noon
Add BSD-specific platform flavor of the bridge driver which will be used
as a base for Packet Filter (pf) based NAT networking implementation.
Signed-off-by: Roman Bogorodskiy <bogorodskiy(a)gmail.com>
---
po/POTFILES | 1 +
src/network/bridge_driver_bsd.c | 114 +++++++++++++++++++++++++++
src/network/bridge_driver_conf.c | 4 +
src/network/bridge_driver_platform.c | 2 +
4 files changed, 121 insertions(+)
create mode 100644 src/network/bridge_driver_bsd.c
diff --git a/po/POTFILES b/po/POTFILES
index 084f60ba00..dc7293d0cd 100644
--- a/po/POTFILES
+++ b/po/POTFILES
@@ -145,6 +145,7 @@ src/lxc/lxc_hostdev.c
src/lxc/lxc_native.c
src/lxc/lxc_process.c
src/network/bridge_driver.c
+src/network/bridge_driver_bsd.c
src/network/bridge_driver_conf.c
src/network/bridge_driver_linux.c
src/network/bridge_driver_nop.c
diff --git a/src/network/bridge_driver_bsd.c b/src/network/bridge_driver_bsd.c
new file mode 100644
index 0000000000..5914300763
--- /dev/null
+++ b/src/network/bridge_driver_bsd.c
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) 2025 FreeBSD Foundation
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>;.
+ */
+
+#include <config.h>
+
+#include "virlog.h"
+#include "network_pf.h"
+
+#define VIR_FROM_THIS VIR_FROM_NONE
+
+VIR_LOG_INIT("network.bridge_driver_bsd");
+
+static virErrorPtr errInitV4;
+static virErrorPtr errInitV6;
+
+void networkPreReloadFirewallRules(virNetworkDriverState *driver G_GNUC_UNUSED,
+ bool startup G_GNUC_UNUSED,
+ bool force G_GNUC_UNUSED)
+{
+}
+
+
+void networkPostReloadFirewallRules(bool startup G_GNUC_UNUSED)
+{
+}
+
+
+int networkCheckRouteCollision(virNetworkDef *def G_GNUC_UNUSED)
+{
+ return 0;
+}
+
+int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED,
+ virFirewallBackend firewallBackend,
+ virFirewall **fwRemoval G_GNUC_UNUSED)
+{
+ if (def->bridgeZone) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("zone %1$s requested for network %2$s but firewalld is not
supported on BSD"),
+ def->bridgeZone, def->name);
+ return -1;
+ }
+
+ if (def->forward.type == VIR_NETWORK_FORWARD_OPEN) {
+ VIR_DEBUG("No firewall rules to add for mode='open' network
'%s'", def->name);
+ } else {
+ VIR_DEBUG("Adding firewall rules for mode='%s' network '%s'
using %s",
+ virNetworkForwardTypeToString(def->forward.type),
+ def->name,
+ virFirewallBackendTypeToString(firewallBackend));
+
+ if (errInitV4 &&
+ (virNetworkDefGetIPByIndex(def, AF_INET, 0) ||
+ virNetworkDefGetRouteByIndex(def, AF_INET, 0))) {
+ virSetError(errInitV4);
+ return -1;
+ }
+
+ if (errInitV6 &&
+ (virNetworkDefGetIPByIndex(def, AF_INET6, 0) ||
+ virNetworkDefGetRouteByIndex(def, AF_INET6, 0) ||
+ def->ipv6nogw)) {
+ virSetError(errInitV6);
+ return -1;
+ }
+
+ /* now actually add the rules */
+ switch (firewallBackend) {
+ case VIR_FIREWALL_BACKEND_NONE:
+ virReportError(VIR_ERR_NO_SUPPORT, "%s",
+ _("No firewall backend is available"));
+ return -1;
+
+ case VIR_FIREWALL_BACKEND_PF:
+ return pfAddFirewallRules(def);
+
+ case VIR_FIREWALL_BACKEND_IPTABLES:
+ case VIR_FIREWALL_BACKEND_NFTABLES:
+ case VIR_FIREWALL_BACKEND_LAST:
+ virReportEnumRangeError(virFirewallBackend, firewallBackend);
+ return -1;
+ }
+ }
+ return 0;
+}
+
+void
+networkRemoveFirewallRules(virNetworkObj *obj,
+ bool unsetZone G_GNUC_UNUSED)
+{
+ virNetworkDef *def = virNetworkObjGetDef(obj);
+ if (def->forward.type == VIR_NETWORK_FORWARD_OPEN) {
+ VIR_DEBUG("No firewall rules to remove for mode='open' network
'%s'",
+ def->name);
+ return;
+ }
+
+ pfRemoveFirewallRules(def);
+}
diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_conf.c
index 309d64fa84..280c0f9c4f 100644
--- a/src/network/bridge_driver_conf.c
+++ b/src/network/bridge_driver_conf.c
@@ -130,6 +130,10 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg
G_GNUC_UNUSED,
}
case VIR_FIREWALL_BACKEND_PF: {
+ g_autofree char *pfctlInPath = virFindFileInPath(PFCTL);
+
+ if (pfctlInPath)
+ fwBackendSelected = true;
break;
}
diff --git a/src/network/bridge_driver_platform.c b/src/network/bridge_driver_platform.c
index 9ddcb71063..42fbcdbc0b 100644
--- a/src/network/bridge_driver_platform.c
+++ b/src/network/bridge_driver_platform.c
@@ -25,6 +25,8 @@
#if defined(__linux__)
# include "bridge_driver_linux.c"
+#elif defined(__FreeBSD__)
+# include "bridge_driver_bsd.c"
#else
# include "bridge_driver_nop.c"
#endif
--
2.49.0
noon
New subject: [PATCH 2/2] docs: add network driver documentation
Currently documents only FreeBSD/pf specific configuration.
