
On Mon, Jun 10, 2024 at 09:10:08PM +0200, Roman Bogorodskiy wrote:
Laine Stump wrote:
This patch series enables libvirt to use nftables rules rather than iptables *when setting up virtual networks* (it does *not* add nftables support to the nwfilter driver). It accomplishes this by abstracting several iptables functions (from viriptables.[ch]) called by the virtual network driver into a rudimentary "virNetfilter API" (in virnetfilter.[ch]), having the virtual network driver call the virNetFilter API rather than calling the existing iptables functions directly, and then finally adding an equivalent virNftables backend that can be used instead of iptables (selected manually via a network.conf setting, or automatically if iptables isn't found on the host).
[resend to a proper list]
Hi,
Apparently, I'm late to the discussion.
I noticed that now I cannot use the bridge driver on FreeBSD as it's failing to initialize both iptables and nftables backends (which is expected).
What would be a good way to address that? I see at least two options:
1. Add a Noop firewall driver
2. Implement a "real" FreeBSD driver based either on pf or ipfw (that's been on my TODO list forever, but I somehow got stuck on the very first step on choosing between pf and ipfw). This obviously will take much more time.
How about both :-) There will always be platforms for which no suitable FW driver exists, so a no-op driver that just returns errors for everything will be beneficial for many cases. Then you can worry about a real FreeBSD driver at your leisure.

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
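The backend abstraction Laine describes (a small filter API with iptables and nftables implementations, chosen by a network.conf setting or by probing the host) and the no-op driver Daniel suggests (fail every operation with an error rather than silently doing nothing) are sketched below as an added, stand-alone example. This is not libvirt's code: the type names, the "firewall_backend" config key, the operation set and the probing flags are all hypothetical, and the iptables/nftables functions only record success so the program runs on any host.

```c
/* Added example (not libvirt's virNetfilter code): a minimal firewall-backend
 * abstraction with backend selection by config or by probing, plus a no-op
 * backend that fails every operation loudly. All names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    FW_BACKEND_DEFAULT = 0,   /* config unset: let the code probe the host */
    FW_BACKEND_IPTABLES,
    FW_BACKEND_NFTABLES,
    FW_BACKEND_NOOP,
} fw_backend_t;

/* The operations a virtual-network driver needs from the packet filter. */
typedef struct {
    const char *name;
    int (*add_forward_rule)(const char *bridge);
    int (*remove_forward_rule)(const char *bridge);
} fw_ops_t;

/* Stand-ins for the real backends: a real implementation would exec
 * iptables or nft here. They only return success so the example runs anywhere. */
static int iptables_add(const char *bridge)    { (void)bridge; return 0; }
static int iptables_remove(const char *bridge) { (void)bridge; return 0; }
static int nftables_add(const char *bridge)    { (void)bridge; return 0; }
static int nftables_remove(const char *bridge) { (void)bridge; return 0; }

/* No-op backend: every operation fails with a descriptive error, so a caller
 * that expected filtering to be configured cannot silently proceed without it. */
static int noop_fail(const char *bridge) {
    fprintf(stderr, "no firewall backend available on this host; "
                    "cannot manage rules for bridge '%s'\n", bridge);
    return -1;
}

static const fw_ops_t backends[] = {
    [FW_BACKEND_IPTABLES] = { "iptables", iptables_add, iptables_remove },
    [FW_BACKEND_NFTABLES] = { "nftables", nftables_add, nftables_remove },
    [FW_BACKEND_NOOP]     = { "noop",     noop_fail,    noop_fail },
};

/* Parse a hypothetical network.conf value such as firewall_backend = "nftables".
 * Returns FW_BACKEND_DEFAULT for an unset/empty value and -1 for an unknown one. */
int fw_backend_parse(const char *value) {
    if (value == NULL || *value == '\0') return FW_BACKEND_DEFAULT;
    if (strcmp(value, "iptables") == 0) return FW_BACKEND_IPTABLES;
    if (strcmp(value, "nftables") == 0) return FW_BACKEND_NFTABLES;
    if (strcmp(value, "noop") == 0) return FW_BACKEND_NOOP;
    return -1;
}

/* Choose a backend. An explicit config value wins (and is an error if that tool
 * is missing); otherwise use iptables, use nftables when iptables isn't found,
 * and fall back to the no-op backend when neither tool is present. */
const fw_ops_t *fw_backend_select(int configured, bool have_iptables, bool have_nftables) {
    if (configured == FW_BACKEND_IPTABLES && have_iptables) return &backends[FW_BACKEND_IPTABLES];
    if (configured == FW_BACKEND_NFTABLES && have_nftables) return &backends[FW_BACKEND_NFTABLES];
    if (configured == FW_BACKEND_NOOP) return &backends[FW_BACKEND_NOOP];
    if (configured != FW_BACKEND_DEFAULT) return NULL;   /* requested tool not on host */
    if (have_iptables) return &backends[FW_BACKEND_IPTABLES];
    if (have_nftables) return &backends[FW_BACKEND_NFTABLES];
    return &backends[FW_BACKEND_NOOP];
}

int main(void) {
    /* Constructed scenario resembling the FreeBSD case: neither tool present. */
    const fw_ops_t *ops = fw_backend_select(fw_backend_parse(""), false, false);
    printf("selected backend: %s\n", ops->name);
    int rc = ops->add_forward_rule("virbr0");
    printf("add_forward_rule returned %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The point of returning an error from the no-op backend rather than 0 is that a network definition which relies on NAT or forwarding rules fails visibly at start-up instead of coming up with no filtering at all; a host that genuinely needs no rules can select "noop" explicitly and treat the error as expected.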