
On Sun, Apr 21, 2024 at 10:53:10PM -0400, Laine Stump wrote:
Although initially we will add exactly the same rules for the nftables backend, the two may (hopefully) soon diverge as we take advantage of nftables features that weren't available in iptables. When we do that, there will need to be a different version of these functions (currently in bridge_driver_linux.c) for each backend:
networkAddFirewallRules()
networkRemoveFirewallRules()
networkSetupPrivateChains()
Although it will mean duplicating some amount of code (with just the function names changed) for the nftables backend, this patch moves all of the rule-related code in the above three functions into iptables*() functions in network_iptables.c, and changes the functions in bridge_driver_linux.c to call the iptables*() functions. When we make a different backend, it will only need to make equivalents of those 3 functions publicly available to the upper layer.
Signed-off-by: Laine Stump <laine@redhat.com>
---
 src/network/bridge_driver_linux.c | 556 +----------------------------
 src/network/network_iptables.c    | 562 +++++++++++++++++++++++++++++-
 src/network/network_iptables.h    |   7 +-
 3 files changed, 574 insertions(+), 551 deletions(-)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|