On Fri, Apr 03, 2026 at 07:31:27PM +0200, Dion Bosschieter via Devel wrote:
On 4/2/26 06:38, Laine Stump wrote:
(One hopefully useful comment about GARP embedded down there. Not enough brain cells still firing to actually look at the code :-))
On 4/1/26 3:34 AM, Dion Bosschieter wrote:
+/* + * nftablesCreateSameIPSet creates libvirts same-ip-set, + * this nft set is used in nftablesHandleGarp + * in order to see if 'arp saddr ip == arp daddr ip' + * + * In nftables 'nft' we can't match 2 fields to eachother.
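Review bot: in the nftablesCreateSameIPSet comment, the sentence "In nftables 'nft' we can't match 2 fields to eachother" gives the limitation without saying which nft versions it applies to. Since the same-ip-set exists only to work around that limitation, say so explicitly and add a TODO to drop the set once a field-to-field comparison is usable. Also fix "libvirts" to "libvirt's" and "eachother" to "each other".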
I asked Phil Sutter about this and he suggested that
'arp saddr ip ^ arp daddr == 0.0.0.0'
could work? Again, haven't tried it myself since it's after midnight, but I wanted to relay what I'd heard :-)
Thank you for reaching out to Phil
It will work with the patch that Phil submitted yesterday: https://lore.kernel.org/netfilter-devel/20260402184320.14862-1-phil@nwl.cc/T...
I wonder what the best course of action for GARP is:
- check version of nft / kernel, to see if we can "arp saddr ip ^ arp daddr ip == 0.0.0.0"
  - otherwise fall back to current ugly solution
  - or otherwise throw a warning and skip defining the GARP rule
- keep ugly workaround with a TODO for now until newer versions of kernel and nft tooling are widespread
- try "arp saddr ip ^ arp daddr ip == 0.0.0.0" and ignore the error and throw a warning
Any other suggestions are also welcome of course :)
We've defaulted to nftables for the virtual network driver for a while now. My wish is that we can enable nftables for the nwfilter driver in exactly the same scenarios we've enabled nftables for the virtual network driver.

The implication is that we shouldn't depend on brand new nftables features, unless we dynamically probe for them and have fallback in some manner.

I'd also really like to get this nftables driver code merged asap, and then iterate on any possible improvements in subsequent patches. So my preference is for ugly hacks in the short term if they get something working with kernel as-is.

With regards,
Daniel
--
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
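The "dynamically probe and fall back" option discussed in this thread, sketched as an added shell example (not libvirt code and not part of any posted patch). The function names, the `NFT` override variable and the `probe_garp` table name are hypothetical; the match expression is the one quoted in the thread.

```shell
#!/bin/sh
# Added example: probe whether the installed nft accepts the XOR form of
# the GARP match, and choose a strategy accordingly.
# NFT, probe_garp and both function names are hypothetical.

# Return 0 if nft accepts a rule comparing two ARP fields via XOR.
# -c (--check) validates the input without applying it, so the probe
# leaves the live ruleset untouched.
nft_supports_field_xor() {
    ${NFT:-nft} -c -f - >/dev/null 2>&1 <<'EOF'
table arp probe_garp {
    chain probe {
        arp saddr ip ^ arp daddr ip == 0.0.0.0
    }
}
EOF
}

# Print the strategy to use: "xor" when the probe succeeds, otherwise
# "set-workaround" (the same-ip-set approach), with a warning on stderr.
# Any probe failure (old nft, missing binary, no permission) selects the
# workaround, so the fallback is always the path known to work today.
garp_strategy() {
    if nft_supports_field_xor; then
        echo xor
    else
        echo "warning: nft rejected field xor, using same-ip-set workaround" >&2
        echo set-workaround
    fi
}

# Usage: strategy=$(garp_strategy)
```

Probing by feature rather than by version string avoids guessing which nft or kernel release carries the change.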