ping
On 20.03.2020 12:25, nshirokovskiy wrote:
> Hi, all.
>
>
>
> Some time ago I posted RFC [1] concerning an issue of unresponsive
>
> libvird during restart if there is large number of VMs that have network
>
> filters on their interfaces. It was identified that in most cases we
>
> don't need actually to reinstall network filter rules on daemon restart.
>
> Thus I proposed patches [2] that check whether we need to reapply rules
>
> or not.
>
>
>
> The first version has a drawback that daemon won't reapply rules if
>
> someone mangled them between daemon stop and start (and this can be done
>
> just by restarting firewalld). The second one is just ugly :)
>
>
>
> Around that time Florian Westphal in a letter off the mailing list
>
> suggested to use {iptables|ebtables}-restore to apply rules in one
>
> binary call. These binaries has --noflush option so that we won't reset
>
> current state of tables. We also need one more -L call for
>
> iptables/ebtables to query current filter state to be able to construct
>
> input for restore binaries.
>
>
>
> I wonder can we use this approach? I see currently only one issue - we
>
> won't use firealld to spawn rules. But why we need to spawn rules
>
> through firewalld if it present? We use passthrough mode anyway. I tried
>
> to dig history for hints but didn't found anything. Patch [3] introduced
>
> spawning rules thru firewalld-cmd.
>
>
>
> Nikolay
>
>
>
> [1] [RFC] Faster libvirtd restart with nwfilter rules
>
> https://www.redhat.com/archives/libvir-list/2018-September/msg01206.html
>
>
>
> [2] nwfilter: don't reinstantiate filters if they are not changed
>
> v1: https://www.redhat.com/archives/libvir-list/2018-October/msg00904.html
>
> v2: https://www.redhat.com/archives/libvir-list/2018-October/msg01317.html
>
>
>
> [3] network: use firewalld instead of iptables, when available
>
> v0: https://www.redhat.com/archives/libvir-list/2012-April/msg01236.html
>
> v1: https://www.redhat.com/archives/libvir-list/2012-August/msg00447.html
>
> ...
>
> v4: https://www.redhat.com/archives/libvir-list/2012-August/msg01097.html
>
>