[libvirt] is there a way to convert vm's filter into command line

Hi, all. Is there a way to convert a VM's filter into a command line? I think it would be useful. If that functionality does not exist, do you think it is worth doing? Thanks

On 03/26/2014 07:20 PM, bigclouds wrote:
> hi, all
> is there a way to convert vm's filter into command line, i think it is useful.

You mean, as in virsh domxml-to-native qemu-argv $(virsh dumpxml $dom), or are you asking about the nwfilter settings applied on behalf of a guest?

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org

On 03/26/2014 08:43 PM, Eric Blake wrote:
> On 03/26/2014 07:20 PM, bigclouds wrote:
>> hi, all
>> is there a way to convert vm's filter into command line, i think it is useful.
> You mean, as in virsh domxml-to-native qemu-argv $(virsh dumpxml $dom)

Correction:

virsh dumpxml $dom > file
virsh domxml-to-native qemu-argv file

On 03/27/2014 04:43 AM, Eric Blake wrote:
> On 03/26/2014 07:20 PM, bigclouds wrote:
>> hi, all
>> is there a way to convert vm's filter into command line, i think it is useful.
> You mean, as in virsh domxml-to-native qemu-argv $(virsh dumpxml $dom)
> or are you asking about the nwfilter settings applied on behalf of a guest?

Since this same person previously asked about "netfilter" on IRC, I'm assuming the latter...

No, there isn't a way within libvirt to retrieve this information. Beyond that, Dan Berrange is in the middle of refactoring the nwfilter code to not use the command line at all in the case where firewalld is running, so in the future libvirt won't even be running any external commands to set up nwfilter rules.

One way to get the information would be to run "iptables -S" before and after starting the guest, then look at the difference between the two outputs.
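The before/after comparison Laine describes, written out as a small POSIX shell script. This is an added example, not code from the thread or from libvirt: snapshot_rules is the step you would run as root around "virsh start", while write_samples supplies constructed sample snapshots (with illustrative chain names) so the diff logic can be tried without root or a guest.

```shell
#!/bin/sh
# Added example, not part of the thread: recover the iptables rules that
# libvirt's nwfilter installs for a guest by diffing two "iptables -S"
# snapshots taken before and after the guest starts, as Laine suggests.

# snapshot_rules FILE: dump the current ruleset (run as root, once before
# "virsh start $dom" and once after). Not exercised by the sample below.
snapshot_rules() {
    iptables -S > "$1"
}

# rules_added BEFORE AFTER: lines present in AFTER but not in BEFORE.
# grep -F -x matches whole lines literally, so rule text containing '*'
# or '!' is never treated as a pattern; -v -f inverts the match against
# every line of BEFORE. Identical duplicate rules are not counted.
rules_added() {
    grep -vxF -f "$1" "$2"
}

# rules_removed BEFORE AFTER: lines that disappeared (same diff, reversed).
rules_removed() {
    rules_added "$2" "$1"
}

# write_samples DIR: constructed snapshots standing in for real output, so
# the diff can be tried without root or a running guest. Chain names and
# rules are illustrative, not copied from any libvirt version.
write_samples() {
    cat > "$1/before" <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
EOF
    cat > "$1/after" <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FI-vnet0
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged --physdev-in vnet0 -g FI-vnet0
-A FI-vnet0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FI-vnet0 -j DROP
EOF
}

# Usage: sh thisfile.sh demo   (prints the four rules the sample "guest" added)
if [ "${1-}" = "demo" ]; then
    dir=$(mktemp -d) && write_samples "$dir"
    rules_added "$dir/before" "$dir/after"
    rm -r "$dir"
fi
```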

Dan Berrange: if there is someone working with you to refactor the nwfilter architecture, I hope I can help. Thanks.

At 2014-03-27 17:41:15, "Laine Stump" <laine@laine.org> wrote:
> On 03/27/2014 04:43 AM, Eric Blake wrote:
>> On 03/26/2014 07:20 PM, bigclouds wrote:
>>> hi, all
>>> is there a way to convert vm's filter into command line, i think it is useful.
>> You mean, as in virsh domxml-to-native qemu-argv $(virsh dumpxml $dom)
>> or are you asking about the nwfilter settings applied on behalf of a guest?
> Since this same person previously asked about "netfilter" on IRC, I'm assuming the latter...
> No, there isn't a way within libvirt to retrieve this information. Beyond that, Dan Berrange is in the middle of refactoring the nwfilter code to not use the command line at all in the case where firewalld is running, so in the future libvirt won't even be running any external commands to set up nwfilter rules.
> One way to get the information would be to run "iptables -S" before and after starting the guest, then look at the difference between the two outputs.

On Thu, Mar 27, 2014 at 10:31:32PM +0800, longguang.yue wrote:
> Dan Berrange: if there is someone working with you to refactor the nwfilter architecture, I hope I can help.

I've already done pretty much all the work for this. I'm onto testing it now before posting for review.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On Thu, Mar 27, 2014 at 09:20:23AM +0800, bigclouds wrote:
> hi, all
> is there a way to convert vm's filter into command line, i think it is useful. if that functionality does not exist, do you think it is worth doing?

Currently the nwfilter driver generates horrible hacky shell scripts which run a variety of (eb|ip)tables commands. I'm killing all of the shell script code so that we can directly invoke iptables or talk to firewalld over DBus. The commands we will generate though won't be suitable for a user to run directly, because libvirt will parse the output of some commands in order to determine what subsequent commands to run. This kind of logic isn't something you can just "export" from libvirt, so what you suggest isn't really practical.

Regards,
Daniel

Killing all of the shell script code? You mean nwfilter of libvirt does not exist any more? Yes, the nwfilter code is horrible. Maybe we can think of a better way. After all, ip|eb tables is complicated, and it must be done, by the user or by libvirt. Thanks.

At 2014-03-27 18:57:23, "Daniel P. Berrange" <berrange@redhat.com> wrote:
> On Thu, Mar 27, 2014 at 09:20:23AM +0800, bigclouds wrote:
>> hi, all
>> is there a way to convert vm's filter into command line, i think it is useful. if that functionality does not exist, do you think it is worth doing?
> Currently the nwfilter driver generates horrible hacky shell scripts which run a variety of (eb|ip)tables commands. I'm killing all of the shell script code so that we can directly invoke iptables or talk to firewalld over DBus. The commands we will generate though won't be suitable for a user to run directly, because libvirt will parse the output of some commands in order to determine what subsequent commands to run. This kind of logic isn't something you can just "export" from libvirt, so what you suggest isn't really practical.
> Regards, Daniel

On 03/27/2014 08:25 AM, longguang.yue wrote:

[please don't top-post on technical lists]

> Killing all of the shell script code?

Rewriting it so it uses saner mechanisms than shell script.

> You mean nwfilter of libvirt does not exist any more?

No. nwfilter will still exist, it will just be more efficient and more maintainable from the libvirt point of view.