Hi, all.

Some time ago I posted RFC [1] concerning an issue of unresponsive libvirtd during restart if there is a large number of VMs that have network filters on their interfaces. It was identified that in most cases we don't actually need to reinstall network filter rules on daemon restart. Thus I proposed patches [2] that check whether we need to reapply rules or not. The first version has the drawback that the daemon won't reapply rules if someone mangled them between daemon stop and start (and this can be done just by restarting firewalld). The second one is just ugly :)

Around that time Florian Westphal, in a letter off the mailing list, suggested using {iptables|ebtables}-restore to apply rules in one binary call. These binaries have a --noflush option so that we won't reset the current state of the tables. We also need one more -L call for iptables/ebtables to query the current filter state to be able to construct input for the restore binaries.

I wonder whether we can use this approach? I see currently only one issue: we won't use firewalld to spawn rules. But why do we need to spawn rules through firewalld if it is present? We use passthrough mode anyway. I tried to dig through the history for hints but didn't find anything. Patch [3] introduced spawning rules through firewall-cmd.

Nikolay

[1] [RFC] Faster libvirtd restart with nwfilter rules
https://www.redhat.com/archives/libvir-list/2018-September/msg01206.html

[2] nwfilter: don't reinstantiate filters if they are not changed
v1: https://www.redhat.com/archives/libvir-list/2018-October/msg00904.html
v2: https://www.redhat.com/archives/libvir-list/2018-October/msg01317.html

[3] network: use firewalld instead of iptables, when available
v0: https://www.redhat.com/archives/libvir-list/2012-April/msg01236.html
v1: https://www.redhat.com/archives/libvir-list/2012-August/msg00447.html
...
v4: https://www.redhat.com/archives/libvir-list/2012-August/msg01097.html
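The restore-based approach described in the message above, as an added illustration that is not part of the post or of libvirt's nwfilter code: query the current table state, then emit only the missing chains and rules as input for `iptables-restore --noflush`, so existing rules survive and one process call replaces many. It assumes the state is queried with `iptables -S` (rule-spec form, easier to parse than `-L`), that desired rules are written in the canonical form `-S` prints, and uses constructed sample state for a guest interface `vnet0`.

```python
# Constructed sample of `iptables -S` output for the filter table. The FI-vnet0
# chain and one of its rules already exist; the FO-vnet0 chain does not.
CURRENT_STATE = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FI-vnet0
-A FORWARD -m physdev --physdev-in vnet0 -g FI-vnet0
-A FI-vnet0 -p udp -m udp --dport 67 -j ACCEPT
"""

# Rules the filter driver wants installed (constructed, in the form `-S` prints).
DESIRED_RULES = [
    ("FORWARD", "-m physdev --physdev-in vnet0 -g FI-vnet0"),
    ("FORWARD", "-m physdev --physdev-out vnet0 -g FO-vnet0"),
    ("FI-vnet0", "-p udp -m udp --dport 67 -j ACCEPT"),
    ("FI-vnet0", "-j DROP"),
    ("FO-vnet0", "-p udp -m udp --sport 67 -j ACCEPT"),
    ("FO-vnet0", "-j DROP"),
]


def parse_rule_specs(output):
    """Parse `iptables -S` output into (existing chain names, installed rules)."""
    chains, rules = set(), set()
    for line in output.splitlines():
        parts = line.split(maxsplit=2)
        if parts and parts[0] in ("-P", "-N"):      # built-in policy / user chain
            chains.add(parts[1])
        elif parts and parts[0] == "-A":            # (chain, rule-spec) pair
            rules.add((parts[1], parts[2]))
    return chains, rules


def build_restore_input(current, desired, table="filter"):
    """Text for `iptables-restore --noflush`: declare only chains that are
    missing (so existing chains keep their rules) and append missing rules."""
    chains, rules = parse_rule_specs(current)
    lines = [f"*{table}"]
    for chain in dict.fromkeys(chain for chain, _ in desired):  # ordered, unique
        if chain not in chains:
            lines.append(f":{chain} - [0:0]")
    for chain, spec in desired:
        if (chain, spec) not in rules:
            lines.append(f"-A {chain} {spec}")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_restore_input(CURRENT_STATE, DESIRED_RULES), end="")
```

On a real host the text would be piped to `iptables-restore --noflush` (or the ebtables equivalent) as root; an empty rule set between `*filter` and `COMMIT` means nothing needs reapplying.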