[RFC] Faster libvirtd restart with nwfilter rules, one more time

nshirokovskiy nshirokovskiy at virtuozzo.com
Fri Mar 20 09:25:49 UTC 2020 

Hi, all.                                                                        
                                                                                
Some time ago I posted RFC [1] concerning an issue of unresponsive              
libvird during restart if there is large number of VMs that have network        
filters on their interfaces. It was identified that in most cases we            
don't need actually to reinstall network filter rules on daemon restart.        
Thus I proposed patches [2] that check whether we need to reapply rules         
or not.                                                                         
                                                                                
The first version has a drawback that daemon won't reapply rules if             
someone mangled them between daemon stop and start (and this can be done        
just by restarting firewalld). The second one is just ugly :)                   
                                                                                
Around that time Florian Westphal in a letter off the mailing list              
suggested to use {iptables|ebtables}-restore to apply rules in one              
binary call. These binaries has --noflush option so that we won't reset         
current state of tables.  We also need one more -L call for                     
iptables/ebtables to query current filter state to be able to construct         
input for restore binaries.                                                     
                                                                                
I wonder can we use this approach? I see currently only one issue - we          
won't use firealld to spawn rules. But why we need to spawn rules               
through firewalld if it present? We use passthrough mode anyway. I tried        
to dig history for hints but didn't found anything. Patch [3] introduced        
spawning rules thru firewalld-cmd.                                              
                                                                                
Nikolay                                                                         
                                                                                
[1] [RFC] Faster libvirtd restart with nwfilter rules                           
https://www.redhat.com/archives/libvir-list/2018-September/msg01206.html        
                                                                                
[2] nwfilter: don't reinstantiate filters if they are not changed               
v1: https://www.redhat.com/archives/libvir-list/2018-October/msg00904.html      
v2: https://www.redhat.com/archives/libvir-list/2018-October/msg01317.html      
                                                                                
[3] network: use firewalld instead of iptables, when available                  
v0: https://www.redhat.com/archives/libvir-list/2012-April/msg01236.html        
v1: https://www.redhat.com/archives/libvir-list/2012-August/msg00447.html       
...                                                                             
v4: https://www.redhat.com/archives/libvir-list/2012-August/msg01097.html

More information about the libvir-list mailing list