netfilter_complete() currently rejects every filter attached to a vhost-backed netdev. That prevents filter-redirector from being used on the TAP backends that handle switchover capture and replay.
Permit filter-redirector on vhost-backed TAP netdevs, but keep the gate narrow: other filters are still rejected and non-TAP backends remain unsupported. Later commits can widen the filter set without duplicating the backend restriction. Signed-off-by: Cindy Lu <[email protected]> --- net/filter.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/net/filter.c b/net/filter.c index 76345c1a9d..b9646b9e00 100644 --- a/net/filter.c +++ b/net/filter.c @@ -255,8 +255,19 @@ static void netfilter_complete(UserCreatable *uc, Error **errp) } if (get_vhost_net(ncs[0])) { - error_setg(errp, "Vhost is not supported"); - return; + bool redirector = object_dynamic_cast(OBJECT(uc), + "filter-redirector"); + bool buffer = object_dynamic_cast(OBJECT(uc), "filter-buffer"); + bool vhost_filter = redirector || buffer; + + if (!redirector) { + error_setg(errp, "Vhost is not supported"); + return; + } + if (vhost_filter && ncs[0]->info->type != NET_CLIENT_DRIVER_TAP) { + error_setg(errp, "Vhost filter support requires a TAP backend"); + return; + } } if (strcmp(nf->position, "head") && strcmp(nf->position, "tail")) { -- 2.52.0
