On Thu, Apr 02, 2026 at 12:29:43AM -0400, Laine Stump via Devel wrote:
> On 4/1/26 3:34 AM, Dion Bosschieter wrote:
> > Change the nwfilter driver loading mechanism to read from nwfilter.conf. By default, it will use the nftables driver, which follows the firewall_backend bridge driver config logic.
>
> I think it should initially default to the iptables driver, just so nobody gets a surprise when they upgrade if there is any incompatibility at all - this is what we did when the nftables backend was added to the virtual network driver, and there are some distros that still keep their default set to iptables (due to interoperability problems with, e.g. docker using iptables rules with a default action of "reject" (or was it "deny")).

I was rather wanting/hoping the pre-existing "firewall_backend_priority" setting to/would affect both virtual networks and nftables concurrently. Ideally we would have converted both at the same time, but we didn't. Still, in terms of enablement, IMHO it makes sense to have both nftables, or both iptables. Mixing feels dubious, even if we accept the possibility that this new nftables code may (will) have bugs for nwfilter. Perhaps we could allow a safety-net 'nwfilter_backend_priority' that defaults to the value of 'firewall_backend_priority' when unset. I think the main interoperability problems come from the virtual network driver, not the nwfilter driver, as the former is impacting global network state, while the latter is targeted at individual tap devices.

> BTW, this reminds me of the topic of "what happens when someone restarts nwfilterd after switching the setting of firewall_backend?" I could just build the patches, install, and find out for myself, but it's after midnight so I'll do the lazy thing and ask :-). It's important to keep track somewhere of whether the *previous* run of the daemon had loaded iptables or nftables rules. (for the network driver I did it in the status XML of each network).

The existing rules will get left lying around if anyone switches backend. Tracking state and tearing down old rules on switching backends is a big job :-(

With regards,
Daniel

-- 
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
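The leftover-rules problem raised above is easy to check for by hand after a backend switch. The script below is an added example written for this thread, not libvirt code: it takes the text of `iptables -S`, `ebtables -t nat -L` and `nft list ruleset` and reports which nwfilter backend's objects are still on the host, flagging a mixed state. The iptables/ebtables chain names (`libvirt-in`, `libvirt-out`, `libvirt-in-post`, `libvirt-host-in`, per-tap `FI-`/`FO-`/`HI-` and `libvirt-I-`/`libvirt-O-` chains) are the ones libvirt's existing ebiptables backend creates; the nftables table name `libvirt_nwfilter` is an assumption, since the real name comes from the new patches, and the sample command output is constructed for illustration.

```python
"""Audit a host for nwfilter rules left behind by the iptables and nftables
backends. Added example for this discussion, not part of libvirt."""
import re

# Global chains created by libvirt's ebiptables nwfilter backend.
IPT_GLOBAL = {"libvirt-in", "libvirt-out", "libvirt-in-post", "libvirt-host-in"}
# Per-tap chains: FI-<if>, FO-<if>, HI-<if> in iptables; libvirt-I-<if>,
# libvirt-O-<if> in the ebtables nat table.
IPT_PER_IF = re.compile(r"^-N\s+([FH][IO]-(\S+))")
EBT_CHAIN = re.compile(r"^Bridge chain:\s+(libvirt-[IO]-(\S+)),")
NFT_TABLE = re.compile(r"^table\s+\S+\s+(\S+)\s*\{")

# ASSUMPTION: the table the nftables nwfilter backend creates. The network
# driver's table is "libvirt_network"; check `nft list ruleset` for the real
# nwfilter name and pass it in.
DEFAULT_NFT_TABLE = "libvirt_nwfilter"


def audit(iptables_s: str, ebtables_l: str, nft_ruleset: str,
          nft_table: str = DEFAULT_NFT_TABLE) -> dict:
    """Return which backends' nwfilter objects are present and for which taps."""
    ipt_chains, ebt_chains, nft_tables, ifaces = set(), set(), set(), set()

    for line in iptables_s.splitlines():
        m = re.match(r"^-N\s+(\S+)", line)
        if not m:
            continue
        if m.group(1) in IPT_GLOBAL:
            ipt_chains.add(m.group(1))
        pm = IPT_PER_IF.match(line)
        if pm:
            ipt_chains.add(pm.group(1))
            ifaces.add(pm.group(2))

    for line in ebtables_l.splitlines():
        m = EBT_CHAIN.match(line)
        if m:
            ebt_chains.add(m.group(1))
            ifaces.add(m.group(2))

    for line in nft_ruleset.splitlines():
        m = NFT_TABLE.match(line.strip())
        if m and m.group(1) == nft_table:
            nft_tables.add(m.group(1))

    backends = []
    if ipt_chains or ebt_chains:
        backends.append("iptables")
    if nft_tables:
        backends.append("nftables")
    return {
        "iptables_chains": sorted(ipt_chains),
        "ebtables_chains": sorted(ebt_chains),
        "nft_tables": sorted(nft_tables),
        "interfaces": sorted(ifaces),
        "backends": backends,
        # Both backends' objects on one host: the stale-rules case from the thread.
        "mixed": len(backends) == 2,
    }


# Constructed sample output, as if iptables rules from a previous daemon run
# survived a switch to the nftables backend.
IPTABLES_S = """\
-P FORWARD ACCEPT
-N libvirt-in
-N libvirt-out
-N libvirt-in-post
-N libvirt-host-in
-N FI-vnet0
-N FO-vnet0
-N HI-vnet0
-A FORWARD -j libvirt-in
-A libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0
"""
EBTABLES_L = """\
Bridge table: nat

Bridge chain: PREROUTING, entries: 1, policy: ACCEPT
-i vnet0 -j libvirt-I-vnet0

Bridge chain: libvirt-I-vnet0, entries: 1, policy: ACCEPT
-p IPv4 -j ACCEPT
"""
NFT_RULESET = """\
table inet libvirt_network {
\tchain forward {
\t}
}
table inet libvirt_nwfilter {
\tchain input {
\t}
}
"""

if __name__ == "__main__":
    result = audit(IPTABLES_S, EBTABLES_L, NFT_RULESET)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a real host, feed it the captured output of the three commands (run as root); `libvirt_network` is deliberately ignored because that table belongs to the virtual network driver, which has its own backend setting. A `mixed: True` result after changing the backend means the previous run's rules are still in place and need manual cleanup.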