From 4462b85a5688ed0fe8388941d949f75866a0b5c4 Mon Sep 17 00:00:00 2001
From: Roman Bogorodskiy
Date: Tue, 22 Apr 2025 19:07:32 +0200
Subject: [PATCH] network: bridge_driver: add BSD implementation

Add BSD-specific platform flavor of the bridge driver which will be used as a base for Packet Filter (pf) based NAT networking implementation.

Signed-off-by: Roman Bogorodskiy
Reviewed-by: Michal Privoznik
---
 po/POTFILES | 1 +
 src/network/bridge_driver_bsd.c | 98 ++++++++++++++++++++++++++++
 src/network/bridge_driver_conf.c | 4 ++
 src/network/bridge_driver_platform.c | 2 +
 4 files changed, 105 insertions(+)
 create mode 100644 src/network/bridge_driver_bsd.c
diff --git a/po/POTFILES b/po/POTFILES
index 084f60ba00..dc7293d0cd 100644
--- a/po/POTFILES
+++ b/po/POTFILES
@@ -145,6 +145,7 @@ src/lxc/lxc_hostdev.c
 src/lxc/lxc_native.c
 src/lxc/lxc_process.c
 src/network/bridge_driver.c
+src/network/bridge_driver_bsd.c
 src/network/bridge_driver_conf.c
 src/network/bridge_driver_linux.c
 src/network/bridge_driver_nop.c
diff --git a/src/network/bridge_driver_bsd.c b/src/network/bridge_driver_bsd.c
new file mode 100644
index 0000000000..2e7c354237
--- /dev/null
+++ b/src/network/bridge_driver_bsd.c
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) 2025 FreeBSD Foundation
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * .
+ */
+
+#include
+
+#include "virlog.h"
+#include "network_pf.h"
+
+#define VIR_FROM_THIS VIR_FROM_NONE
+
+VIR_LOG_INIT("network.bridge_driver_bsd");
+
+
+void networkPreReloadFirewallRules(virNetworkDriverState *driver G_GNUC_UNUSED,
+ bool startup G_GNUC_UNUSED,
+ bool force G_GNUC_UNUSED)
+{
+}
+
+
+void networkPostReloadFirewallRules(bool startup G_GNUC_UNUSED)
+{
+}
+
+
+int networkCheckRouteCollision(virNetworkDef *def G_GNUC_UNUSED)
+{
+ return 0;
+}
+
+int networkAddFirewallRules(virNetworkDef *def G_GNUC_UNUSED,
+ virFirewallBackend firewallBackend,
+ virFirewall **fwRemoval G_GNUC_UNUSED)
+{
+ if (def->bridgeZone) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("zone %1$s requested for network %2$s but firewalld is not supported on BSD"),
+ def->bridgeZone, def->name);
+ return -1;
+ }
+
+ if (def->forward.type == VIR_NETWORK_FORWARD_OPEN) {
+ VIR_DEBUG("No firewall rules to add for mode='open' network '%s'", def->name);
+ } else {
+ VIR_DEBUG("Adding firewall rules for mode='%s' network '%s' using %s",
+ virNetworkForwardTypeToString(def->forward.type),
+ def->name,
+ virFirewallBackendTypeToString(firewallBackend));
+
+ /* now actually add the rules */
+ switch (firewallBackend) {
+ case VIR_FIREWALL_BACKEND_NONE:
+ virReportError(VIR_ERR_NO_SUPPORT, "%s",
+ _("No firewall backend is available"));
+ return -1;
+
+ case VIR_FIREWALL_BACKEND_PF:
+ return pfAddFirewallRules(def);
+
+ case VIR_FIREWALL_BACKEND_IPTABLES:
+ case VIR_FIREWALL_BACKEND_NFTABLES:
+ case VIR_FIREWALL_BACKEND_LAST:
+ virReportEnumRangeError(virFirewallBackend, firewallBackend);
+ return -1;
+ }
+ }
+ return 0;
+}
+
+void
+networkRemoveFirewallRules(virNetworkObj *obj,
+ bool unsetZone G_GNUC_UNUSED)
+{
+ virNetworkDef *def = virNetworkObjGetDef(obj);
+
+ if (def->forward.type == VIR_NETWORK_FORWARD_OPEN) {
+ VIR_DEBUG("No firewall rules to remove for mode='open' network '%s'",
+ def->name);
+ return;
+ }
+
+ pfRemoveFirewallRules(def);
+}
diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_conf.c
index 309d64fa84..280c0f9c4f 100644
--- a/src/network/bridge_driver_conf.c
+++ b/src/network/bridge_driver_conf.c
@@ -130,6 +130,10 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED,
 } case VIR_FIREWALL_BACKEND_PF: { + g_autofree char *pfctlInPath = virFindFileInPath(PFCTL); + + if (pfctlInPath) + fwBackendSelected = true; break; }
diff --git a/src/network/bridge_driver_platform.c b/src/network/bridge_driver_platform.c
index 9ddcb71063..42fbcdbc0b 100644
--- a/src/network/bridge_driver_platform.c
+++ b/src/network/bridge_driver_platform.c
@@ -25,6 +25,8 @@
 #if defined(__linux__) # include "bridge_driver_linux.c" +#elif defined(__FreeBSD__) +# include "bridge_driver_bsd.c" #else # include "bridge_driver_nop.c" #endif
-- 
2.47.3
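Review bot: `networkCheckRouteCollision` returns 0 unconditionally with no comment, so a reader cannot tell whether route-collision checking is deliberately unsupported on BSD or still to be written; presumably a network whose subnet overlaps an existing host route is started without any report. A one-line comment such as `/* Route collision detection is not implemented on BSD; always reports no collision. */` would make the stub explicit. In `networkAddFirewallRules`, `def` carries `G_GNUC_UNUSED` yet is dereferenced on the following lines (`def->bridgeZone`, `def->name`), so the attribute should be dropped. `fwRemoval` is never written, which means rule teardown appears to rest entirely on `networkRemoveFirewallRules` calling `pfRemoveFirewallRules(def)` without consulting the configured backend; worth confirming that is intended, since the add path rejects `VIR_FIREWALL_BACKEND_NONE` but the remove path has no such branch. `network_pf.h`, `pfAddFirewallRules` and `pfRemoveFirewallRules` are not part of this patch, so they are presumably supplied by an earlier patch in the series.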
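Review bot: The PF case marks the backend as selected on `virFindFileInPath(PFCTL)` alone, so the presence of a pfctl binary is taken as proof the backend is usable, while whether pf is actually enabled in the running kernel is not checked here and would presumably surface only when rules are applied. If the iptables/nftables cases above (outside this hunk) use the same binary-on-PATH test this is at least consistent, but a comment recording the limitation would help the next reader: `/* Only verifies pfctl is installed, not that pf is enabled in the kernel. */`. The enclosing `virNetworkLoadDriverConfig` starts and ends outside the hunk.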
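Review bot: The new branch is guarded by `__FreeBSD__` only, while the included file is named `bridge_driver_bsd.c` and the commit message describes it as the BSD flavor; on other BSDs the nop driver is still selected even though the PF backend selection in bridge_driver_conf.c is not gated the same way. If the narrowing is intentional, a comment on the `#elif` line would record it, e.g. `#elif defined(__FreeBSD__) /* other BSDs fall through to the nop driver */`; otherwise the condition should match the platforms the pf backend is meant to serve.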