https://bugzilla.suse.com/show_bug.cgi?id=1201510 Thomas Renninger <trenn@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jfehlig@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1201510 https://bugzilla.suse.com/show_bug.cgi?id=1201510#c1 --- Comment #1 from James Fehlig <jfehlig@suse.com> --- I spend some time today trying to figure out how libvirt uses iptables and friends. We already know libvirt supports firewalld and its nftables backend, but the results of a quick experiment showed it uses iptables, ip6tables, and ebtables in other ways. I build libvirt without support for iptables, installed the resulting packages on a TW machine without iptables, and found many libvirt-tck test failures along with inability to start the 'default' network # virsh net-start default error: Failed to start network default error: Cannot find 'iptables' in path: No such file or directory libvirt has two firewall abstractions. One for firewalld, which is implemented by src/util/virtfirewalld.[ch]. The other is an abstraction over iptables, ip6tables, and ebtables and is implemented in src/util/virfirewall.[ch]. The latter has history prior to firewalld and (I assume) is still used due to cases where firewalld is not installed or disabled. The network and nwfilter drivers use the firewall abstraction directly, or iptables and ebtables wrappers implemented in src/util/viriptables.[ch] and src/util/virebtables.[ch] respectively. The network driver also uses the firewalld abstraction, but afaict primarily to ensure firewalld (if enabled) is configured properly to support any virtual networks the user has defined. After a first look, I'm not sure how to go about "replacing" iptables and friends with nftables. The nwfilter driver has a src/nwfilter/nwfilter_ebiptables_driver.c backend. Presumably a nwfilter_nftables_driver could be added as an optional backend. The firewall abstraction uses the notion of a rule layer to decide which iptables tool to use. Rules marked with VIR_FIREWALL_LAYER_ETHERNET use ebtables, those marked with VIR_FIREWALL_LAYER_IPV4 use iptables, and VIR_FIREWALL_LAYER_IPV6 use ip6tables. A new layer could be added for nftables. Or if nftables really can be used in place of the iptables tools and it is pervasive in the linux distros, then maybe the existing abstraction can be replaced with an nftables one. Whatever the approach, we'll need to coordinate with upstream on supporting nftables as an option to iptables. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1201510 https://bugzilla.suse.com/show_bug.cgi?id=1201510#c3 --- Comment #3 from James Fehlig <jfehlig@suse.com> --- (In reply to Santiago Zarate from comment #2)

iptables-backend-nft should help here.

I remember thinking about that while doing the investigation for comment #1. But now that I've looked closer, I'm not sure how it will help. libvirt currently 'BuildRequires' iptables, and the libvirt-daemon-driver-{network,nwfilter} subpackages 'Requires' iptables. I can substitute that for iptables-backend-nft, but I see iptables-backend-nft itself 'Requires' iptables. Or it's quite possible I'm missing how you envision iptables-backend-nft will help :-). -- You are receiving this mail because: You are on the CC list for the bug.