[libvirt-users] Recreating nwfilter rules without a restart

Let's say I have some iptables rules defined to restrict guest traffic. If I restart the hosts firewall 'service iptables restart', all the guest-specific rules get blown away. Is there a way to reapply all the guest firewall rules, without restarting each individual guest? It looks like if I edit a nwfilter with `virsh nwfilter-edit` it goes and reapplies the rules to all the guests, so this functionality seems to be present already.

On 3/26/2014 3:50 PM, Brian Rak wrote:
> Let's say I have some iptables rules defined to restrict guest traffic. If I restart the hosts firewall 'service iptables restart', all the guest-specific rules get blown away.
> Is there a way to reapply all the guest firewall rules, without restarting each individual guest?
> It looks like if I edit a nwfilter with `virsh nwfilter-edit` it goes and reapplies the rules to all the guests, so this functionality seems to be present already.
This is nowhere close to an optimal solution, but the following python script will kick off a reload of all the defined nwfilter rulesets (assuming they have at least one rule with a <mac> match present. In our environment, they do, so this works okay). Did I mention what a terrible hack this is?

```python
#!/usr/bin/python2.7
# Filters whose rules should be re-applied to every guest that uses them.
FILTERS_TO_RELOAD = [
    'clean-traffic',
    'my-filter',
]

import sys
import time
import libvirt
from xml.etree import ElementTree

conn = libvirt.open(None)
if conn is None:
    sys.stderr.write('Failed to connect\n')
    sys.exit(1)

for nwf in conn.listAllNWFilters():
    if nwf.name() not in FILTERS_TO_RELOAD:
        continue
    print "Reloading ", nwf.name()
    myxml = nwf.XMLDesc()
    tree = ElementTree.fromstring(myxml)
    # Touch the comment on the last <mac> match so the definition differs
    # from the stored one; redefining it makes libvirt rebuild the rules
    # for every running guest that references this filter.
    mac = tree.findall('rule/mac')[-1]
    mac.set('comment', 'reloaded at ' + time.strftime('%F %T'))
    myxml = ElementTree.tostring(tree)
    conn.nwfilterDefineXML(myxml)
```

It looks like the actual function I want is either virNWFilterTriggerVMFilterRebuild or virNWFilterInstFiltersOnAllVMs, but I can't seem to figure out how to get virsh to be able to access either of these.
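A Python 3 version of the same redefine trick, added here as an illustration and not part of the thread or of libvirt itself: it generalises the script above by touching the comment on any rule's match element instead of requiring a <mac> rule, and it reports filters that carry no <rule> (only <filterref>s) instead of crashing. The filter names in FILTERS_TO_RELOAD are assumptions.

```python
#!/usr/bin/env python3
"""Redefine selected nwfilters with a cosmetic change so libvirt rebuilds
the iptables/ebtables rules on every running guest that uses them."""
import sys
import time
from xml.etree import ElementTree as ET

try:
    import libvirt  # only needed when talking to a real libvirtd
except ImportError:  # lets the XML helper run without the bindings
    libvirt = None

FILTERS_TO_RELOAD = ['clean-traffic', 'my-filter']  # assumed names


def bump_filter_xml(xml, stamp=None):
    """Return the filter XML with a refreshed 'comment' attribute on one
    match element, preferring a <mac> match as the original script does.
    Raises ValueError for a filter made only of <filterref>s, since it
    has no rule element whose comment could be touched."""
    tree = ET.fromstring(xml)
    targets = tree.findall('rule/mac') or tree.findall('rule/*')
    if not targets:
        raise ValueError('filter %s has no rules to touch' % tree.get('name'))
    stamp = stamp or time.strftime('%F %T')
    targets[-1].set('comment', 'reloaded at ' + stamp)
    return ET.tostring(tree, encoding='unicode')


def reload_filters(conn, names):
    """Redefine each named filter on the given libvirt connection and
    return the names that were actually redefined."""
    done = []
    for nwf in conn.listAllNWFilters():
        if nwf.name() not in names:
            continue
        try:
            new_xml = bump_filter_xml(nwf.XMLDesc())
        except ValueError as exc:
            print('skipping: %s' % exc, file=sys.stderr)
            continue
        conn.nwfilterDefineXML(new_xml)  # triggers the rebuild on all guests
        done.append(nwf.name())
    return done


if __name__ == '__main__':
    if libvirt is None:
        sys.exit('libvirt python bindings not installed')
    print('reloaded:', reload_filters(libvirt.open(None), FILTERS_TO_RELOAD))
```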