network: bridge_driver: add BSD implementation
authorRoman Bogorodskiy <bogorodskiy@gmail.com>
Tue, 22 Apr 2025 17:07:32 +0000 (19:07 +0200)
committerRoman Bogorodskiy <bogorodskiy@gmail.com>
Sat, 23 Aug 2025 07:59:49 +0000 (09:59 +0200)
Add a BSD-specific platform flavor of the bridge driver which will be used
as the base for a Packet Filter (pf) based NAT networking implementation.

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
po/POTFILES
src/network/bridge_driver_bsd.c [new file with mode: 0644]
src/network/bridge_driver_conf.c
src/network/bridge_driver_platform.c

index 084f60ba00a51df2fa943f6a88cb38f5db686662..dc7293d0cd5aa6192995c687b5c81b2988a6f133 100644 (file)
@@ -145,6 +145,7 @@ src/lxc/lxc_hostdev.c
 src/lxc/lxc_native.c
 src/lxc/lxc_process.c
 src/network/bridge_driver.c
+src/network/bridge_driver_bsd.c
 src/network/bridge_driver_conf.c
 src/network/bridge_driver_linux.c
 src/network/bridge_driver_nop.c
diff --git a/src/network/bridge_driver_bsd.c b/src/network/bridge_driver_bsd.c
new file mode 100644 (file)
index 0000000..2e7c354
--- /dev/null
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) 2025 FreeBSD Foundation
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#include "virlog.h"
+#include "network_pf.h"
+
+#define VIR_FROM_THIS VIR_FROM_NONE
+
+VIR_LOG_INIT("network.bridge_driver_bsd");
+
+
+void networkPreReloadFirewallRules(virNetworkDriverState *driver G_GNUC_UNUSED,
+                                   bool startup G_GNUC_UNUSED,
+                                   bool force G_GNUC_UNUSED)
+{
+}
+
+
+void networkPostReloadFirewallRules(bool startup G_GNUC_UNUSED)
+{
+}
+
+
+int networkCheckRouteCollision(virNetworkDef *def G_GNUC_UNUSED)
+{
+    return 0;
+}
+
+int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED,
+                            virFirewallBackend firewallBackend,
+                            virFirewall **fwRemoval G_GNUC_UNUSED)
+{
+    if (def->bridgeZone) {
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("zone %1$s requested for network %2$s but firewalld is not supported on BSD"),
+                       def->bridgeZone, def->name);
+        return -1;
+    }
+
+    if (def->forward.type == VIR_NETWORK_FORWARD_OPEN) {
+        VIR_DEBUG("No firewall rules to add for mode='open' network '%s'", def->name);
+    } else {
+        VIR_DEBUG("Adding firewall rules for mode='%s' network '%s' using %s",
+                  virNetworkForwardTypeToString(def->forward.type),
+                  def->name,
+                  virFirewallBackendTypeToString(firewallBackend));
+
+        /* now actually add the rules */
+        switch (firewallBackend) {
+        case VIR_FIREWALL_BACKEND_NONE:
+            virReportError(VIR_ERR_NO_SUPPORT, "%s",
+                           _("No firewall backend is available"));
+            return -1;
+
+        case VIR_FIREWALL_BACKEND_PF:
+            return pfAddFirewallRules(def);
+
+        case VIR_FIREWALL_BACKEND_IPTABLES:
+        case VIR_FIREWALL_BACKEND_NFTABLES:
+        case VIR_FIREWALL_BACKEND_LAST:
+            virReportEnumRangeError(virFirewallBackend, firewallBackend);
+            return -1;
+        }
+    }
+    return 0;
+}
+
+void
+networkRemoveFirewallRules(virNetworkObj *obj,
+                           bool unsetZone G_GNUC_UNUSED)
+{
+    virNetworkDef *def = virNetworkObjGetDef(obj);
+
+    if (def->forward.type == VIR_NETWORK_FORWARD_OPEN) {
+        VIR_DEBUG("No firewall rules to remove for mode='open' network '%s'",
+                  def->name);
+        return;
+    }
+
+    pfRemoveFirewallRules(def);
+}
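Review bot: `def` is annotated `G_GNUC_UNUSED` in the `networkAddFirewallRules` signature yet is dereferenced a few lines later (`def->bridgeZone`, `def->name`) and handed to `pfAddFirewallRules`, so the attribute is misleading and the parameter line should read `int networkAddFirewallRules(virNetworkDef *def,`. `fwRemoval` on the other hand really is untouched, so the caller's `*fwRemoval` is never assigned on this platform; if the caller uses that object for teardown elsewhere, this flavour instead relies on `networkRemoveFirewallRules` calling `pfRemoveFirewallRules(def)` unconditionally for every non-open network, which may also run for a network whose add path returned -1 via `VIR_FIREWALL_BACKEND_NONE`. A short comment above that call such as `/* no fwRemoval object on BSD: pf removal must tolerate rules that were never added */` would make the expected idempotence explicit. The file also drops the two-blank-line separation between functions before `networkAddFirewallRules` and `networkRemoveFirewallRules` that the earlier definitions in the same file use.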
index 309d64fa848061eebc92905bbc2f2a812e40336f..280c0f9c4f723859335f2a48a1178cd0be118556 100644 (file)
@@ -130,6 +130,10 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED,
         }
 
         case VIR_FIREWALL_BACKEND_PF: {
+            g_autofree char *pfctlInPath = virFindFileInPath(PFCTL);
+
+            if (pfctlInPath)
+                fwBackendSelected = true;
             break;
         }
 
index 9ddcb7106350a9e48c7ba640cc83154da06996db..42fbcdbc0b302f4e4ba7eef33405125cb01461d1 100644 (file)
@@ -25,6 +25,8 @@
 
 #if defined(__linux__)
 # include "bridge_driver_linux.c"
+#elif defined(__FreeBSD__)
+# include "bridge_driver_bsd.c"
 #else
 # include "bridge_driver_nop.c"
 #endif
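Review bot: The new branch is guarded by `__FreeBSD__` alone while the included file and the commit title call it the "BSD" implementation, so OpenBSD and NetBSD hosts silently fall through to `bridge_driver_nop.c` even though they ship pf. If that narrowing is deliberate (pf rule syntax and pfctl behaviour differ between the BSD variants, so widening the guard is not obviously safe), a comment on the `#elif` line such as `/* only FreeBSD pf is supported by bridge_driver_bsd.c */` would document the choice; otherwise the guard should be revisited together with `network_pf.h`.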