On Sun, Jul 13, 2025 at 01:57:03PM +0200, Roman Bogorodskiy wrote:
Implement NAT networking support based on the Packet Filter (pf) firewall in FreeBSD. At this point, the implementation is very basic. It creates:

- Essential NAT translation rules
- Basic forwarding rules

Implementation uses pf's anchor feature to group rules. All rules live in the "libvirt" anchor and every libvirt network has its own sub-anchor.
Currently there are some assumptions and limitations:
- We assume that a user has created the "libvirt" (nat-)anchors. As they cannot be created on the fly, it's better not to touch the global pf configuration and let the user make the changes. If the user doesn't have these anchors configured, the rules will still be created in sub-anchors, but will not be effective until these anchors are activated. Should we check whether these anchors are not active and give some runtime warning?
- Currently, rule reloading is not smart: it always deletes rules, flushes rules and re-creates them. It would be better to do that more gracefully.
- IPv6 configurations are currently not supported.
- For NAT, pf requires an explicit IP address or an interface to NAT to. We try to obtain that from the network XML definition, and if it's not specified, we try to determine the interface corresponding to the default route.
Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
---
 meson.build                      |   2 +
 po/POTFILES                      |   1 +
 src/network/bridge_driver_conf.c |   4 +
 src/network/bridge_driver_linux.c |   2 +
 src/network/meson.build          |   4 +
 src/network/network_pf.c         | 326 ++++++++++++++++++++++++++++++
 src/network/network_pf.h         |  26 +++
 src/util/virfirewall.c           |   4 +-
 src/util/virfirewall.h           |   2 +
 9 files changed, 370 insertions(+), 1 deletion(-)
 create mode 100644 src/network/network_pf.c
 create mode 100644 src/network/network_pf.h

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

With regards,
Daniel

-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org  -o-            https://www.instagram.com/dberrange :|
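To make the anchor layout described in the cover letter concrete, here is an illustrative pf configuration that is not part of the patch or of libvirt: the two lines an administrator would add to the global /etc/pf.conf so that the "libvirt" anchor and nat-anchor exist, followed by the kind of per-network rule set that would be loaded into a sub-anchor. The interface name em0, the bridge name virbr0, the sub-anchor name "libvirt/default" and the 192.168.122.0/24 subnet are assumed sample values, and the exact rule wording in the sub-anchor is a hypothetical sketch, not what network_pf.c emits.

```pf
# --- /etc/pf.conf (global ruleset, maintained by the administrator) ---
# The patch does not touch this file; it only loads rules into sub-anchors.
# Without these two anchor references, sub-anchor rules are loaded but inert.
ext_if = "em0"                      # assumption: uplink carrying the default route

# Translation section: pf requires nat rules before filter rules.
nat-anchor "libvirt/*"              # pulls in every libvirt/<network> nat sub-anchor

# Filter section.
anchor "libvirt/*"                  # pulls in every libvirt/<network> filter sub-anchor

# --- Hypothetical contents of sub-anchor "libvirt/default" ---
# Loaded with: pfctl -a "libvirt/default" -f <rulefile>
# Illustrative only; assumed subnet and interface names.
nat on em0 from 192.168.122.0/24 to ! 192.168.122.0/24 -> (em0)

# Basic forwarding: guests may talk out through the bridge and the uplink.
pass in  quick on virbr0 from 192.168.122.0/24
pass out quick on em0   from 192.168.122.0/24
```

A quick way to confirm the limitation the cover letter raises (rules present but not active) is to compare `pfctl -a "libvirt/default" -s nat` and `pfctl -a "libvirt/default" -s rules`, which show what was loaded into the sub-anchor, against `pfctl -s Anchors`, which lists only anchors actually referenced from the loaded main ruleset; a sub-anchor that shows up in the former but whose parent is absent from the latter is exactly the "configured but not effective" state.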