Laine Stump (27):
  util/network: move viriptables.[ch] from util to network directory
  network: move all functions manipulating iptables rules into
    network_iptables.c
  network: make all iptables functions used only in network_iptables.c
    static
  util: #define the names used for private packet filter chains
  util: change name of virFirewallRule to virFirewallCmd
  util: rename virNetFilterAction to iptablesAction, and add
    VIR_ENUM_DECL/IMPL
  util: check for 0 args when applying iptables rule
  util: add -w/--concurrent when applying a FirewallCmd rather than when
    building it
  util: determine ignoreErrors value when creating virFirewallCmd, not
    when applying
  util/network: new virFirewallBackend enum
  network: add (empty) network.conf file to distribution files
  network: support setting firewallBackend from network.conf
  network: framework to call backend-specific function to init private
    filter chains
  util: new functions to support adding individual firewall rollback
    commands
  util: implement rollback rule autocreation for iptables commands
  network: turn on auto-rollback for the rules added for virtual
    networks
  util: add name attribute to virFirewall
  util: new function virFirewallNewFromRollback()
  util: new functions virFirewallParseXML() and virFirewallFormat()
  conf: add a virFirewall object to virNetworkObj
  network: use previously saved list of firewall removal commands
  network: save network status when firewall rules are reloaded
  meson: stop looking for iptables/ip6tables/ebtables at build time
  network: add an nftables backend for network driver's firewall
    construction
  tests: test cases for nftables backend
  network: prefer the nftables backend over iptables
  spec: require either iptables or nftables if network driver is
    installed

 libvirt.spec.in                               |    7 +-
 meson.build                                   |   10 +-
 meson_options.txt                             |    1 +
 po/POTFILES                                   |    3 +-
 src/conf/virnetworkobj.c                      |   47 +
 src/conf/virnetworkobj.h                      |   11 +
 src/libvirt_private.syms                      |   59 +-
 src/network/bridge_driver.c                   |   35 +-
 src/network/bridge_driver_conf.c              |   64 +
 src/network/bridge_driver_conf.h              |    3 +
 src/network/bridge_driver_linux.c             |  630 +------
 src/network/bridge_driver_nop.c               |    6 +-
 src/network/bridge_driver_platform.h          |    6 +-
 src/network/libvirtd_network.aug              |   39 +
 src/network/meson.build                       |   36 +
 src/network/network.conf.in                   |   28 +
 src/network/network_iptables.c                | 1677 +++++++++++++++++
 src/network/network_iptables.h                |   30 +
 src/network/network_nftables.c                |  940 +++++++++
 src/network/network_nftables.h                |   28 +
 src/network/test_libvirtd_network.aug.in      |    5 +
 src/nwfilter/nwfilter_ebiptables_driver.c     | 1004 +++++-----
 src/util/meson.build                          |    1 -
 src/util/virebtables.c                        |   36 +-
 src/util/virfirewall.c                        |  820 ++++++--
 src/util/virfirewall.h                        |   87 +-
 src/util/viriptables.c                        | 1072 -----------
 src/util/viriptables.h                        |  155 --
 .../{base.args => base.iptables}              |    0
 tests/networkxml2firewalldata/base.nftables   |  256 +++
 ...-linux.args => nat-default-linux.iptables} |    0
 .../nat-default-linux.nftables                |  248 +++
 ...pv6-linux.args => nat-ipv6-linux.iptables} |    0
 .../nat-ipv6-linux.nftables                   |  384 ++++
 ...rgs => nat-ipv6-masquerade-linux.iptables} |    0
 .../nat-ipv6-masquerade-linux.nftables        |  456 +++++
 ...linux.args => nat-many-ips-linux.iptables} |    0
 .../nat-many-ips-linux.nftables               |  472 +++++
 ...-linux.args => nat-no-dhcp-linux.iptables} |    0
 .../nat-no-dhcp-linux.nftables                |  384 ++++
 ...ftp-linux.args => nat-tftp-linux.iptables} |    0
 .../nat-tftp-linux.nftables                   |  274 +++
 ...inux.args => route-default-linux.iptables} |    0
 .../route-default-linux.nftables              |  162 ++
 tests/networkxml2firewalltest.c               |   56 +-
 tests/virfirewalltest.c                       |  424 ++---
 46 files changed, 7205 insertions(+), 2751 deletions(-)
 create mode 100644 src/network/libvirtd_network.aug
 create mode 100644 src/network/network.conf.in
 create mode 100644 src/network/network_iptables.c
 create mode 100644 src/network/network_iptables.h
 create mode 100644 src/network/network_nftables.c
 create mode 100644 src/network/network_nftables.h
 create mode 100644 src/network/test_libvirtd_network.aug.in
 delete mode 100644 src/util/viriptables.c
 delete mode 100644 src/util/viriptables.h
 rename tests/networkxml2firewalldata/{base.args => base.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/base.nftables
 rename tests/networkxml2firewalldata/{nat-default-linux.args =>
nat-default-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/nat-default-linux.nftables
 rename tests/networkxml2firewalldata/{nat-ipv6-linux.args => nat-ipv6-linux.iptables}
(100%)
 create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.nftables
 rename tests/networkxml2firewalldata/{nat-ipv6-masquerade-linux.args =>
nat-ipv6-masquerade-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
 rename tests/networkxml2firewalldata/{nat-many-ips-linux.args =>
nat-many-ips-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.nftables
 rename tests/networkxml2firewalldata/{nat-no-dhcp-linux.args =>
nat-no-dhcp-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
 rename tests/networkxml2firewalldata/{nat-tftp-linux.args => nat-tftp-linux.iptables}
(100%)
 create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.nftables
 rename tests/networkxml2firewalldata/{route-default-linux.args =>
route-default-linux.iptables} (100%)
 create mode 100644 tests/networkxml2firewalldata/route-default-linux.nftables

-- 
2.44.0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

[PATCH v3 00/27] [PATCH v3 00/27] native support for nftables in virtual network driver