On Sat, Apr 26, 2025 at 09:42:35AM +0200, Roman Bogorodskiy wrote:
> Add BSD-specific platform flavor of the bridge driver which will be used
> as a base for Packet Filter (pf) based NAT networking implementation.
>
> Signed-off-by: Roman Bogorodskiy <bogorods...@gmail.com>
> ---
> po/POTFILES | 1 +
> src/network/bridge_driver_bsd.c | 101 +++++++++++++++++++++++++++
> src/network/bridge_driver_platform.c | 2 +
> 3 files changed, 104 insertions(+)
> create mode 100644 src/network/bridge_driver_bsd.c
>
> diff --git a/po/POTFILES b/po/POTFILES
> index 9747c38951..90664fe6e7 100644
> --- a/po/POTFILES
> +++ b/po/POTFILES
> @@ -145,6 +145,7 @@ src/lxc/lxc_hostdev.c
> src/lxc/lxc_native.c
> src/lxc/lxc_process.c
> src/network/bridge_driver.c
> +src/network/bridge_driver_bsd.c
> src/network/bridge_driver_conf.c
> src/network/bridge_driver_linux.c
> src/network/bridge_driver_nop.c
> diff --git a/src/network/bridge_driver_bsd.c b/src/network/bridge_driver_bsd.c
> new file mode 100644
> index 0000000000..93312fe6db
> --- /dev/null
> +++ b/src/network/bridge_driver_bsd.c
> @@ -0,0 +1,101 @@
> +/*
> + * Copyright (C) 2025 FreeBSD Foundation
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2.1 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library. If not, see
> + * <http://www.gnu.org/licenses/>.
> + */
> +
> +#include <config.h>
> +
> +#include "virlog.h"
> +
> +#define VIR_FROM_THIS VIR_FROM_NONE
> +
> +VIR_LOG_INIT("network.bridge_driver_bsd");
> +
> +static virErrorPtr errInitV4;
> +static virErrorPtr errInitV6;
> +
> +void networkPreReloadFirewallRules(virNetworkDriverState *driver
> G_GNUC_UNUSED,
> + bool startup G_GNUC_UNUSED,
> + bool force G_GNUC_UNUSED)
> +{
> +}
> +
> +
> +void networkPostReloadFirewallRules(bool startup G_GNUC_UNUSED)
> +{
> +}
> +
> +
> +int networkCheckRouteCollision(virNetworkDef *def G_GNUC_UNUSED)
> +{
> + return 0;
> +}
> +
> +int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED,
> + virFirewallBackend firewallBackend,
> + virFirewall **fwRemoval G_GNUC_UNUSED)
> +{
You should report an error if "def->bridgeZone" is non-NULL, similar to the way Linux reports it when firewalld is not available.

> + if (def->forward.type == VIR_NETWORK_FORWARD_OPEN) {
> + VIR_DEBUG("No firewall rules to add for mode='open' network '%s'",
> def->name);
> + } else {
> + VIR_DEBUG("Adding firewall rules for mode='%s' network '%s' using
> %s",
> + virNetworkForwardTypeToString(def->forward.type),
> + def->name,
> + virFirewallBackendTypeToString(firewallBackend));
> +
> + if (errInitV4 &&
> + (virNetworkDefGetIPByIndex(def, AF_INET, 0) ||
> + virNetworkDefGetRouteByIndex(def, AF_INET, 0))) {
> + virSetError(errInitV4);
> + return -1;
> + }
> +
> + if (errInitV6 &&
> + (virNetworkDefGetIPByIndex(def, AF_INET6, 0) ||
> + virNetworkDefGetRouteByIndex(def, AF_INET6, 0) ||
> + def->ipv6nogw)) {
> + virSetError(errInitV6);
> + return -1;
> + }
> +
> + /* now actually add the rules */
> + switch (firewallBackend) {
> + case VIR_FIREWALL_BACKEND_NONE:
> + virReportError(VIR_ERR_NO_SUPPORT, "%s",
> + _("No firewall backend is available"));
> + return -1;
> +
> + case VIR_FIREWALL_BACKEND_IPTABLES:
> + case VIR_FIREWALL_BACKEND_NFTABLES:
> + case VIR_FIREWALL_BACKEND_LAST:
> + virReportEnumRangeError(virFirewallBackend, firewallBackend);
> + return -1;
> + }
> + }
> + return 0;
> +}
> +
> +void
> +networkRemoveFirewallRules(virNetworkObj *obj,
> + bool unsetZone G_GNUC_UNUSED)
> +{
> + virNetworkDef *def = virNetworkObjGetDef(obj);
> + if (def->forward.type == VIR_NETWORK_FORWARD_OPEN) {
> + VIR_DEBUG("No firewall rules to remove for mode='open' network '%s'",
> + def->name);
> + return;
> + }
> +}
> diff --git a/src/network/bridge_driver_platform.c
> b/src/network/bridge_driver_platform.c
> index 9ddcb71063..42fbcdbc0b 100644
> --- a/src/network/bridge_driver_platform.c
> +++ b/src/network/bridge_driver_platform.c
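Review bot: In networkAddFirewallRules (src/network/bridge_driver_bsd.c) every case listed in `switch (firewallBackend)` returns -1, so the only path to `return 0` is the `VIR_NETWORK_FORWARD_OPEN` branch and any other forward mode is refused once this file is selected. Refusing is the safer direction for a firewall hook than starting a NAT or isolated network with no rules, but it should be stated rather than implied, e.g. `/* no pf backend yet: refuse every non-open network rather than start it unfiltered */` above the switch. The `errInitV4`/`errInitV6` checks before it are dead as written, because nothing in the new file assigns those statics; either drop them until an initialisation path sets them or mark the declarations with `/* never set on BSD yet */`. The signature also still tags `def` as `G_GNUC_UNUSED` although the body dereferences it.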
> @@ -25,6 +25,8 @@
>
> #if defined(__linux__)
> # include "bridge_driver_linux.c"
> +#elif defined(__FreeBSD__)
> +# include "bridge_driver_bsd.c"
> #else
> # include "bridge_driver_nop.c"
> #endif
> --
> 2.49.0
>
With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|