Comment # 1 on bug 1201510 from
I spent some time today trying to figure out how libvirt uses iptables and
friends. We already know libvirt supports firewalld and its nftables backend,
but the results of a quick experiment showed it uses iptables, ip6tables, and
ebtables in other ways. I built libvirt without support for iptables, installed
the resulting packages on a TW machine without iptables, and found many
libvirt-tck test failures along with an inability to start the 'default' network:

# virsh net-start default
error: Failed to start network default
error: Cannot find 'iptables' in path: No such file or directory

libvirt has two firewall abstractions. One for firewalld, which is implemented
by src/util/virtfirewalld.[ch]. The other is an abstraction over iptables,
ip6tables, and ebtables and is implemented in src/util/virfirewall.[ch]. The
latter has history prior to firewalld and (I assume) is still used due to cases
where firewalld is not installed or disabled.

The network and nwfilter drivers use the firewall abstraction directly, or
iptables and ebtables wrappers implemented in src/util/viriptables.[ch] and
src/util/virebtables.[ch] respectively. The network driver also uses the
firewalld abstraction, but afaict primarily to ensure firewalld (if enabled) is
configured properly to support any virtual networks the user has defined.

After a first look, I'm not sure how to go about "replacing" iptables and
friends with nftables. The nwfilter driver has a
src/nwfilter/nwfilter_ebiptables_driver.c backend. Presumably a
nwfilter_nftables_driver could be added as an optional backend.

The firewall abstraction uses the notion of a rule layer to decide which
iptables tool to use. Rules marked with VIR_FIREWALL_LAYER_ETHERNET use
ebtables, those marked with VIR_FIREWALL_LAYER_IPV4 use iptables, and those
marked with VIR_FIREWALL_LAYER_IPV6 use ip6tables. A new layer could be added
for nftables. Or, if nftables really can be used in place of the iptables tools
and it is pervasive in the Linux distros, then maybe the existing abstraction
can be replaced with an nftables one.

Whatever the approach, we'll need to coordinate with upstream on supporting
nftables as an option to iptables.
