Copying Eric Garver as a knowledgeable maintainer of firewalld to confirm a question I have....

On Fri, Mar 20, 2020 at 12:25:49PM +0300, nshirokovskiy wrote:
> Hi, all.
>
> Some time ago I posted RFC [1] concerning an issue of unresponsive
> libvirtd during restart if there is a large number of VMs that have network
> filters on their interfaces. It was identified that in most cases we
> don't actually need to reinstall network filter rules on daemon restart.
> Thus I proposed patches [2] that check whether we need to reapply rules
> or not.
>
> The first version has a drawback that the daemon won't reapply rules if
> someone mangled them between daemon stop and start (and this can be done
> just by restarting firewalld). The second one is just ugly :)
>
> Around that time Florian Westphal in a letter off the mailing list
> suggested to use {iptables|ebtables}-restore to apply rules in one
> binary call. These binaries have a --noflush option so that we won't reset
> the current state of tables. We also need one more -L call for
> iptables/ebtables to query the current filter state to be able to construct
> input for the restore binaries.
>
> I wonder whether we can use this approach? I see currently only one issue - we
> won't use firewalld to spawn rules. But why do we need to spawn rules
> through firewalld if it is present? We use passthrough mode anyway. I tried
> to dig through history for hints but didn't find anything. Patch [3] introduced
> spawning rules thru firewall-cmd.

For as long as libvirt has done firewall stuff we've had the issue with
other apps on the system breaking / discarding our rules. Originally this
was the "firewall" sysvinit script. When firewalld came along, libvirt
switched to creating rules using the firewalld passthrough mode API, in
the belief that any time firewalld re-creates its rules, it would preserve
any rules we'd created via the passthrough mode.

I vaguely recall some recentish discussions though where I think Eric
Garver mentioned we were mistaken, and that firewalld does *nothing* to
preserve passthrough mode rules.

Eric, from firewalld's POV, is there any functional difference between an
application directly creating rules by spawning "iptables", vs creating
the same rules via the firewalld passthrough API ?

If there is no difference, then libvirt could stop using the firewalld
passthrough API, and switch to the iptables bulk load tools.

>
> Nikolay
>
> [1] [RFC] Faster libvirtd restart with nwfilter rules
> https://www.redhat.com/archives/libvir-list/2018-September/msg01206.html
>
> [2] nwfilter: don't reinstantiate filters if they are not changed
> v1: https://www.redhat.com/archives/libvir-list/2018-October/msg00904.html
> v2: https://www.redhat.com/archives/libvir-list/2018-October/msg01317.html
>
> [3] network: use firewalld instead of iptables, when available
> v0: https://www.redhat.com/archives/libvir-list/2012-April/msg01236.html
> v1: https://www.redhat.com/archives/libvir-list/2012-August/msg00447.html
> ...
> v4: https://www.redhat.com/archives/libvir-list/2012-August/msg01097.html
>
> Regards, Daniel

-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
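The restore-with-`--noflush` approach discussed in the thread, as an added example that is not libvirt's code nor anything posted in this thread: query the current table state, compute only the rules that are missing, and feed those to `iptables-restore --noflush` so that existing rules are neither flushed nor duplicated. The helper names and the sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of the current filter table, in the format
# `iptables-save -t filter` prints (in real use, capture that command's output).
CURRENT_SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:libvirt-in - [0:0]
-A FORWARD -j libvirt-in
-A libvirt-in -i vnet0 -j ACCEPT
COMMIT'

# Constructed set of rules we want present after a daemon restart.
DESIRED_SAMPLE='-A FORWARD -j libvirt-in
-A libvirt-in -i vnet0 -j ACCEPT
-A libvirt-in -i vnet1 -j ACCEPT'

# missing_rules CURRENT DESIRED: print the desired rules absent from CURRENT
# (exact-line match, so a mangled or deleted rule shows up as missing).
missing_rules() {
    printf '%s\n' "$2" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        printf '%s\n' "$1" | grep -Fxq -- "$rule" || printf '%s\n' "$rule"
    done
}

# restore_input CURRENT DESIRED: build iptables-restore input for the filter
# table containing only the missing rules; prints nothing if there is no work.
restore_input() {
    missing=$(missing_rules "$1" "$2")
    [ -n "$missing" ] || return 0
    printf '*filter\n'
    # Declare user-defined chains the new rules append to but that do not
    # exist yet; ':NAME - [0:0]' creates the chain. Built-in chains are skipped.
    printf '%s\n' "$missing" | awk '{print $2}' | sort -u | while read -r chain; do
        case "$chain" in INPUT|FORWARD|OUTPUT) continue ;; esac
        printf '%s\n' "$1" | grep -q -- "^:$chain " || printf ':%s - [0:0]\n' "$chain"
    done
    printf '%s\n' "$missing"
    printf 'COMMIT\n'
}

# apply_missing DESIRED: one iptables-save call plus one iptables-restore call,
# with --noflush so rules already in the table are left untouched.
apply_missing() {
    input=$(restore_input "$(iptables-save -t filter)" "$1")
    [ -n "$input" ] || return 0
    printf '%s\n' "$input" | iptables-restore --noflush
}
```

Running `apply_missing "$DESIRED_SAMPLE"` as root applies only the rules not already present; on an unchanged system it makes no restore call at all.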