Signed-off-by: Roman Bogorodskiy <bogorodskiy(a)gmail.com>
---
docs/drivers.rst | 1 +
docs/drvnetwork.rst | 28 ++++++++++++++++++++++++++++
docs/meson.build | 1 +
3 files changed, 30 insertions(+)
create mode 100644 docs/drvnetwork.rst
diff --git a/docs/drivers.rst b/docs/drivers.rst
index b9dccdf5d2..f0d9e9ca34 100644
--- a/docs/drivers.rst
+++ b/docs/drivers.rst
@@ -6,6 +6,7 @@ Internal drivers
- `Storage drivers <storage.html>`__
- `Node device driver <drvnodedev.html>`__
- `Secret driver <drvsecret.html>`__
+- `Network driver <drvnetwork.html>`__
The libvirt public API delegates its implementation to one or more internal
drivers, depending on the `connection URI <uri.html>`__ passed when initializing
diff --git a/docs/drvnetwork.rst b/docs/drvnetwork.rst
new file mode 100644
index 0000000000..23082310ba
--- /dev/null
+++ b/docs/drvnetwork.rst
@@ -0,0 +1,28 @@
+==============
+Network driver
+==============
+
+.. contents::
+
+Platform-specific notes
+=======================
+
+FreeBSD
+-------
+
+FreeBSD netowork driver uses the pf firewall. Libvirt managed pf rules
+are created within anchors. Anchors need to be configured manually by
+the user. Sample ``/etc/pf.conf`` might look like:
+
+::
+
+ scrub all
+
+ nat-anchor "libvirt\*"
+ anchor "libvirt\*"
+
+ pass all
+
+
+Users are not expected to manually modify rules in the ``"libvirt\*"``
+subanchors because the changes will be lost on restart.
diff --git a/docs/meson.build b/docs/meson.build
index 4f8982ee90..2c7c23271b 100644
--- a/docs/meson.build
+++ b/docs/meson.build
@@ -49,6 +49,7 @@ docs_rst_files = [
'drvesx',
'drvhyperv',
'drvlxc',
+ 'drvnetwork',
'drvnodedev',
'drvopenvz',
'drvqemu',
--
2.49.0
9:26 a.m.
New subject: [PATCH 2/2] docs: add network driver documentation
On 8/13/25 19:00, Roman Bogorodskiy wrote:
Currently documents only FreeBSD/pf specific configuration.
Signed-off-by: Roman Bogorodskiy <bogorodskiy(a)gmail.com>
---
docs/drivers.rst | 1 +
docs/drvnetwork.rst | 28 ++++++++++++++++++++++++++++
docs/meson.build | 1 +
3 files changed, 30 insertions(+)
create mode 100644 docs/drvnetwork.rst
Reviewed-by: Michal Privoznik <mprivozn(a)redhat.com>
Michal
9:26 a.m.
On 8/13/25 19:00, Roman Bogorodskiy wrote:
Add BSD-specific platform flavor of the bridge driver which will be
used
as a base for Packet Filter (pf) based NAT networking implementation.
Signed-off-by: Roman Bogorodskiy <bogorodskiy(a)gmail.com>
---
po/POTFILES | 1 +
src/network/bridge_driver_bsd.c | 114 +++++++++++++++++++++++++++
src/network/bridge_driver_conf.c | 4 +
src/network/bridge_driver_platform.c | 2 +
4 files changed, 121 insertions(+)
create mode 100644 src/network/bridge_driver_bsd.c
diff --git a/po/POTFILES b/po/POTFILES
index 084f60ba00..dc7293d0cd 100644
--- a/po/POTFILES
+++ b/po/POTFILES
@@ -145,6 +145,7 @@ src/lxc/lxc_hostdev.c
src/lxc/lxc_native.c
src/lxc/lxc_process.c
src/network/bridge_driver.c
+src/network/bridge_driver_bsd.c
src/network/bridge_driver_conf.c
src/network/bridge_driver_linux.c
src/network/bridge_driver_nop.c
diff --git a/src/network/bridge_driver_bsd.c b/src/network/bridge_driver_bsd.c
new file mode 100644
index 0000000000..5914300763
--- /dev/null
+++ b/src/network/bridge_driver_bsd.c
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) 2025 FreeBSD Foundation
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>;.
