On Sun, Apr 21, 2024 at 10:53:34PM -0400, Laine Stump wrote:
The initial patches to support nftables for virtual networks left
iptables as the default backend.
The only functional difference between the two backends is that the
nftables backend doesn't add any rules to fix up the checksum of DHCP
packets, which will cause failures on guests with very old OSes
(e.g. RHEL5) that have a virtio-net network interface using vhost
packet processing (the default), connected to a libvirt virtual
network, and configured to acquire the interface IP using DHCP. Since
RHEL5 has been out of support for several years already, we might as
well start off nftables support right by making it the default.
In the extremely unlikely case that this causes a problem for anyone,
they can work around the failure by adding "<driver name='qemu'/>" to
the guest <interface> element.
Signed-off-by: Laine Stump <laine(a)redhat.com>
---
src/network/bridge_driver_conf.c | 6 +++---
src/network/network.conf | 9 ++++++---
src/network/test_libvirtd_network.aug.in | 2 +-
3 files changed, 10 insertions(+), 7 deletions(-)
I wonder if we shouldn't make the default firewall backend be
a meson_options.txt parameter.
If a distro rebases libvirt in their existing release, they
probably don't want the firewall backend silently changing
as a side effect. A meson option would let them turn on the
new behaviour for only new releases. We could make the meson
option default to 'nft' though.
diff --git a/src/network/bridge_driver_conf.c
b/src/network/bridge_driver_conf.c
index f1159ed245..0139ece5ad 100644
--- a/src/network/bridge_driver_conf.c
+++ b/src/network/bridge_driver_conf.c
@@ -106,10 +106,10 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg
G_GNUC_UNUSED,
* which allows absolute paths, and verifies that
* the file is executable.
*/
- if ((iptablesInPath = virFindFileInPath(IPTABLES)))
- cfg->firewallBackend = VIR_FIREWALL_BACKEND_IPTABLES;
- else if ((nftInPath = virFindFileInPath(NFT)))
+ if ((nftInPath = virFindFileInPath(NFT)))
cfg->firewallBackend = VIR_FIREWALL_BACKEND_NFTABLES;
+ else if ((iptablesInPath = virFindFileInPath(IPTABLES)))
+ cfg->firewallBackend = VIR_FIREWALL_BACKEND_IPTABLES;
if (cfg->firewallBackend == VIR_FIREWALL_BACKEND_UNSET)
VIR_INFO("firewall_backend not set, and no usable backend
auto-detected");
diff --git a/src/network/network.conf b/src/network/network.conf
index 630c4387a1..31723bccd5 100644
--- a/src/network/network.conf
+++ b/src/network/network.conf
@@ -12,8 +12,11 @@
# iptables - use iptables commands to construct the firewall
# nftables - use nft commands to construct the firewall
#
-# For backward compatibility, and to reduce surprises, the
-# default setting is "iptables".
+# If firewall_backend isn't explicitly specified here, libvirt
+# will default to using nftables if the "nft" command is available
+# on the host, otherwise it will use iptables if the "iptables"
+# command is available. If neither is available, then libvirt
+# will log an error the first time any network is started.
#
# (NB: switching from one backend to another while there are active
# virtual networks *is* supported. The change will take place the
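Review bot: the new text promises that libvirt "will log an error the first time any network is started" when neither command is available, but the bridge_driver_conf.c hunk in this same patch only emits a VIR_INFO at config-load time for that case; please confirm the network-start error path exists and that the two messages agree. Since the commit message acknowledges one functional difference (the nftables backend adds no DHCP checksum fixup rules, which breaks old guests using virtio-net with vhost), this comment block is where an admin on an auto-switched host would look first, so it is worth mentioning that difference and the `<driver name='qemu'/>` workaround here.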
@@ -21,4 +24,4 @@
# virtual networks will have their old firewalls removed, and then
# reloaded using the new backend.)
#
-#firewall_backend = "iptables"
+#firewall_backend = "nftables"
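Review bot: the commented-out example now reads `#firewall_backend = "nftables"`, but per the text just above the effective default is auto-detected (nftables only if `nft` is present, otherwise iptables), so this line shows the preferred value rather than a fixed default; a short comment saying that the line is an example and should stay commented out to keep auto-detection would stop someone uncommenting it on an iptables-only host. If the default becomes a meson option as suggested in the reply, this value would need to be substituted at build time, as test_libvirtd_network.aug.in already does with @CONFIG@, rather than hard-coded.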
diff --git a/src/network/test_libvirtd_network.aug.in
b/src/network/test_libvirtd_network.aug.in
index 3aa7b4cc22..81a6256919 100644
--- a/src/network/test_libvirtd_network.aug.in
+++ b/src/network/test_libvirtd_network.aug.in
@@ -2,4 +2,4 @@ module Test_libvirtd_network =
@CONFIG@
test Libvirtd_network.lns get conf =
-{ "firewall_backend" = "iptables" }
+{ "firewall_backend" = "nftables" }
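Review bot: the expected value here is the string "nftables", the spelling the conf option accepts; the reply above refers to a proposed meson default as 'nft', so if a build option is added its value should be mapped to "nftables" (or validated against the same set of names) so that this lens test and the shipped default do not drift apart.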
--
2.44.0
_______________________________________________
Devel mailing list -- devel(a)lists.libvirt.org
To unsubscribe send an email to devel-leave(a)lists.libvirt.org
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
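A way to check ahead of a rebase which backend a host will end up with, written as an added example (not libvirt's own code) that mirrors the selection order in the patch above: an explicit `firewall_backend` line in network.conf wins, otherwise `nft` is preferred over `iptables`, and neither present means no backend. The `has_tool`, `effective_backend` and `demo` names, the conf-line parsing and the temp-dir fixtures are assumptions of this example.

```shell
#!/bin/sh
# Added example, not libvirt's code. It mirrors the selection order shown in
# the patch above (explicit firewall_backend setting wins, then nft is
# preferred, then iptables) so an admin can predict what a host will use.
# Assumptions: the conf key is spelled `firewall_backend = "<value>"` as in
# network.conf, the search path is passed in explicitly, and a tool counts as
# available when a regular executable file of that name exists in the path
# (standing in for virFindFileInPath's executable check).

# has_tool NAME SEARCH_PATH -> exit 0 if NAME is an executable in SEARCH_PATH
has_tool() {
    name=$1
    for dir in $(printf '%s' "$2" | tr ':' ' '); do
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            return 0
        fi
    done
    return 1
}

# effective_backend CONF_FILE SEARCH_PATH -> prints nftables | iptables | unset
effective_backend() {
    conf=$1
    search_path=$2

    # 1. An explicit (uncommented) firewall_backend line wins; the last one
    #    in the file is taken. The shipped "#firewall_backend = ..." example
    #    line is a comment and is deliberately not matched.
    if [ -r "$conf" ]; then
        explicit=$(sed -n 's/^[[:space:]]*firewall_backend[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | tail -n 1)
        if [ -n "$explicit" ]; then
            printf '%s\n' "$explicit"
            return 0
        fi
    fi
    # 2. Auto-detect in the order this patch introduces: nft first ...
    if has_tool nft "$search_path"; then
        printf 'nftables\n'
    # 3. ... then iptables ...
    elif has_tool iptables "$search_path"; then
        printf 'iptables\n'
    # 4. ... and "unset" when neither is present (libvirt logs the failure).
    else
        printf 'unset\n'
    fi
}

# demo: constructed fixtures in a temp dir standing in for the host.
# Prints "<auto-detected with both tools> <pinned via conf>".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/etc"
    printf '#firewall_backend = "nftables"\n' > "$tmp/etc/network.conf"
    : > "$tmp/bin/nft"
    : > "$tmp/bin/iptables"
    chmod +x "$tmp/bin/nft" "$tmp/bin/iptables"
    # Both tools installed and nothing pinned: the rebase flips this host
    # from iptables to nftables.
    auto=$(effective_backend "$tmp/etc/network.conf" "$tmp/bin")
    # Pinning the old backend explicitly keeps iptables after the upgrade.
    printf 'firewall_backend = "iptables"\n' > "$tmp/etc/pinned.conf"
    pinned=$(effective_backend "$tmp/etc/pinned.conf" "$tmp/bin")
    rm -rf "$tmp"
    printf '%s %s\n' "$auto" "$pinned"
}

# Real host check (uncomment to run):
# effective_backend /etc/libvirt/network.conf "$PATH"
```

Running `demo` prints `nftables iptables`: the first value is what an untouched host with both tools gets after this patch, the second is what pinning `firewall_backend = "iptables"` in network.conf preserves across the rebase, which is the administrative counterpart of the meson option proposed in the reply.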