On Thu, Jun 13, 2024 at 05:33:43PM +0100, Daniel P. Berrangé wrote:
On Wed, Jun 12, 2024 at 07:31:51PM -0400, Laine Stump wrote:
> On 6/12/24 2:32 PM, Roman Bogorodskiy wrote:
> >
> > Unfortunately, I don't have access to that setup anymore and I haven't
> > re-created it yet. IIRC, it could probably show some warnings about
> > missing iptables, but it didn't affect anything for me.
>
> I'm surprised that there wasn't a fatal error while starting the network
> though.
Having actually looked at the code again, the answer is amusingly/depressingly
obvious.... we already implemented a NULL firewall driver, which is used on
non-Linux, many years ago:
See bridge_driver_platform.c, which does:
#if defined(__linux__)
# include "bridge_driver_linux.c"
#else
# include "bridge_driver_nop.c"
#endif
The bridge_driver_nop.c simply does nothing and returns success for
everything. So all the different virtual network modes "work" insofar
as libvirt can start them, but they don't work in the sense
that we're never creating the firewall rules to implement NAT, etc.
So the root cause here is that our "firewall_backend" config logic
completely forgot that the 'nop' driver already existed, and offers
no way to configure it. This is quite simple to address.
I've sent a patch that ought to fix this problem, though I admit I have
not actually tried it on FreeBSD.
With regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
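The failure mode Daniel describes, as an added illustration that is not libvirt code: a toy backend table in the spirit of bridge_driver_platform.c, where the "nop" driver returns success without installing any rules. A config parser that only knows the Linux backends cannot select "nop" at all (the bug), and a caller that only checks the return code cannot tell "NAT configured" from "nothing configured", so the example also flags the zero-rule case so it can be warned about. All struct, function and backend names here are hypothetical, and the "real" backend is a stand-in that pretends to add three rules.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not libvirt's API. */
typedef enum {
    FW_BACKEND_IPTABLES,
    FW_BACKEND_NFTABLES,
    FW_BACKEND_NOP,       /* the do-nothing driver compiled in on non-Linux */
    FW_BACKEND_UNKNOWN
} fwBackend;

typedef struct {
    const char *name;
    fwBackend id;
    /* Install NAT rules for `bridge`; report how many were added. */
    int (*addNatRules)(const char *bridge, int *rulesAdded);
} fwDriver;

/* Stand-in for a real backend: assume three rules get installed. */
static int realAddNatRules(const char *bridge, int *rulesAdded)
{
    if (!bridge || !*bridge)
        return -1;
    *rulesAdded = 3;
    return 0;
}

/* Mirrors bridge_driver_nop.c: succeed, install nothing. */
static int nopAddNatRules(const char *bridge, int *rulesAdded)
{
    (void)bridge;
    *rulesAdded = 0;
    return 0;
}

static const fwDriver drivers[] = {
    { "iptables", FW_BACKEND_IPTABLES, realAddNatRules },
    { "nftables", FW_BACKEND_NFTABLES, realAddNatRules },
    { "nop",      FW_BACKEND_NOP,      nopAddNatRules  },
};

/* Compile-time selection, as bridge_driver_platform.c does with #include. */
fwBackend fwDefaultBackend(void)
{
#if defined(__linux__)
    return FW_BACKEND_IPTABLES;
#else
    return FW_BACKEND_NOP;
#endif
}

/* The bug: the config parser only knows the Linux backends. */
fwBackend fwParseBackendOld(const char *name)
{
    if (strcmp(name, "iptables") == 0) return FW_BACKEND_IPTABLES;
    if (strcmp(name, "nftables") == 0) return FW_BACKEND_NFTABLES;
    return FW_BACKEND_UNKNOWN;
}

/* Fixed: every compiled-in driver, including "nop", is configurable. */
fwBackend fwParseBackendNew(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof(drivers) / sizeof(drivers[0]); i++)
        if (strcmp(name, drivers[i].name) == 0)
            return drivers[i].id;
    return FW_BACKEND_UNKNOWN;
}

/*
 * Start a NAT-mode network. Returns 0 on success, -1 on failure.
 * The nop driver succeeds without installing anything, so the return
 * code alone hides the missing NAT; *silentNoRules marks that case.
 */
int fwStartNatNetwork(fwBackend backend, const char *bridge,
                      int *rulesAdded, int *silentNoRules)
{
    size_t i;
    *rulesAdded = 0;
    *silentNoRules = 0;
    for (i = 0; i < sizeof(drivers) / sizeof(drivers[0]); i++) {
        if (drivers[i].id != backend)
            continue;
        if (drivers[i].addNatRules(bridge, rulesAdded) < 0)
            return -1;
        if (*rulesAdded == 0)
            *silentNoRules = 1;
        return 0;
    }
    return -1; /* unknown or unconfigurable backend */
}

int main(void)
{
    int rules, silent;
    fwBackend b = fwParseBackendNew("nop");
    if (fwStartNatNetwork(b, "virbr0", &rules, &silent) == 0 && silent)
        printf("virbr0 started, but the backend installed no NAT rules\n");
    return 0;
}
```

The point a practitioner should take from this: a network that "starts" under the nop backend has no NAT or isolation rules at all, so on non-Linux hosts the check worth doing is not the daemon's exit status but whether the host firewall actually carries rules for the bridge.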