Re: [libvirt PATCH 00/28] native support for nftables in virtual network driver

Laine Stump wrote: > This patch series enables libvirt to use nftables rules rather than > iptables *when setting up virtual networks* (it does *not* add > nftables support to the nwfilter driver). It accomplishes this by > abstracting several iptables functions (from viriptables.[ch] called > by the virtual network driver into a rudimentary "virNetfilter API" > (in virnetfilter.[ch], having the virtual network driver call the > virNetFilter API rather than calling the existing iptables functions > directly, and then finally adding an equivalent virNftables backend > that can be used instead of iptables (selected manually via a > network.conf setting, or automatically if iptables isn't found on the > host). [resend to a proper list] Hi, Apparently, I'm late to the discussion. I noticed that now I cannot use the bridge driver on FreeBSD as it's failing to initialize both iptables and nftables backends (which is expect). What would be a good way to address that? I see at least two options: 1. Add a Noop firewall driver 2. Implement a "real" FreeBSD driver based either on pf or ipfw (that's been on my TODO list forever, but I somehow got stuck on the very first step on choosing between pf and ipfw). This obviously will take much more time.