On Wed, Jan 29, 2025 at 12:24:47PM -0500, Laine Stump wrote:
> On 1/29/25 8:39 AM, oza.4h07(a)gmail.com wrote:
> (BTW, if your distro has libvirt 10.4.0 or newer, you can tell it to use
> nftables rules rather than iptables - just add:
>
>     firewall_backend = "nftables"
>
> to /etc/libvirt/network.conf)

Debian 12 doesn't come with a new enough libvirt version anyway, but
FYI a few months back I switched the default backend in Debian to
nftables (matching Fedora) only to walk back the decision after
getting several reports of it breaking software that's just too
popular to ignore. See [1] for more details.

I don't expect that Debian will be able to move off the iptables
backend any time soon, at least when it comes to the default.
Changing the backend on a per-system basis is of course totally
possible, as long as you understand the caveats.

[1] https://bugs.debian.org/1090355
--
Andrea Bolognani / Red Hat / Virtualization
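
The following is an added example, not part of the thread or of libvirt: a shell check for the two conditions discussed above, whether the installed libvirt is at least 10.4.0 and which `firewall_backend` is set in `network.conf`. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, sample data is constructed.

# version_ge A B: succeed if dotted version A >= B (numeric fields only).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# configured_backend FILE: print the value of the last uncommented
# firewall_backend line in FILE, or "unset" if there is none.
configured_backend() {
    v=$(sed -n 's/^[[:space:]]*firewall_backend[[:space:]]*=[[:space:]]*"\([^"]*\)".*$/\1/p' \
        "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${v:-unset}"
}

# report VERSION FILE: combine both checks into one line of output.
report() {
    backend=$(configured_backend "$2")
    if version_ge "$1" 10.4.0; then
        echo "libvirt $1: firewall_backend is $backend"
    else
        echo "libvirt $1: older than 10.4.0, nftables backend not available (configured: $backend)"
    fi
}

# Constructed sample config so the example runs offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample of /etc/libvirt/network.conf
#firewall_backend = "iptables"
firewall_backend = "nftables"
EOF
report 10.4.0 "$sample"   # constructed version string
report 9.0.0 "$sample"    # constructed version string
rm -f "$sample"
# On a real host: report "$(virsh --version)" /etc/libvirt/network.conf
```

When the setting is reported as `unset`, the backend in use is whatever default the distribution built in, which per the message above differs between Debian and Fedora.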