Re: Recreating nwfilter rules without a restart

On 3/26/2014 3:50 PM, Brian Rak wrote:
> Let's say I have some iptables rules defined to restrict guest traffic. If I restart the host's firewall with 'service iptables restart', all the guest-specific rules get blown away.
>
> Is there a way to reapply all the guest firewall rules, without restarting each individual guest?
>
> It looks like if I edit a nwfilter with `virsh nwfilter-edit` it goes and reapplies the rules to all the guests, so this functionality seems to be present already.



This is nowhere close to an optimal solution, but the following Python script will kick off a reload of all the defined nwfilter rulesets (assuming they have at least one rule with a <mac> match present). In our environment, they do, so this works okay. Did I mention what a terrible hack this is?

#!/usr/bin/python2.7
# Force libvirtd to re-instantiate the named nwfilters on every guest that
# uses them by re-defining each filter with a trivially changed XML body.
from __future__ import print_function

import sys
import time
from xml.etree import ElementTree

import libvirt

FILTERS_TO_RELOAD = [
        'clean-traffic',
        'my-filter',
]

conn = libvirt.open(None)
if conn is None:
        print('Failed to connect', file=sys.stderr)
        sys.exit(1)

for nwfilter in conn.listAllNWFilters():
        if nwfilter.name() not in FILTERS_TO_RELOAD:
                continue

        print("Reloading", nwfilter.name())
        myxml = nwfilter.XMLDesc()

        tree = ElementTree.fromstring(myxml)
        # Touch the 'comment' attribute of the last <mac> match so the XML
        # differs from the stored definition; this needs at least one <mac>
        # rule in the filter, otherwise findall() returns an empty list.
        mac = tree.findall('rule/mac')[-1]
        mac.set('comment', 'reloaded at ' + time.strftime('%F %T'))

        # Re-defining an existing filter makes libvirtd rebuild the rules
        # for all guests referencing it, which is the whole point here.
        myxml = ElementTree.tostring(tree)
        conn.nwfilterDefineXML(myxml)



It looks like the actual function I want is either virNWFilterTriggerVMFilterRebuild or virNWFilterInstFiltersOnAllVMs, but I can't seem to figure out how to get virsh to be able to access either of these.

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
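The thread above describes the symptom (a firewall restart silently drops the per-guest nwfilter rules) but not how to notice it. The following is an added example, not code from the original post or from libvirt: it parses the domain XML of running guests for interfaces carrying a <filterref> and compares them against `iptables -S` output to report which guests have lost their chains. It assumes the per-interface chain naming FI-<dev>, FO-<dev> and HI-<dev> that libvirt's nwfilter driver uses for IP-level rules (adjust CHAIN_PREFIXES if your version differs); the domain XML and iptables listing embedded below are constructed sample data.

```python
#!/usr/bin/env python
# Added example (not from the original post): detect running guests whose
# nwfilter iptables chains are gone, e.g. after 'service iptables restart'.
# Assumption: libvirt names the per-interface chains FI-<dev>, FO-<dev>,
# HI-<dev>; `iptables -S` lists user chains as '-N <name>' and built-ins
# as '-P <name> <policy>'.
from __future__ import print_function

import re
import subprocess
import sys
from xml.etree import ElementTree

CHAIN_PREFIXES = ('FI-', 'FO-', 'HI-')


def filtered_interfaces(domain_xml):
    """[(dev, filter_name)] for each <interface> with a <target dev> and a <filterref>."""
    tree = ElementTree.fromstring(domain_xml)
    found = []
    for iface in tree.findall('devices/interface'):
        target = iface.find('target')
        ref = iface.find('filterref')
        if target is None or ref is None:
            continue  # unfiltered NIC: nothing to check
        found.append((target.get('dev'), ref.get('filter')))
    return found


def defined_chains(iptables_s_output):
    """Set of chain names present in `iptables -S` output."""
    chains = set()
    for line in iptables_s_output.splitlines():
        m = re.match(r'^-[NP]\s+(\S+)', line)
        if m:
            chains.add(m.group(1))
    return chains


def missing_chains(devs, chains, prefixes=CHAIN_PREFIXES):
    """{dev: [expected chains absent from `chains`]}; fully present devs are omitted."""
    missing = {}
    for dev in devs:
        absent = [p + dev for p in prefixes if p + dev not in chains]
        if absent:
            missing[dev] = absent
    return missing


def check(domain_xmls, iptables_s_output):
    """Run the whole check over several domains' XML and one iptables listing."""
    devs = [dev for xml in domain_xmls for dev, _ in filtered_interfaces(xml)]
    return missing_chains(devs, defined_chains(iptables_s_output))


# Constructed sample: a guest with two filtered NICs and one unfiltered NIC,
# and a ruleset in which only vnet0's nwfilter chains survived.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <interface type='bridge'>
      <source bridge='br0'/><target dev='vnet0'/><filterref filter='clean-traffic'/>
    </interface>
    <interface type='bridge'>
      <source bridge='br0'/><target dev='vnet1'/><filterref filter='my-filter'/>
    </interface>
    <interface type='bridge'>
      <source bridge='br1'/><target dev='vnet2'/>
    </interface>
  </devices>
</domain>"""

SAMPLE_IPTABLES_S = """-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FI-vnet0
-N FO-vnet0
-N HI-vnet0
-N libvirt-host-in
-N libvirt-in
-N libvirt-out
-A FORWARD -j libvirt-in
-A libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0
-A libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0"""


def main():
    """Live mode: running domains via libvirt, real `iptables -S` output."""
    import libvirt  # imported here so the parsing functions work without it
    conn = libvirt.open(None)
    if conn is None:
        print('Failed to connect to libvirtd', file=sys.stderr)
        return 2
    xmls = [dom.XMLDesc() for dom in
            conn.listAllDomains(libvirt.VIR_CONNECT_LIST_DOMAINS_ACTIVE)]
    rules = subprocess.check_output(['iptables', '-S']).decode('utf-8', 'replace')
    gone = check(xmls, rules)
    for dev, chains in sorted(gone.items()):
        print('%s: missing %s' % (dev, ', '.join(chains)))
    return 1 if gone else 0


if __name__ == '__main__':
    sys.exit(main())
```

Run as root after any firewall restart; a non-zero exit means at least one guest interface has lost its chains and the reload hack above (or a libvirtd restart) is needed. Chains are matched by name only, so a chain that exists but is empty is not detected; extend `defined_chains` to count `-A` lines per chain if that matters in your setup.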