9:20 a.m.
hi,all
is there a way to convert vm's filter into comandline, i think it is useful.
if there is the functionality, so you think it is worthy to be done.
thanks
9:43 p.m.
On 03/26/2014 07:20 PM, bigclouds wrote:
hi,all
is there a way to convert vm's filter into comandline, i think it is useful.
You mean, as in
virsh domxml-to-native qemu-argv $(virsh dumpxml $dom)
or are you asking about the nwfilter settings applied on behalf of a guest?
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
9:46 p.m.
On 03/26/2014 08:43 PM, Eric Blake wrote:
On 03/26/2014 07:20 PM, bigclouds wrote:
> hi,all
>
> is there a way to convert vm's filter into comandline, i think it is useful.
You mean, as in
virsh domxml-to-native qemu-argv $(virsh dumpxml $dom)
Correction:
virsh dumpxml $dom > file
virsh domxml-to-native qemu-argv file
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
4:41 a.m.
On 03/27/2014 04:43 AM, Eric Blake wrote:
On 03/26/2014 07:20 PM, bigclouds wrote:
> hi,all
>
> is there a way to convert vm's filter into comandline, i think it is useful.
You mean, as in
virsh domxml-to-native qemu-argv $(virsh dumpxml $dom)
or are you asking about the nwfilter settings applied on behalf of a guest?
Since this same person previously asked about "netfilter" on IRC, I'm
assuming the latter...
No, there isn't a way within libvirt to retrive this information. Beyond
that, Dan Berrange is in the middle of refactoring the nwfilter code to
not use the commandline at all in the case where firewalld is running,
so in the future libvirt won't even be running any external commands to
setup nwfilter rules.
One way to get the information would be to run "iptables -S" before and
after starting the guest, then look at the difference between the two
outputs.
10:31 p.m.
Dan Berrange:
if there are some one work with you to refactore nwfilter architeture.
i hope i can help
thanks
At 2014-03-27 17:41:15,"Laine Stump" <laine(a)laine.org> wrote:
On 03/27/2014 04:43 AM, Eric Blake wrote:
> On 03/26/2014 07:20 PM, bigclouds wrote:
>> hi,all
>>
>> is there a way to convert vm's filter into comandline, i think it is useful.
> You mean, as in
> virsh domxml-to-native qemu-argv $(virsh dumpxml $dom)
>
> or are you asking about the nwfilter settings applied on behalf of a guest?
Since this same person previously asked about "netfilter" on IRC, I'm
assuming the latter...
No, there isn't a way within libvirt to retrive this information. Beyond
that, Dan Berrange is in the middle of refactoring the nwfilter code to
not use the commandline at all in the case where firewalld is running,
so in the future libvirt won't even be running any external commands to
setup nwfilter rules.
One way to get the information would be to run "iptables -S" before and
after starting the guest, then look at the difference between the two
outputs.
9:51 a.m.
On Thu, Mar 27, 2014 at 10:31:32PM +0800, longguang.yue wrote:
Dan Berrange:
if there are some one work with you to refactore nwfilter architeture.
i hope i can help
I've already done pretty much all the work for this. I'm onto testing
it now before posting for review.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
5:57 a.m.
On Thu, Mar 27, 2014 at 09:20:23AM +0800, bigclouds wrote:
hi,all
is there a way to convert vm's filter into comandline, i think it is useful.
if there is the functionality, so you think it is worthy to be done.
Currently the nwfilter driver generates horrible hacky shell scripts which
run a variety of (eb|ip)tables commands. I'm killing all of the shell
script code so that we can directly invoke iptables or talk to firewalld
over DBus. The commands we will generate though won't be suitable for a
user to run directly, because libvirt will parse the output of some
commands in order to determine what subsequent commands to run. This
kind of logic isn't something you can just "export" from libvirt, so
what you suggest isn't really practical
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
10:25 p.m.
killing all of the shell script code ?
you mean nwfilter of libvirt does not exist any more?
yes. nwfilter code is horrible .
maybe we can think of a better way. after all ip|eb tables is complicated, and must be
done, user or libvirt.
thanks
At 2014-03-27 18:57:23,"Daniel P. Berrange" <berrange(a)redhat.com> wrote:
On Thu, Mar 27, 2014 at 09:20:23AM +0800, bigclouds wrote:
> hi,all
>
> is there a way to convert vm's filter into comandline, i think it is useful.
> if there is the functionality, so you think it is worthy to be done.
Currently the nwfilter driver generates horrible hacky shell scripts which
run a variety of (eb|ip)tables commands. I'm killing all of the shell
script code so that we can directly invoke iptables or talk to firewalld
over DBus. The commands we will generate though won't be suitable for a
user to run directly, because libvirt will parse the output of some
commands in order to determine what subsequent commands to run. This
kind of logic isn't something you can just "export" from libvirt, so
what you suggest isn't really practical
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
9:42 a.m.
On 03/27/2014 08:25 AM, longguang.yue wrote:
[please don't top-post on technical lists]
killing all of the shell script code ?
Rewriting it so it uses saner mechanisms than shell script.
you mean nwfilter of libvirt does not exist any more?
No. nwfilter will still exist, it will just be more efficient and more
maintainable from the libvirt point of view.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
3896
days inactive
3896
days old
8 comments
5 participants
participants (5)
-
bigclouds -
Daniel P. Berrange -
Eric Blake -
Laine Stump -
longguang.yue