From 3855f9fbd4fe16490f31218aa96b80600e5f638d Mon Sep 17 00:00:00 2001 From: Laine Stump Date: Sun, 21 Apr 2024 14:10:37 -0400 Subject: [PATCH] network: prefer the nftables backend over iptables MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The patch that added the nftables backend for virtual networks left iptables as the default backend when both nftables and iptables are installed. The only functional difference between the two backends is that the nftables backend doesn't add any rules to fix up the checksum of DHCP packets, which will cause failures on guests with very old OSes (e.g. RHEL5) that have a virtio-net network interface using vhost packet processing (the default), connected to a libvirt virtual network, and configured to acquire the interface IP using DHCP. Since RHEL5 has been out of support for several years already, we might as well start off nftables support right by making it the default. Distros that aren't quite ready to default to nftables (e.g. maybe they're rebasing libvirt within a release and don't want to surprise anyone with an automatic switch from iptables to nftables) can simply run meson with "-Dfirewall_backend=iptables" during their official package build. In the extremely unlikely case that this causes a problem for a user, they can work around the failure by adding " to the guest element. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- meson_options.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meson_options.txt b/meson_options.txt index cd2b9acc79..ad354a8668 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -115,8 +115,8 @@ option('dtrace', type: 'feature', value: 'auto', description: 'use dtrace for st option('firewalld', type: 'feature', value: 'auto', description: 'firewalld support') # dep:firewalld option('firewalld_zone', type: 'feature', value: 'auto', description: 'whether to install firewalld libvirt zone') -option('firewall_backend_default_1', type: 'string', value: 'iptables', description: 'first firewall backend to try when none is specified') -option('firewall_backend_default_2', type: 'string', value: 'nftables', description: 'second firewall backend to try when none is specified (and first is unavailable)') +option('firewall_backend_default_1', type: 'string', value: 'nftables', description: 'first firewall backend to try when none is specified') +option('firewall_backend_default_2', type: 'string', value: 'iptables', description: 'second firewall backend to try when none is specified (and first is unavailable)') option('host_validate', type: 'feature', value: 'auto', description: 'build virt-host-validate') option('init_script', type: 'combo', choices: ['systemd', 'openrc', 'check', 'none'], value: 'check', description: 'Style of init script to install') option('loader_nvram', type: 'string', value: '', description: 'Pass list of pairs of : paths. Both pairs and list items are separated by a colon.')