[PATCH 1/2] network: bridge_driver: add BSD implementation

Add BSD-specific platform flavor of the bridge driver which will be used as a base for Packet Filter (pf) based NAT networking implementation.
Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
---
 po/POTFILES | 1 +
 src/network/bridge_driver_bsd.c | 114 +++++++++++++++++++++++++++
 src/network/bridge_driver_conf.c | 4 +
 src/network/bridge_driver_platform.c | 2 +
 4 files changed, 121 insertions(+)
 create mode 100644 src/network/bridge_driver_bsd.c
diff --git a/po/POTFILES b/po/POTFILES
index 084f60ba00..dc7293d0cd 100644
--- a/po/POTFILES
+++ b/po/POTFILES
@@ -145,6 +145,7 @@ src/lxc/lxc_hostdev.c
 src/lxc/lxc_native.c
 src/lxc/lxc_process.c
 src/network/bridge_driver.c
+src/network/bridge_driver_bsd.c
 src/network/bridge_driver_conf.c
 src/network/bridge_driver_linux.c
 src/network/bridge_driver_nop.c
diff --git a/src/network/bridge_driver_bsd.c b/src/network/bridge_driver_bsd.c
new file mode 100644
index 0000000000..5914300763
--- /dev/null
+++ b/src/network/bridge_driver_bsd.c
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) 2025 FreeBSD Foundation
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#include "virlog.h"
+#include "network_pf.h"
+
+#define VIR_FROM_THIS VIR_FROM_NONE
+
+VIR_LOG_INIT("network.bridge_driver_bsd");
+
+static virErrorPtr errInitV4;
+static virErrorPtr errInitV6;
+
+void networkPreReloadFirewallRules(virNetworkDriverState *driver G_GNUC_UNUSED,
+ bool startup G_GNUC_UNUSED,
+ bool force G_GNUC_UNUSED)
+{
+}
+
+
+void networkPostReloadFirewallRules(bool startup G_GNUC_UNUSED)
+{
+}
+
+
+int networkCheckRouteCollision(virNetworkDef *def G_GNUC_UNUSED)
+{
+ return 0;
+}
+
+int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED,
+ virFirewallBackend firewallBackend,
+ virFirewall **fwRemoval G_GNUC_UNUSED)
+{
+ if (def->bridgeZone) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("zone %1$s requested for network %2$s but firewalld is not supported on BSD"),
+ def->bridgeZone, def->name);
+ return -1;
+ }
+
+ if (def->forward.type == VIR_NETWORK_FORWARD_OPEN) {
+ VIR_DEBUG("No firewall rules to add for mode='open' network '%s'", def->name);
+ } else {
+ VIR_DEBUG("Adding firewall rules for mode='%s' network '%s' using %s",
+ virNetworkForwardTypeToString(def->forward.type),
+ def->name,
+ virFirewallBackendTypeToString(firewallBackend));
+
+ if (errInitV4 &&
+ (virNetworkDefGetIPByIndex(def, AF_INET, 0) ||
+ virNetworkDefGetRouteByIndex(def, AF_INET, 0))) {
+ virSetError(errInitV4);
+ return -1;
+ }
+
+ if (errInitV6 &&
+ (virNetworkDefGetIPByIndex(def, AF_INET6, 0) ||
+ virNetworkDefGetRouteByIndex(def, AF_INET6, 0) ||
+ def->ipv6nogw)) {
+ virSetError(errInitV6);
+ return -1;
+ }
+
+ /* now actually add the rules */
+ switch (firewallBackend) {
+ case VIR_FIREWALL_BACKEND_NONE:
+ virReportError(VIR_ERR_NO_SUPPORT, "%s",
+ _("No firewall backend is available"));
+ return -1;
+
+ case VIR_FIREWALL_BACKEND_PF:
+ return pfAddFirewallRules(def);
+
+ case VIR_FIREWALL_BACKEND_IPTABLES:
+ case VIR_FIREWALL_BACKEND_NFTABLES:
+ case VIR_FIREWALL_BACKEND_LAST:
+ virReportEnumRangeError(virFirewallBackend, firewallBackend);
+ return -1;
+ }
+ }
+ return 0;
+}
+
+void
+networkRemoveFirewallRules(virNetworkObj *obj,
+ bool unsetZone G_GNUC_UNUSED)
+{
+ virNetworkDef *def = virNetworkObjGetDef(obj);
+ if (def->forward.type == VIR_NETWORK_FORWARD_OPEN) {
+ VIR_DEBUG("No firewall rules to remove for mode='open' network '%s'",
+ def->name);
+ return;
+ }
+
+ pfRemoveFirewallRules(def);
+}
diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_conf.c
index 309d64fa84..280c0f9c4f 100644
--- a/src/network/bridge_driver_conf.c
+++ b/src/network/bridge_driver_conf.c
@@ -130,6 +130,10 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED,
 }
 case VIR_FIREWALL_BACKEND_PF: {
+ g_autofree char *pfctlInPath = virFindFileInPath(PFCTL);
+
+ if (pfctlInPath)
+ fwBackendSelected = true;
 break;
 }
diff --git a/src/network/bridge_driver_platform.c b/src/network/bridge_driver_platform.c
index 9ddcb71063..42fbcdbc0b 100644
--- a/src/network/bridge_driver_platform.c
+++ b/src/network/bridge_driver_platform.c
@@ -25,6 +25,8 @@
 #if defined(__linux__)
 # include "bridge_driver_linux.c"
+#elif defined(__FreeBSD__)
+# include "bridge_driver_bsd.c"
 #else
 # include "bridge_driver_nop.c"
 #endif
--
2.49.0
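Review bot: `networkAddFirewallRules` declares its first parameter as `virNetworkDef *def G_GNUC_UNUSED` yet dereferences it on the first line of the body (`def->bridgeZone`), so the attribute is misleading and should be dropped: `int networkAddFirewallRules(virNetworkDef *def,`. `networkCheckRouteCollision` is a stub that always returns 0; if the Linux flavor does inspect the host routing table at this point, a network whose subnet overlaps an existing route will be started silently on BSD, which deserves at least a comment such as `/* Route collision detection is not implemented for BSD yet; an overlapping subnet is not rejected here. */`. `networkRemoveFirewallRules` also calls `pfRemoveFirewallRules()` unconditionally while the add path only reaches pf for `VIR_FIREWALL_BACKEND_PF`; that is presumably fine because pf is the only backend this file wires up, but a one-line comment stating that assumption would help the next reader. The same hunk is quoted again further down in the thread, where these points apply equally.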
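Review bot: The new `VIR_FIREWALL_BACKEND_PF` case sets `fwBackendSelected` only when `pfctl` is found in PATH and stays silent otherwise, so when the binary is missing nothing records why pf was not selected; a line in the fall-through path such as `else VIR_DEBUG("pfctl not found, pf backend unavailable");` would make that diagnosable (how an unselected backend is reported depends on code outside the hunk, since `virNetworkLoadDriverConfig` starts before it and ends after it). The case is also not guarded by platform, so on a non-FreeBSD host that happens to have a `pfctl` binary the config would accept pf while the platform file compiles in the nop flavor, if I read the platform change correctly; a comment noting that this backend is only meaningful where `bridge_driver_bsd.c` is built would help.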
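Review bot: The new branch is guarded by `__FreeBSD__` only, while the file it pulls in is named `bridge_driver_bsd.c` and the commit message says "BSD"; other BSDs that ship pf, such as OpenBSD and NetBSD, still fall through to the nop flavor and get no firewall rules at all. Either widen the guard once those platforms are tested or make the limitation explicit with a comment, e.g. `/* pf-based flavor: only FreeBSD is supported so far, other BSDs use the nop flavor */`, so nobody assumes NAT filtering is in place on those hosts.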

Currently documents only FreeBSD/pf specific configuration.
Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
---
 docs/drivers.rst | 1 +
 docs/drvnetwork.rst | 28 ++++++++++++++++++++++++++++
 docs/meson.build | 1 +
 3 files changed, 30 insertions(+)
 create mode 100644 docs/drvnetwork.rst
diff --git a/docs/drivers.rst b/docs/drivers.rst
index b9dccdf5d2..f0d9e9ca34 100644
--- a/docs/drivers.rst
+++ b/docs/drivers.rst
@@ -6,6 +6,7 @@ Internal drivers
 - `Storage drivers <storage.html>`__
 - `Node device driver <drvnodedev.html>`__
 - `Secret driver <drvsecret.html>`__
+- `Network driver <drvnetwork.html>`__
 The libvirt public API delegates its implementation to one or more internal drivers, depending on the `connection URI <uri.html>`__ passed when initializing
diff --git a/docs/drvnetwork.rst b/docs/drvnetwork.rst
new file mode 100644
index 0000000000..23082310ba
--- /dev/null
+++ b/docs/drvnetwork.rst
@@ -0,0 +1,28 @@
+==============
+Network driver
+==============
+
+.. contents::
+
+Platform-specific notes
+=======================
+
+FreeBSD
+-------
+
+FreeBSD netowork driver uses the pf firewall. Libvirt managed pf rules
+are created within anchors. Anchors need to be configured manually by
+the user. Sample ``/etc/pf.conf`` might look like:
+
+::
+
+ scrub all
+
+ nat-anchor "libvirt\*"
+ anchor "libvirt\*"
+
+ pass all
+
+
+Users are not expected to manually modify rules in the ``"libvirt\*"``
+subanchors because the changes will be lost on restart.
diff --git a/docs/meson.build b/docs/meson.build
index 4f8982ee90..2c7c23271b 100644
--- a/docs/meson.build
+++ b/docs/meson.build
@@ -49,6 +49,7 @@ docs_rst_files = [
 'drvesx',
 'drvhyperv',
 'drvlxc',
+ 'drvnetwork',
 'drvnodedev',
 'drvopenvz',
 'drvqemu',
--
2.49.0

On 8/13/25 19:00, Roman Bogorodskiy wrote:
Currently documents only FreeBSD/pf specific configuration.
Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
---
 docs/drivers.rst | 1 +
 docs/drvnetwork.rst | 28 ++++++++++++++++++++++++++++
 docs/meson.build | 1 +
 3 files changed, 30 insertions(+)
 create mode 100644 docs/drvnetwork.rst
Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Michal

On 8/13/25 19:00, Roman Bogorodskiy wrote:
Add BSD-specific platform flavor of the bridge driver which will be used as a base for Packet Filter (pf) based NAT networking implementation.
Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
---
 po/POTFILES | 1 +
 src/network/bridge_driver_bsd.c | 114 +++++++++++++++++++++++++++
 src/network/bridge_driver_conf.c | 4 +
 src/network/bridge_driver_platform.c | 2 +
 4 files changed, 121 insertions(+)
 create mode 100644 src/network/bridge_driver_bsd.c
diff --git a/po/POTFILES b/po/POTFILES
index 084f60ba00..dc7293d0cd 100644
--- a/po/POTFILES
+++ b/po/POTFILES
@@ -145,6 +145,7 @@ src/lxc/lxc_hostdev.c
 src/lxc/lxc_native.c
 src/lxc/lxc_process.c
 src/network/bridge_driver.c
+src/network/bridge_driver_bsd.c
 src/network/bridge_driver_conf.c
 src/network/bridge_driver_linux.c
 src/network/bridge_driver_nop.c
diff --git a/src/network/bridge_driver_bsd.c b/src/network/bridge_driver_bsd.c
new file mode 100644
index 0000000000..5914300763
--- /dev/null
+++ b/src/network/bridge_driver_bsd.c
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) 2025 FreeBSD Foundation
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#include "virlog.h"
+#include "network_pf.h"
+
+#define VIR_FROM_THIS VIR_FROM_NONE
+
+VIR_LOG_INIT("network.bridge_driver_bsd");
+
+static virErrorPtr errInitV4;
+static virErrorPtr errInitV6;
+
+void networkPreReloadFirewallRules(virNetworkDriverState *driver G_GNUC_UNUSED,
+ bool startup G_GNUC_UNUSED,
+ bool force G_GNUC_UNUSED)
+{
+}
+
+
+void networkPostReloadFirewallRules(bool startup G_GNUC_UNUSED)
+{
+}
+
+
+int networkCheckRouteCollision(virNetworkDef *def G_GNUC_UNUSED)
+{
+ return 0;
+}
+
+int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED,
+ virFirewallBackend firewallBackend,
+ virFirewall **fwRemoval G_GNUC_UNUSED)
+{
+ if (def->bridgeZone) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("zone %1$s requested for network %2$s but firewalld is not supported on BSD"),
+ def->bridgeZone, def->name);
+ return -1;
+ }
+
+ if (def->forward.type == VIR_NETWORK_FORWARD_OPEN) {
+ VIR_DEBUG("No firewall rules to add for mode='open' network '%s'", def->name);
+ } else {
+ VIR_DEBUG("Adding firewall rules for mode='%s' network '%s' using %s",
+ virNetworkForwardTypeToString(def->forward.type),
+ def->name,
+ virFirewallBackendTypeToString(firewallBackend));
+
+ if (errInitV4 &&
+ (virNetworkDefGetIPByIndex(def, AF_INET, 0) ||
+ virNetworkDefGetRouteByIndex(def, AF_INET, 0))) {
+ virSetError(errInitV4);
+ return -1;
+ }
+
+ if (errInitV6 &&
+ (virNetworkDefGetIPByIndex(def, AF_INET6, 0) ||
+ virNetworkDefGetRouteByIndex(def, AF_INET6, 0) ||
+ def->ipv6nogw)) {
+ virSetError(errInitV6);
+ return -1;
+ }
Both of these blocks are dead code pretty much. In _linux.c these global variables can be set, but here they are never set. Just drop them.
+
+ /* now actually add the rules */
+ switch (firewallBackend) {
+ case VIR_FIREWALL_BACKEND_NONE:
+ virReportError(VIR_ERR_NO_SUPPORT, "%s",
+ _("No firewall backend is available"));
+ return -1;
+
+ case VIR_FIREWALL_BACKEND_PF:
+ return pfAddFirewallRules(def);
+
+ case VIR_FIREWALL_BACKEND_IPTABLES:
+ case VIR_FIREWALL_BACKEND_NFTABLES:
+ case VIR_FIREWALL_BACKEND_LAST:
+ virReportEnumRangeError(virFirewallBackend, firewallBackend);
+ return -1;
+ }
+ }
+ return 0;
+}
+
+void
+networkRemoveFirewallRules(virNetworkObj *obj,
+ bool unsetZone G_GNUC_UNUSED)
+{
+ virNetworkDef *def = virNetworkObjGetDef(obj);
+ if (def->forward.type == VIR_NETWORK_FORWARD_OPEN) {
Nitpick, separate variable declaration block and code block with an empty line.
+ VIR_DEBUG("No firewall rules to remove for mode='open' network '%s'",
+ def->name);
+ return;
+ }
+
+ pfRemoveFirewallRules(def);
+}
diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_conf.c
index 309d64fa84..280c0f9c4f 100644
--- a/src/network/bridge_driver_conf.c
+++ b/src/network/bridge_driver_conf.c
@@ -130,6 +130,10 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED,
 }
 case VIR_FIREWALL_BACKEND_PF: {
+ g_autofree char *pfctlInPath = virFindFileInPath(PFCTL);
+
+ if (pfctlInPath)
+ fwBackendSelected = true;
 break;
 }
diff --git a/src/network/bridge_driver_platform.c b/src/network/bridge_driver_platform.c
index 9ddcb71063..42fbcdbc0b 100644
--- a/src/network/bridge_driver_platform.c
+++ b/src/network/bridge_driver_platform.c
@@ -25,6 +25,8 @@
 #if defined(__linux__)
 # include "bridge_driver_linux.c"
+#elif defined(__FreeBSD__)
+# include "bridge_driver_bsd.c"
 #else
 # include "bridge_driver_nop.c"
 #endif
Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Michal