On Tue, Jun 11, 2024 at 08:49:42AM -0700, Andrea Bolognani wrote:
On Tue, Jun 11, 2024 at 02:38:58AM GMT, Andrea Bolognani wrote:
> On Mon, Jun 10, 2024 at 09:10:08PM GMT, Roman Bogorodskiy wrote:
> > Laine Stump wrote:
> >
> > > This patch series enables libvirt to use nftables rules rather than
> > > iptables *when setting up virtual networks* (it does *not* add
> > > nftables support to the nwfilter driver). It accomplishes this by
> > > abstracting several iptables functions (from viriptables.[ch] called
> > > by the virtual network driver into a rudimentary "virNetfilter
API"
> > > (in virnetfilter.[ch], having the virtual network driver call the
> > > virNetFilter API rather than calling the existing iptables functions
> > > directly, and then finally adding an equivalent virNftables backend
> > > that can be used instead of iptables (selected manually via a
> > > network.conf setting, or automatically if iptables isn't found on the
> > > host).
> >
> > [resend to a proper list]
> >
> > Hi,
> >
> > Apparently, I'm late to the discussion.
> >
> > I noticed that now I cannot use the bridge driver on FreeBSD as it's
> > failing to initialize both iptables and nftables backends (which is
> > expect).
> >
> > What would be a good way to address that? I see at least two options:
> >
> > 1. Add a Noop firewall driver
> > 2. Implement a "real" FreeBSD driver based either on pf or ipfw
(that's
> > been on my TODO list forever, but I somehow got stuck on the very first
> > step on choosing between pf and ipfw). This obviously will take much
> > more time.
> >
> > Maybe there are other options I'm missing.
> >
> > What do you think?
>
> If I understand correctly, the new behavior might cause problems on
> macOS too, see [1]. I wouldn't be surprised if the other BSDs were
> similarly affected.
>
> I wonder how things could work before if the iptables backend is not
> functional. Is it possible that we used to ignore failures to
> initialize the backend, but now we consider them fatal instead?
>
> A proper platform-specific backend would obviously be the right
> approach in the long run, but the priority should be restoring the
> previous status quo. A noop backend might be the answer, but honestly
> I just don't understand enough about networking to know for sure. I
> thought that these firewall rules were necessary in order to give
> network access to VMs, but if FreeBSD has been doing fine without
> iptables so far clearly that's not the case?
One additional issue with this:
$ PATH=/usr/bin /usr/sbin/libvirtd
error : virNetworkLoadDriverConfig:146 : internal error: could not
find a usable firewall backend
error : virStateInitialize:672 : Initialization of bridge state
driver failed: internal error: could not find a usable firewall
backend
error : daemonRunStateInit:617 : Driver state initialization failed
This happens because nft and iptables are both in /usr/sbin, so if
the user's $PATH doesn't include that directory they won't be found
and the driver will fail to initialize.
Not a big deal on Fedora, where /usr/sbin is part of the default
$PATH for users, but that's not the case on Debian, where
qemu:///session is just completely broken right now.
I was testing out a patch that addressed the situation by switching
backend detection to virFindFileInPathFull(), but then I realized
that it's fairly pointless to look for nft/iptables when a regular
user can't run them anyway.
So what I think we need to do is, make the failure to detect a
working backend non-fatal, unless the user has explicitly asked for a
specific backend to be used. That should bring us back to the
previous situation.
This is probably another reason to have a "no op" backend that merely
raises errors for every operation - see my Roman's mail about FreeBSD
With regards,
Daniel
--
|:
https://berrange.com -o-
https://www.flickr.com/photos/dberrange :|
|:
https://libvirt.org -o-
https://fstop138.berrange.com :|
|:
https://entangle-photo.org -o-
https://www.instagram.com/dberrange :|