[libvirt-users] Recreating nwfilter rules without a restart
Brian Rak
brak at gameservers.com
Wed Mar 26 21:31:55 UTC 2014
On 3/26/2014 3:50 PM, Brian Rak wrote:
> Let's say I have some iptables rules defined to restrict guest
> traffic. If I restart the hosts firewall 'service iptables restart',
> all the guest-specific rules get blown away.
>
> Is there a way to reapply all the guest firewall rules, without
> restarting each individual guest?
>
> It looks like if I edit a nwfilter with `virsh nwfilter-edit` it goes
> and reapplies the rules to all the guests, so this functionality seems
> to be present already.
>
This is nowhere close to an optimal solution, but the following python
script will kick off a reload of all the defined nwfilter rulesets
(assuming they have at least one rule with a <mac> match present). In
our environment, they do, so this works okay. Did I mention what a
terrible hack this is?
#!/usr/bin/python2.7
# Filters to force a rule rebuild for. Each must carry at least one rule
# with a <mac> match, because that is the element that gets stamped.
FILTERS_TO_RELOAD = [
    'clean-traffic',
    'my-filter',
]

import sys
import libvirt, time
from xml.etree import ElementTree

conn = libvirt.open(None)
if conn is None:
    sys.stderr.write('Failed to connect\n')
    sys.exit(1)

for nwf in conn.listAllNWFilters():
    if not nwf.name() in FILTERS_TO_RELOAD:
        continue
    print "Reloading ", nwf.name()
    myxml = nwf.XMLDesc()
    tree = ElementTree.fromstring(myxml)
    # Any change to the definition makes libvirt re-apply the filter to
    # every guest using it; a comment on the last <mac> match changes
    # nothing about what the rule does.
    mac = tree.findall('rule/mac')[-1]
    mac.set('comment', 'reloaded at ' + time.strftime('%F %T'))
    myxml = ElementTree.tostring(tree)
    # Redefining the filter is what triggers the rebuild on all guests.
    conn.nwfilterDefineXML(myxml)
It looks like the actual function I want is either
virNWFilterTriggerVMFilterRebuild or virNWFilterInstFiltersOnAllVMs, but
I can't seem to figure out how to get virsh to be able to access either
of these.
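A Python 3 version of the same trick, added here as an example and not taken from the post: it separates the XML stamping from the libvirt calls so that the case the post flags (a filter with no <mac> rule) is skipped instead of crashing the script, and it assumes `conn` is a libvirt.virConnect obtained elsewhere with libvirt.open(None).

```python
"""Stamp an nwfilter definition so that redefining it triggers a rule rebuild.

Added example, not code from the original post. `conn` in reload_filters() is
assumed to be a libvirt.virConnect (libvirt.open(None)) and is not created here.
"""
import time
from xml.etree import ElementTree as ET

# Constructed sample definitions (the uuids are placeholders).
FILTER_WITH_MAC = """<filter name='my-filter' chain='root'>
  <uuid>00000000-0000-0000-0000-000000000001</uuid>
  <rule action='drop' direction='out' priority='500'>
    <mac match='no' srcmacaddr='$MAC'/>
  </rule>
</filter>"""
FILTER_REFS_ONLY = """<filter name='refs-only' chain='root'>
  <uuid>00000000-0000-0000-0000-000000000002</uuid>
  <filterref filter='clean-traffic'/>
</filter>"""

def stamp_filter(xml_text, now=None):
    """Return (new_xml, stamped_tag), or None when there is no rule to stamp.

    Any change to the definition makes libvirt re-apply the filter to all guests
    using it; the post stamped rule/mac only, but 'comment' is allowed on every
    protocol match element, so this falls back to rule/* when no <mac> exists.
    """
    tree = ET.fromstring(xml_text)
    matches = tree.findall('rule/mac') or tree.findall('rule/*')
    if not matches:
        return None
    when = time.gmtime(now) if now is not None else time.localtime()
    stamp = time.strftime('%Y-%m-%d %H:%M:%S', when)
    matches[-1].set('comment', 'reloaded at ' + stamp)
    return ET.tostring(tree, encoding='unicode'), matches[-1].tag

def reload_filters(conn, names):
    """Redefine each named filter with a fresh stamp; returns (reloaded, skipped)."""
    reloaded, skipped = [], []
    for nwf in conn.listAllNWFilters():
        if nwf.name() not in names:
            continue
        result = stamp_filter(nwf.XMLDesc())
        if result is None:
            # Nothing to stamp: redefining it unchanged would not rebuild anything.
            skipped.append(nwf.name())
            continue
        conn.nwfilterDefineXML(result[0])  # this redefinition triggers the rebuild
        reloaded.append(nwf.name())
    return reloaded, skipped
```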