[libvirt-users] Possible to edit/apply nwfilter at runtime?
Andre Goree
2018-02-16 16:59:42 UTC
I'm trying to determine if it's possible to edit/attach/apply nwfilter
rules at runtime? I.e., after a VM is already running, can I apply a
nwfilter to the VM and have it work without rebooting the machine? Thus
far, I've not come across a way to do so, but I thought I'd ask here
before I chase my tail around Google.

Thanks!
--
Andre Goree
-=-=-=-=-=-
Email - andre at drenet.net
Website - http://blog.drenet.net
PGP key - http://www.drenet.net/pubkey.html
-=-=-=-=-=-
Daniel P. Berrangé
2018-02-16 17:12:12 UTC
> I'm trying to determine if it's possible to edit/attach/apply nwfilter rules
> at runtime? I.e., after a VM is already running, can I apply a nwfilter to
> the VM and have it work without rebooting the machine? Thus far, I've not
> come across a way to do so, but I thought I'd ask here before I chase my
> tail around Google.

Simply re-define the nwfilter in question using virsh nwfilter-define.
Any VMs using that filter will automatically update.


Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Andre Goree
2018-02-16 18:44:10 UTC
Post by Daniel P. Berrangé
>> I'm trying to determine if it's possible to edit/attach/apply nwfilter rules
>> at runtime? I.e., after a VM is already running, can I apply a nwfilter to
>> the VM and have it work without rebooting the machine? Thus far, I've not
>> come across a way to do so, but I thought I'd ask here before I chase my
>> tail around Google.
> Simply re-define the nwfilter in question using virsh nwfilter-define.
> Any VMs using that filter will automatically update.
>
> Regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

Thank you for the quick reply.

As for adding the nwfilter to a guest that does not already have the
filter, will that guest need to be rebooted? Or can I add it to the
guest via 'virsh edit'?
I ask because, from what I can tell, adding a new filter via 'virsh edit'
doesn't seem to work -- though it's good to know that once a 'filterref'
has been defined in the guest, it can be adjusted on the fly.
--
Andre Goree
-=-=-=-=-=-
Email - andre at drenet.net
Website - http://blog.drenet.net
PGP key - http://www.drenet.net/pubkey.html
-=-=-=-=-=-
Laine Stump
2018-02-16 19:29:23 UTC
Post by Andre Goree
>>> I'm trying to determine if it's possible to edit/attach/apply nwfilter rules
>>> at runtime? I.e., after a VM is already running, can I apply a nwfilter to
>>> the VM and have it work without rebooting the machine? Thus far, I've not
>>> come across a way to do so, but I thought I'd ask here before I chase my
>>> tail around Google.
>> Simply re-define the nwfilter in question using virsh nwfilter-define.
>> Any VMs using that filter will automatically update.
>>
>> Regards,
>> Daniel
>> --
>> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
>> |: https://libvirt.org -o- https://fstop138.berrange.com :|
>> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
> Thank you for the quick reply.
>
> As for adding the nwfilter to a guest that does not already have the
> filter, will that guest need to be rebooted? Or can I add it to the
> guest via 'virsh edit'?
> I ask because, from what I can tell, adding a new filter via 'virsh edit'
> doesn't seem to work --

Changes made with virsh edit don't take effect until the domain has been
completely stopped and restarted. However, you can make some changes
take effect immediately by using "virsh update-device" with the --live
option (be sure to also specify --config if you want the change to still
be there the next time the domain is started).

Post by Andre Goree
> though it's good to know that once a 'filterref'
> has been defined in the guest, it can be adjusted on the fly.
Andre Goree
2018-03-30 20:29:21 UTC
Post by Daniel P. Berrangé
>> I'm trying to determine if it's possible to edit/attach/apply nwfilter rules
>> at runtime? I.e., after a VM is already running, can I apply a nwfilter to
>> the VM and have it work without rebooting the machine? Thus far, I've not
>> come across a way to do so, but I thought I'd ask here before I chase my
>> tail around Google.
> Simply re-define the nwfilter in question using virsh nwfilter-define.
> Any VMs using that filter will automatically update.
>
> Regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

I've run into an issue here that I thought you might have some insight
on.

I can't seem to "re-define" a nwfilter. I must first 'virsh
nwfilter-undefine' then 'virsh nwfilter-define', or else use 'virsh
nwfilter-edit'. The problem being, I cannot use nwfilter-edit from a
script :/

My real problem is that if I want to add to and/or adjust a filter for a
VM, I basically have to call 'virsh update-device ...' which
unfortunately leaves the VM wide-open for a short period of time, which
is very undesirable.

I wonder if there's a way to edit the nwfilter _without_ libvirt having
to drop the filter for the VM before applying any changes.
--
Andre Goree
-=-=-=-=-=-
Email - andre at drenet.net
Website - http://blog.drenet.net
PGP key - http://www.drenet.net/pubkey.html
-=-=-=-=-=-
Laine Stump
2018-04-02 15:22:53 UTC
>>> I'm trying to determine if it's possible to edit/attach/apply nwfilter rules
>>> at runtime? I.e., after a VM is already running, can I apply a nwfilter to
>>> the VM and have it work without rebooting the machine? Thus far, I've not
>>> come across a way to do so, but I thought I'd ask here before I chase my
>>> tail around Google.
>> Simply re-define the nwfilter in question using virsh nwfilter-define.
>> Any VMs using that filter will automatically update.
>>
>> Regards,
>> Daniel
>> --
>> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
>> |: https://libvirt.org -o- https://fstop138.berrange.com :|
>> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
> I've run into an issue here that I thought you might have some insight on.
>
> I can't seem to "re-define" a nwfilter.

Why is that? The only thing (aside from a syntax error) that would cause
nwfilter-define to fail when the filter already exists would be if you
tried to define the filter with the same name but different (or
non-existent) uuid, or vice versa. As long as the new definition has the
same name and uuid, there should be no problem.

If you're relying on libvirt to provide the uuid when the filter is
originally defined, just modify your "update" script to do virsh
nwfilter-dumpxml to read the current text of the filter, modify that
text, then send the result to virsh nwfilter-define (that's exactly what
virsh nwfilter-edit does).

> I must first 'virsh
> nwfilter-undefine' then 'virsh nwfilter-define', or else use 'virsh
> nwfilter-edit'. The problem being, I cannot use nwfilter-edit from a
> script :/
>
> My real problem is that if I want to add to and/or adjust a filter for a
> VM, I basically have to call 'virsh update-device ...' which
> unfortunately leaves the VM wide-open for a short period of time, which
> is very undesirable.
>
> I wonder if there's a way to edit the nwfilter _without_ libvirt having
> to drop the filter for the VM before applying any changes.

If this really doesn't work when using the same name and uuid as the
original nwfilter, please reply with the exact error message you
receive, along with the output of virsh nwfilter-dumpxml prior to the
attempt at redefinition, and the text you are sending that results in a
failed nwfilter-define.
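
The dumpxml, modify, define sequence described in the reply above, as an added shell example that is not part of the thread or libvirt's own code: it copies the live filter's `<uuid>` into a new definition before calling `virsh nwfilter-define`, so the filter is updated in place. The function names, the filter name `demo-filter` and the sample XML are constructed, and it assumes the opening `<filter ...>` tag sits on a single line.

```shell
#!/bin/sh
# Added example (not from the thread): re-define a live nwfilter in place.

# Print the <uuid> value found in `virsh nwfilter-dumpxml` output on stdin.
extract_uuid() {
    sed -n 's:.*<uuid>\([0-9a-fA-F-]\{36\}\)</uuid>.*:\1:p' | head -n 1
}

# Read a new filter definition on stdin, drop any <uuid> line it carries and
# insert the given one right after the opening <filter ...> tag.
with_uuid() {
    awk -v uuid="$1" '
        /<uuid>.*<\/uuid>/ { next }
        { print }
        /<filter[ >]/ && !done { print "  <uuid>" uuid "</uuid>"; done = 1 }
    '
}

# redefine_filter NAME NEW_XML_FILE: define NEW_XML_FILE under the uuid the
# running filter already has, so libvirt treats it as an update.
redefine_filter() {
    name=$1; new_xml=$2
    uuid=$(virsh nwfilter-dumpxml "$name" | extract_uuid)
    [ -n "$uuid" ] || { echo "no live uuid found for $name" >&2; return 1; }
    tmp=$(mktemp) || return 1
    with_uuid "$uuid" < "$new_xml" > "$tmp" && virsh nwfilter-define "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample of nwfilter-dumpxml output, for trying the helpers offline.
sample_live_xml() {
    cat <<'EOF'
<filter name='demo-filter' chain='root'>
  <uuid>11111111-2222-3333-4444-555555555555</uuid>
  <rule action='accept' direction='in' priority='500'>
    <tcp dstportstart='22'/>
  </rule>
</filter>
EOF
}
```

Call it as `redefine_filter demo-filter new-filter.xml`; the `name` attribute in the new file has to match the live filter as well.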
Andre Goree
2018-04-02 18:02:54 UTC
Post by Laine Stump
>> I've run into an issue here that I thought you might have some insight on.
>> I can't seem to "re-define" a nwfilter.
> Why is that? The only thing (aside from a syntax error) that would cause
> nwfilter-define to fail when the filter already exists would be if you
> tried to define the filter with the same name but different (or
> non-existent) uuid, or vice versa. As long as the new definition has the
> same name and uuid, there should be no problem.
>
> If you're relying on libvirt to provide the uuid when the filter is
> originally defined, just modify your "update" script to do virsh
> nwfilter-dumpxml to read the current text of the filter, modify that
> text, then send the result to virsh nwfilter-define (that's exactly what
> virsh nwfilter-edit does).
>> I must first 'virsh
>> nwfilter-undefine' then 'virsh nwfilter-define', or else use 'virsh
>> nwfilter-edit'. The problem being, I cannot use nwfilter-edit from a
>> script :/
>> My real problem is that if I want to add to and/or adjust a filter for a
>> VM, I basically have to call 'virsh update-device ...' which
>> unfortunately leaves the VM wide-open for a short period of time, which
>> is very undesirable.
>> I wonder if there's a way to edit the nwfilter _without_ libvirt having
>> to drop the filter for the VM before applying any changes.
> If this really doesn't work when using the same name and uuid as the
> original nwfilter, please reply with the exact error message you
> receive, along with the output of virsh nwfilter-dumpxml prior to the
> attempt at redefinition, and the text you are sending that results in a
> failed nwfilter-define.

You're absolutely correct! It must've been bc I allowed libvirt to
define the UUID, which I was not adding to my xml for the update. After
dumping the live rule and making changes to that xml, then defining
again, it worked as expected, thank you for checking me on that.

Also discovered that when I do it this way, the ebtables rules aren't
actually dropped as I thought was the case. Thanks for your help!
--
Andre Goree
-=-=-=-=-=-
Email - andre at drenet.net
Website - http://blog.drenet.net
PGP key - http://www.drenet.net/pubkey.html
-=-=-=-=-=-