Andre Goree
2018-Feb-16  16:59 UTC
[libvirt-users] Possible to edit/apply nwfilter at runtime?
I'm trying to determine if it's possible to edit/attach/apply nwfilter rules at runtime? I.e., after a VM is already running, can I apply a nwfilter to the VM and have it work without rebooting the machine? Thus far, I've not come across a way to do so, but I thought I'd ask here before I chase my tail around Google.

Thanks!

--
Andre Goree
-=-=-=-=-=-
Email - andre at drenet.net
Website - http://blog.drenet.net
PGP key - http://www.drenet.net/pubkey.html
-=-=-=-=-=-
Daniel P. Berrangé
2018-Feb-16  17:12 UTC
Re: [libvirt-users] Possible to edit/apply nwfilter at runtime?
On Fri, Feb 16, 2018 at 11:59:42AM -0500, Andre Goree wrote:
> I'm trying to determine if it's possible to edit/attach/apply nwfilter rules
> at runtime? I.e., after a VM is already running, can I apply a nwfilter to
> the VM and have it work without rebooting the machine? Thus far, I've not
> come across a way to do so, but I thought I'd ask here before I chase my
> tail around Google.

Simply re-define the nwfilter in question using virsh nwfilter-define. Any VMs using that filter will automatically update.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Andre Goree
2018-Feb-16  18:44 UTC
Re: [libvirt-users] Possible to edit/apply nwfilter at runtime?
On 2018/02/16 12:12 pm, Daniel P. Berrangé wrote:
> On Fri, Feb 16, 2018 at 11:59:42AM -0500, Andre Goree wrote:
>> I'm trying to determine if it's possible to edit/attach/apply nwfilter rules
>> at runtime? I.e., after a VM is already running, can I apply a nwfilter to
>> the VM and have it work without rebooting the machine? Thus far, I've not
>> come across a way to do so, but I thought I'd ask here before I chase my
>> tail around Google.
>
> Simply re-define the nwfilter in question using virsh nwfilter-define.
> Any VMs using that filter will automatically update.
>
> Regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

Thank you for the quick reply.

As for adding the nwfilter to a guest that does not already have the filter, will that guest need to be rebooted? Or can I add it to the guest via 'virsh edit'? I ask because, from what I can tell, adding a new filter via 'virsh edit' doesn't seem to work -- though it's good to know that once a 'filterref' has been defined in the guest, it can be adjusted on the fly.

--
Andre Goree
-=-=-=-=-=-
Email - andre at drenet.net
Website - http://blog.drenet.net
PGP key - http://www.drenet.net/pubkey.html
-=-=-=-=-=-
Andre Goree
2018-Mar-30  20:29 UTC
Re: [libvirt-users] Possible to edit/apply nwfilter at runtime?
On 2018/02/16 12:12 pm, Daniel P. Berrangé wrote:
> On Fri, Feb 16, 2018 at 11:59:42AM -0500, Andre Goree wrote:
>> I'm trying to determine if it's possible to edit/attach/apply nwfilter rules
>> at runtime? I.e., after a VM is already running, can I apply a nwfilter to
>> the VM and have it work without rebooting the machine? Thus far, I've not
>> come across a way to do so, but I thought I'd ask here before I chase my
>> tail around Google.
>
> Simply re-define the nwfilter in question using virsh nwfilter-define.
> Any VMs using that filter will automatically update.
>
> Regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

I've run into an issue here that I thought you might have some insight on.

I can't seem to "re-define" a nwfilter. I must first 'virsh nwfilter-undefine' then 'virsh nwfilter-define', or else use 'virsh nwfilter-edit'. The problem being, I cannot use nwfilter-edit from a script :/

My real problem is that if I want to add to and/or adjust a filter for a VM, I basically have to call 'virsh update-device ...' which unfortunately leaves the VM wide-open for a short period of time, which is very undesirable. I wonder if there's a way to edit the nwfilter _without_ libvirt having to drop the filter for the VM before applying any changes.

--
Andre Goree
-=-=-=-=-=-
Email - andre at drenet.net
Website - http://blog.drenet.net
PGP key - http://www.drenet.net/pubkey.html
-=-=-=-=-=-
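An added example, not part of the thread and not libvirt's own code: one way to prepare a scripted re-define for `virsh nwfilter-define`, by copying the name-checked `<uuid>` of the currently defined filter into the replacement XML. It assumes libvirt rejects a definition whose UUID differs from that of an existing filter with the same name and generates a fresh UUID when none is given; the filter name `web-only`, the UUID, the rules and the helper `build_redefinition` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `virsh nwfilter-dumpxml web-only` output (not from the thread).
CURRENT_XML = """<filter name='web-only' chain='root'>
  <uuid>11111111-2222-3333-4444-555555555555</uuid>
  <rule action='accept' direction='in' priority='500'><tcp dstportstart='80'/></rule>
  <rule action='drop' direction='in' priority='1000'><all/></rule>
</filter>"""

# Constructed replacement rules, written by hand without a <uuid> element.
DESIRED_XML = """<filter name='web-only' chain='root'>
  <rule action='accept' direction='in' priority='500'><tcp dstportstart='80'/></rule>
  <rule action='accept' direction='in' priority='500'><tcp dstportstart='443'/></rule>
  <rule action='drop' direction='in' priority='1000'><all/></rule>
</filter>"""


def build_redefinition(current_xml: str, desired_xml: str) -> str:
    """Return desired_xml carrying the UUID of the already defined filter."""
    current = ET.fromstring(current_xml)
    desired = ET.fromstring(desired_xml)
    if current.tag != "filter" or desired.tag != "filter":
        raise ValueError("both documents must have a <filter> root")
    if current.get("name") != desired.get("name"):
        raise ValueError("filter name differs; this would define a second filter")
    uuid = (current.findtext("uuid") or "").strip()
    if not uuid:
        raise ValueError("current definition has no <uuid> to carry over")
    # Discard any UUID in the new XML so exactly one, the existing one, remains.
    for stale in desired.findall("uuid"):
        desired.remove(stale)
    node = ET.Element("uuid")
    node.text = uuid
    node.tail = "\n  "
    desired.insert(0, node)
    return ET.tostring(desired, encoding="unicode")


if __name__ == "__main__":
    # Save this output to a file and pass the file to `virsh nwfilter-define`.
    print(build_redefinition(CURRENT_XML, DESIRED_XML))
```

The filter is never undefined in this flow, so guests that already reference it by `filterref` keep a filter attached while the rules change.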