Brian Rak
2014-Mar-26 19:50 UTC
[libvirt-users] Recreating nwfilter rules without a restart
Let's say I have some iptables rules defined to restrict guest traffic. If I restart the host's firewall with 'service iptables restart', all the guest-specific rules get blown away.

Is there a way to reapply all the guest firewall rules, without restarting each individual guest?

It looks like if I edit a nwfilter with `virsh nwfilter-edit` it goes and reapplies the rules to all the guests, so this functionality seems to be present already.
Brian Rak
2014-Mar-26 21:31 UTC
Re: [libvirt-users] Recreating nwfilter rules without a restart
On 3/26/2014 3:50 PM, Brian Rak wrote:
> Let's say I have some iptables rules defined to restrict guest
> traffic. If I restart the host's firewall 'service iptables restart',
> all the guest-specific rules get blown away.
>
> Is there a way to reapply all the guest firewall rules, without
> restarting each individual guest?
>
> It looks like if I edit a nwfilter with `virsh nwfilter-edit` it goes
> and reapplies the rules to all the guests, so this functionality seems
> to be present already.
>

This is nowhere close to an optimal solution, but the following python script will kick off a reload of all the defined nwfilter rulesets (assuming they have at least one rule with a <mac> match present). In our environment, they do, so this works okay. Did I mention what a terrible hack this is?

#!/usr/bin/python2.7
FILTERS_TO_RELOAD = [
    'clean-traffic',
    'my-filter',
]

import sys
import libvirt, time
from xml.etree import ElementTree

conn = libvirt.open(None)
if conn is None:
    sys.stderr.write('Failed to connect\n')
    sys.exit(1)

for id in conn.listAllNWFilters():
    if not id.name() in FILTERS_TO_RELOAD:
        continue
    print "Reloading ", id.name()
    myxml = id.XMLDesc()
    tree = ElementTree.fromstring(myxml)
    # Touch the last <mac> rule so the definition differs from the stored one
    mac = tree.findall('rule/mac')[-1]
    mac.set('comment', 'reloaded at ' + time.strftime('%F %T'))
    myxml = ElementTree.tostring(tree)
    # Re-defining a changed filter makes libvirt rebuild it on every guest
    conn.nwfilterDefineXML(myxml).XMLDesc()

It looks like the actual function I want is either virNWFilterTriggerVMFilterRebuild or virNWFilterInstFiltersOnAllVMs, but I can't seem to figure out how to get virsh to be able to access either of these.
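The same re-define trick, written as an added example (not the poster's script and not libvirt's own code) that drops the "at least one <mac> rule" limitation: it stamps a comment attribute onto whichever protocol element (mac, ip, tcp, ...) the last rule carries, and reports filters that have no rule at all instead of crashing. It assumes libvirt only rebuilds a filter whose re-defined XML differs from the stored one, that every protocol element accepts a comment attribute, and that the filter names in FILTERS_TO_RELOAD are placeholders for the ones on your host; the sample filter XML is constructed for the offline demo.

```python
#!/usr/bin/env python3
"""Force libvirt to rebuild guest firewall rules by re-defining nwfilters.

Assumption (not from the thread): libvirt skips the rebuild when the
re-defined filter is identical to the stored one, so a harmless change
(a 'comment' attribute on one rule) is stamped in before the call.
"""
import sys
import time
import xml.etree.ElementTree as ET

# Placeholder names; replace with the filters actually used on the host.
FILTERS_TO_RELOAD = ['clean-traffic', 'my-filter']

# Constructed sample filter for the offline demo (uuid is a dummy value).
SAMPLE_FILTER_XML = (
    "<filter name='my-filter' chain='root'>"
    "<uuid>00000000-0000-0000-0000-000000000000</uuid>"
    "<rule action='drop' direction='out'><ip srcipaddr='10.0.0.1'/></rule>"
    "</filter>"
)


def stamp_filter_xml(xml_text, stamp):
    """Return (new_xml, changed).

    Sets comment='reloaded at <stamp>' on the protocol element of the
    last <rule>, whatever protocol it matches, so filters without a <mac>
    rule work too.  A filter with no rules (for example one that only
    holds <filterref> entries) comes back unchanged with changed=False.
    """
    root = ET.fromstring(xml_text)
    for rule in reversed(root.findall('rule')):
        protocols = list(rule)          # a <rule> holds at most one protocol element
        if protocols:
            protocols[0].set('comment', 'reloaded at ' + stamp)
            return ET.tostring(root, encoding='unicode'), True
    return xml_text, False


def reload_filters(conn, names, stamp=None):
    """Re-define each named filter on `conn`; return (reloaded, skipped).

    `conn` only needs listAllNWFilters() and nwfilterDefineXML(), and the
    filter objects only need name() and XMLDesc(), so a fake connection
    can drive this function without a hypervisor.
    """
    stamp = stamp or time.strftime('%F %T')
    reloaded, skipped = [], []
    for nwf in conn.listAllNWFilters():
        if nwf.name() not in names:
            continue
        new_xml, changed = stamp_filter_xml(nwf.XMLDesc(), stamp)
        if not changed:
            skipped.append(nwf.name())  # nothing to stamp: redefining would be a no-op
            continue
        conn.nwfilterDefineXML(new_xml)  # same uuid, so the filter is updated in place
        reloaded.append(nwf.name())
    return reloaded, skipped


def main():
    import libvirt                      # imported here so the helpers need no libvirt
    conn = libvirt.open(None)
    if conn is None:
        sys.stderr.write('Failed to connect to libvirtd\n')
        return 1
    reloaded, skipped = reload_filters(conn, FILTERS_TO_RELOAD)
    for name in reloaded:
        print('reloaded', name)
    for name in skipped:
        print('skipped (no rule to stamp):', name)
    return 0


if __name__ == '__main__':
    sys.exit(main())
```

Run it as root (or as a user allowed to define nwfilters) on the host after the firewall restart; a filter listed as skipped contains no rule to stamp and has to be reloaded by another route, such as re-defining one of the filters it references.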