+ */
+
+#include <config.h>
+
+#include "virlog.h"
+#include "network_pf.h"
+
+#define VIR_FROM_THIS VIR_FROM_NONE
+
+VIR_LOG_INIT("network.bridge_driver_bsd");
+
+static virErrorPtr errInitV4;
+static virErrorPtr errInitV6;
+
+void networkPreReloadFirewallRules(virNetworkDriverState *driver G_GNUC_UNUSED,
+ bool startup G_GNUC_UNUSED,
+ bool force G_GNUC_UNUSED)
+{
+}
+
+
+void networkPostReloadFirewallRules(bool startup G_GNUC_UNUSED)
+{
+}
+
+
+int networkCheckRouteCollision(virNetworkDef *def G_GNUC_UNUSED)
+{
+ return 0;
+}
+
+int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED,
+ virFirewallBackend firewallBackend,
+ virFirewall **fwRemoval G_GNUC_UNUSED)
+{
+ if (def->bridgeZone) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("zone %1$s requested for network %2$s but firewalld is not
supported on BSD"),
+ def->bridgeZone, def->name);
+ return -1;
+ }
+
+ if (def->forward.type == VIR_NETWORK_FORWARD_OPEN) {
+ VIR_DEBUG("No firewall rules to add for mode='open' network
'%s'", def->name);
+ } else {
+ VIR_DEBUG("Adding firewall rules for mode='%s' network '%s'
using %s",
+ virNetworkForwardTypeToString(def->forward.type),
+ def->name,
+ virFirewallBackendTypeToString(firewallBackend));
+
+ if (errInitV4 &&
+ (virNetworkDefGetIPByIndex(def, AF_INET, 0) ||
+ virNetworkDefGetRouteByIndex(def, AF_INET, 0))) {
+ virSetError(errInitV4);
+ return -1;
+ }
+
+ if (errInitV6 &&
+ (virNetworkDefGetIPByIndex(def, AF_INET6, 0) ||
+ virNetworkDefGetRouteByIndex(def, AF_INET6, 0) ||
+ def->ipv6nogw)) {
+ virSetError(errInitV6);
+ return -1;
+ }
Both of these blocks are dead code pretty much. In _linux.c these global
variables can be set, but here they are never set. Just drop them.
+
+ /* now actually add the rules */
+ switch (firewallBackend) {
+ case VIR_FIREWALL_BACKEND_NONE:
+ virReportError(VIR_ERR_NO_SUPPORT, "%s",
+ _("No firewall backend is available"));
+ return -1;
+
+ case VIR_FIREWALL_BACKEND_PF:
+ return pfAddFirewallRules(def);
+
+ case VIR_FIREWALL_BACKEND_IPTABLES:
+ case VIR_FIREWALL_BACKEND_NFTABLES:
+ case VIR_FIREWALL_BACKEND_LAST:
+ virReportEnumRangeError(virFirewallBackend, firewallBackend);
+ return -1;
+ }
+ }
+ return 0;
+}
+
+void
+networkRemoveFirewallRules(virNetworkObj *obj,
+ bool unsetZone G_GNUC_UNUSED)
+{
+ virNetworkDef *def = virNetworkObjGetDef(obj);
+ if (def->forward.type == VIR_NETWORK_FORWARD_OPEN) {
Nitpick, separate variable declaration block and code block with an
empty line.
+ VIR_DEBUG("No firewall rules to remove for
mode='open' network '%s'",
+ def->name);
+ return;
+ }
+
+ pfRemoveFirewallRules(def);
+}
diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_conf.c
index 309d64fa84..280c0f9c4f 100644
--- a/src/network/bridge_driver_conf.c
+++ b/src/network/bridge_driver_conf.c
@@ -130,6 +130,10 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg
G_GNUC_UNUSED,
}
case VIR_FIREWALL_BACKEND_PF: {
+ g_autofree char *pfctlInPath = virFindFileInPath(PFCTL);
+
+ if (pfctlInPath)
+ fwBackendSelected = true;
break;
}
diff --git a/src/network/bridge_driver_platform.c b/src/network/bridge_driver_platform.c
index 9ddcb71063..42fbcdbc0b 100644
--- a/src/network/bridge_driver_platform.c
+++ b/src/network/bridge_driver_platform.c
@@ -25,6 +25,8 @@
#if defined(__linux__)
# include "bridge_driver_linux.c"
+#elif defined(__FreeBSD__)
+# include "bridge_driver_bsd.c"
#else
# include "bridge_driver_nop.c"
#endif
Reviewed-by: Michal Privoznik <mprivozn(a)redhat.com>
Michal
0
days inactive
5
days old
3 comments
2 participants
participants (2)
-
Michal Prívozník -
Roman Bogorodskiy