[libvirt PATCH 00/28] native support for nftables in virtual network driver

Daniel P. Berrangé berrange at redhat.com
Thu May 4 10:47:23 UTC 2023


On Sun, Apr 30, 2023 at 11:19:15PM -0400, Laine Stump wrote:
> This patch series enables libvirt to use nftables rules rather than
> iptables *when setting up virtual networks* (it does *not* add
> nftables support to the nwfilter driver). It accomplishes this by
> abstracting several iptables functions (from viriptables.[ch] called
> by the virtual network driver into a rudimentary "virNetfilter API"
> (in virnetfilter.[ch], having the virtual network driver call the
> virNetFilter API rather than calling the existing iptables functions
> directly, and then finally adding an equivalent virNftables backend
> that can be used instead of iptables (selected manually via a
> network.conf setting, or automatically if iptables isn't found on the
> host).
> 
> A first look at the result may have you thinking that it's filled with
> a lot of bad decisions. While I would agree with that in many cases, I
> think that overall they are the "least bad" decisions, or at least
> "bad within acceptable limits / no worse than something else", and
> point out that it's been done in a way that minimizes (actually
> eliminates) the need for immediate changes to nwfilter (the other
> consumer of iptables, which *also* needs to be updated to use native
> nftables), and makes it much easier to change our mind about the
> details in the future.
> 
> When I first started on this (long, protracted, repeatedly interrupted
> for extended periods - many of these patches are > a year old) task, I
> considered doing an all-at-once complete replacement of iptables with
> nftables, since all the Linux distros we support have had nftables for
> several years, and I'm pretty sure nobody has it disabled (not even
> sure if it's possible to disable nftables while still enabling
> iptables, since they both use xtables in the kernel). But due to
> libvirt's use of "-t mangle -j CHECKSUM --checksum-fill" (see commit
> fd5b15ff all the way back in July 2010 for details) which has no
> equivalent in nftables rules (and we don't *want* it to!!), and the
> desire to be able to easily switch back to iptables in case of an
> unforeseen regression, we decided that both iptables and nftables need
> to be supported (for now), with the default (for now) remaining as
> iptables.
> 
> Just allowing for dual backends complicated matters, since it means
> that we have to have a config file, a setting, detection of which
> backends are available, and of course some sort of concept of an
> abstracted frontend that can use either backend based on the config
> setting (and/or auto-detection). Combining that with the fact that it
> would just be "too big" of a project to switch over nwfilter's
> iptables usage at the same time means that we have to keep around a
> lot of existing code for compatibility's sake rather than just wiping
> it all away and starting over.
> 
> So, what I've ended up with is:
> 
> 1) a network.conf file (didn't exist before) with a single setting
> "firewall_backend". If unset, the network driver tries to use iptables
> on the backend, and if that's missing, then tries to use nftables.

When testing your git branch active-nft-10 leaving it unset didn't
work:

Running './src/libvirtd'...
2023-05-04 10:16:11.447+0000: 115377: info : libvirt version: 9.3.0
2023-05-04 10:16:11.447+0000: 115377: info : hostname: localhost.localdomain
2023-05-04 10:16:11.447+0000: 115377: error : virFirewallNew:118 : internal error: firewall_backend wasn't set, and no usable setting could be auto-detected
2023-05-04 10:16:11.447+0000: 115377: error : virNetFilterBackendUnsetError:51 : internal error: firewall_backend wasn't set, and no usable setting could be auto-detected
2023-05-04 10:16:11.447+0000: 115377: error : virNetFilterBackendUnsetError:51 : internal error: firewall_backend wasn't set, and no usable setting could be auto-detected
2023-05-04 10:16:11.473+0000: 115377: error : virFirewallNew:118 : internal error: firewall_backend wasn't set, and no usable setting could be auto-detected


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
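The backend selection rule described in the quoted series summary (honour an explicit firewall_backend setting, otherwise try iptables, then nftables, otherwise fail with the "no usable setting could be auto-detected" error that Daniel hit) can be written out as a small decision function. The block below is an added example, not libvirt's own code: the setting values "iptables" and "nftables", the fwHostTools probe table standing in for a real PATH lookup of the binaries, and every function and type name are assumptions made for the example.

```c
/* Added example (not libvirt code): resolve which firewall backend the
 * network driver should use, following the order described in the
 * series summary. The fwHostTools table is a hypothetical stand-in for
 * probing the host for iptables/nft binaries so the example runs offline. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    FW_BACKEND_NONE = 0,   /* no usable backend: see fwLastError() */
    FW_BACKEND_IPTABLES,
    FW_BACKEND_NFTABLES,
} fwBackend;

/* Hypothetical host probe result: which tools were found on the host. */
typedef struct {
    bool have_iptables;
    bool have_nftables;
} fwHostTools;

/* Constructed host profiles used by main() below and by tests. */
static const fwHostTools fwHostBoth    = { true,  true  };
static const fwHostTools fwHostNftOnly = { false, true  };
static const fwHostTools fwHostNeither = { false, false };

static char fwErrBuf[160];

/* Message explaining the most recent FW_BACKEND_NONE result. */
const char *fwLastError(void)
{
    return fwErrBuf;
}

/* setting: value of firewall_backend from network.conf, or NULL/"" if unset.
 * Returns the backend to use, or FW_BACKEND_NONE with fwLastError() set. */
fwBackend fwResolveBackend(const char *setting, const fwHostTools *host)
{
    fwErrBuf[0] = '\0';

    if (setting && *setting) {
        /* Explicit setting: use exactly what was asked for, never fall back
         * silently to the other backend. */
        if (strcmp(setting, "iptables") == 0) {
            if (host->have_iptables)
                return FW_BACKEND_IPTABLES;
            snprintf(fwErrBuf, sizeof fwErrBuf,
                     "firewall_backend 'iptables' was set but iptables is not usable");
            return FW_BACKEND_NONE;
        }
        if (strcmp(setting, "nftables") == 0) {
            if (host->have_nftables)
                return FW_BACKEND_NFTABLES;
            snprintf(fwErrBuf, sizeof fwErrBuf,
                     "firewall_backend 'nftables' was set but nftables is not usable");
            return FW_BACKEND_NONE;
        }
        snprintf(fwErrBuf, sizeof fwErrBuf,
                 "unknown firewall_backend '%s'", setting);
        return FW_BACKEND_NONE;
    }

    /* Unset: auto-detect. iptables is tried first because it remains the
     * default for now; nftables is used only when iptables is missing. */
    if (host->have_iptables)
        return FW_BACKEND_IPTABLES;
    if (host->have_nftables)
        return FW_BACKEND_NFTABLES;

    snprintf(fwErrBuf, sizeof fwErrBuf,
             "firewall_backend wasn't set, and no usable setting could be auto-detected");
    return FW_BACKEND_NONE;
}

static const char *fwBackendName(fwBackend b)
{
    switch (b) {
    case FW_BACKEND_IPTABLES: return "iptables";
    case FW_BACKEND_NFTABLES: return "nftables";
    default:                  return "none";
    }
}

int main(void)
{
    const char *settings[] = { NULL, "iptables", "nftables", "bogus" };
    const fwHostTools *hosts[] = { &fwHostBoth, &fwHostNftOnly, &fwHostNeither };

    for (size_t h = 0; h < 3; h++) {
        for (size_t s = 0; s < 4; s++) {
            fwBackend b = fwResolveBackend(settings[s], hosts[h]);
            printf("host%zu setting=%-8s -> %s%s%s\n", h,
                   settings[s] ? settings[s] : "(unset)", fwBackendName(b),
                   b == FW_BACKEND_NONE ? ": " : "",
                   b == FW_BACKEND_NONE ? fwLastError() : "");
        }
    }
    return 0;
}
```

The explicit-setting branch deliberately refuses to substitute the other backend: an administrator who pinned iptables to guard against an nftables regression should get an error, not a silent switch, and the unset case is where the iptables-then-nftables preference lives.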

