On 6/15/23 11:53 AM, Hervé Werner wrote:
> Hello
> I'd like to revive the thread started by Eric Garver at the end of last
> year that aims to bring native Firewalld support to libvirtd [1].
> Currently the Firewalld configuration set up by libvirtd is based on a
> quirk [2] that makes it a bit puzzling for users.
Yeah, at the time that was the only way to get libvirt's iptables rules
and firewalld's nftables-based backend working "together" on the same
system (and firewalld didn't have support for filtering forwarded
traffic, so using only firewalld wasn't an option); the commit log goes
into excruciating detail of the why, so I won't bother rehashing it here.
> The aforementioned
> patches implement the same configuration from a Firewalld policy, which
> is much cleaner and more understandable.
> I'm supportive of moving forward on this patch series.
I have patches that replace libvirt's iptables usage (for virtual
networks, but not for nwfilter) with nftables by adding a selectable
nftables backend to the virtual network driver:
https://listman.redhat.com/archives/libvir-list/2023-May/239720.html
and have planned to rebase Eric's series on top of that and make it into
a third selectable backend; several issues were pointed out with my
patches when I posted them though, and I haven't gotten back to revising
them yet.
I'd prefer to not push Eric's patches before mine, because that will
increase the complexity of the refactor that's needed (and also his
patches don't allow for selecting firewalld vs. iptables backend, they
just always use the firewalld backend if firewalld is active). I think
danpb had also discovered that the firewalld backend behaved differently
from the existing iptables backend in some cases involving multiple
virtual networks.
Anyway, I have two other things I need to get done, and then I'll be
back to revising my nftables patches, and incorporating Eric's firewalld
patches on top of that. If you want (and if I can remember), I can Cc you
when I post new patches so you can try them out if you like.