ping
On 20.03.2020 12:25, nshirokovskiy wrote:
> Hi, all.
>
> Some time ago I posted RFC [1] concerning an issue of unresponsive
> libvird during restart if there is large number of VMs that have network
> filters on their interfaces. It was identified that in most cases we
> don't need actually to reinstall network filter rules on daemon restart.
> Thus I proposed patches [2] that check whether we need to reapply rules
> or not.
>
> The first version has a drawback that daemon won't reapply rules if
> someone mangled them between daemon stop and start (and this can be done
> just by restarting firewalld). The second one is just ugly :)
>
> Around that time Florian Westphal in a letter off the mailing list
> suggested to use {iptables|ebtables}-restore to apply rules in one
> binary call. These binaries has --noflush option so that we won't reset
> current state of tables. We also need one more -L call for
> iptables/ebtables to query current filter state to be able to construct
> input for restore binaries.
>
> I wonder can we use this approach? I see currently only one issue - we
> won't use firealld to spawn rules. But why we need to spawn rules
> through firewalld if it present? We use passthrough mode anyway. I tried
> to dig history for hints but didn't found anything. Patch [3] introduced
> spawning rules thru firewalld-cmd.
>
> Nikolay
>
> [1] [RFC] Faster libvirtd restart with nwfilter rules
> https://www.redhat.com/archives/libvir-list/2018-September/msg01206.html
>
> [2] nwfilter: don't reinstantiate filters if they are not changed
> v1: https://www.redhat.com/archives/libvir-list/2018-October/msg00904.html
> v2: https://www.redhat.com/archives/libvir-list/2018-October/msg01317.html
>
> [3] network: use firewalld instead of iptables, when available
> v0: https://www.redhat.com/archives/libvir-list/2012-April/msg01236.html
> v1: https://www.redhat.com/archives/libvir-list/2012-August/msg00447.html
> ...
> v4: https://www.redhat.com/archives/libvir-list/2012-August/msg01097.html
>
>
