On 08.05.2020 06:46, Laine Stump wrote:
> On 3/20/20 5:25 AM, nshirokovskiy wrote:
>> Hi, all.
>>
>> Some time ago I posted RFC [1] concerning an issue of unresponsive
>> libvirtd during restart if there is a large number of VMs that have network
>> filters on their interfaces. It was identified that in most cases we
>> don't actually need to reinstall network filter rules on daemon restart.
>> Thus I proposed patches [2] that check whether we need to reapply rules
>> or not.
>>
>> The first version has a drawback that daemon won't reapply rules if
>> someone mangled them between daemon stop and start (and this can be done
>> just by restarting firewalld). The second one is just ugly :)
>>
>> Around that time Florian Westphal in a letter off the mailing list
>> suggested using {iptables|ebtables}-restore to apply rules in one
>> binary call. These binaries have a --noflush option so that we won't reset
>> the current state of tables. We also need one more -L call for
>> iptables/ebtables to query the current filter state to be able to construct
>> input for the restore binaries.
>
>
> So are you considering doing something with this idea? At the end of our
> discussion, both libvirt and firewalld people agreed that we're gaining
> nothing from setting our rules via firewalld passthrough, and we would be
> potentially gaining *a lot* by setting them in batch mode with
> "iptables-restore -n".
>
>
> Perhaps we could just add a new firewall backend (in util/virfirewall.c) that
> checked for the presence of iptables-restore (and ip6tables-restore and
> ebtables-restore), and if they are found it would use a backend that just put
> all the rules for each layer together in a temporary file and send them to
> *-restore (the internals would need to be reorganized a bit, so that args
> like -w, -l, and -n could be added in during virFirewallApply (if necessary)
> rather than when initially adding rules).
>
>
> Ooh! I just tried it, and iptables-restore also accepts (and acts on) lines
> with "-D" to delete rules! So we could do everything in a single go -
> intermixing -D and -A rules in the same file (to minimize the time when the
> firewall would be incorrect while still taking advantage of the efficiency of
> doing everything in a batch).
>
>
Hi! Yeah, I'd want to write such a patch. Just not sure when I have time to
get started.
Nikolay
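The batching idea discussed above (one iptables-restore call per table, --noflush so existing rules are kept, -D and -A lines intermixed in the same input), as an added shell example. This is not libvirt's code and not part of the original thread; the rule list, the chain names and the vnet0 interface are constructed for illustration, and the use of --test as a dry run and --wait for the xtables lock are iptables-restore options assumed to be present on a current iptables build:

```shell
#!/bin/sh
# Added example, not libvirt code: assemble one iptables-restore batch for the
# filter table that mixes -D and -A lines, dry-run it, then commit it with
# --noflush so that everything else in the table is left untouched.
set -u

# Constructed rule list for this example. Format: "<op> <chain> <rule spec>",
# where op is A (append) or D (delete). The delete of an old rule is listed
# right before the append that replaces it, so the window in which neither
# rule is present is as short as the batch allows.
RULES='
D FORWARD -i vnet0 -j ACCEPT
A FORWARD -i vnet0 -m state --state NEW,ESTABLISHED -j ACCEPT
D INPUT -i vnet0 -p udp --dport 67 -j ACCEPT
A INPUT -i vnet0 -p udp --dport 67 -j ACCEPT
'

# build_batch: read "<op> <chain> <spec>" lines on stdin and print the
# "*filter ... COMMIT" block that iptables-restore expects. Any op other
# than A or D is rejected so a typo cannot turn into an unintended rule.
build_batch() {
    printf '*filter\n'
    while read -r op chain spec; do
        [ -n "$op" ] || continue
        case "$op" in
            A|D) printf -- '-%s %s %s\n' "$op" "$chain" "$spec" ;;
            *)   echo "build_batch: bad op '$op'" >&2; return 1 ;;
        esac
    done
    printf 'COMMIT\n'
}

# apply_batch: parse the batch with --test first (it builds the ruleset but
# does not commit it), then commit it. Both calls use --noflush (-n) so the
# existing contents of the table survive, and --wait (-w) so a concurrent
# iptables invocation holding the xtables lock is waited for, not failed on.
apply_batch() {
    batch=$1
    if ! command -v iptables-restore >/dev/null 2>&1; then
        echo "iptables-restore not found; batch not applied" >&2
        return 2
    fi
    printf '%s\n' "$batch" | iptables-restore --test --noflush --wait || return 1
    printf '%s\n' "$batch" | iptables-restore --noflush --wait
}

batch=$(printf '%s' "$RULES" | build_batch) || exit 1
printf '%s\n' "$batch"

# Committing needs CAP_NET_ADMIN; when run unprivileged the script only shows
# the batch it would have fed to iptables-restore.
if [ "$(id -u)" -eq 0 ]; then
    apply_batch "$batch" || echo "apply_batch failed (status $?)" >&2
else
    echo "not root; skipping apply" >&2
fi
```

One caveat a practitioner hits immediately: a -D line whose rule is not currently present makes iptables-restore reject the whole batch, so nothing in it is committed. That is why the proposal above still needs the one -L (or -S) query before constructing the input: only the deletes for rules that actually exist may be emitted. The same layout works for ip6tables-restore; ebtables-restore takes the same "*table ... COMMIT" framing but its rule syntax differs.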