Hi Team,

I am using QEMU/KVM for launching VMs and libvirt to govern those VMs. I would like to synchronise the connection tracking entries specific to the VM during VM live migrations. It is required when the firewall is implemented at the host level, like libvirt's "network filters". Unless these connection tracking entries are synchronised, all the connections to the VM are lost and all TCP connections should be reestablished.

Is there any option already available? Or do we need to develop the code? We can't rely on the migration hooks, as VM pause in the source hypervisor and VM on in the destination hypervisor is done by QEMU, and it does not wait for any application that needs to sync up some metadata. In my case, it is conntrack entries.

If I would like to add the code and contribute to the community, what could be the best approach to take?

Approach-1: Add a new command in QEMU to configure "maximum waiting-time allowed". During the VM migration, invoke the hook in the source when the VM is paused and wait till the configured time value has elapsed or the hook returns success, then do VM on in the destination. It is more generic, and it's up to the application to synchronise whatever is required within the specified time span.

Approach-2: Modify the migrate command to accept a list of IP addresses, which should be an optional parameter. If the IP address is specified, along with the dirty page synchronisation, synchronise the conntrack entries that match the IP address in their source or destination address, and in the destination QEMU, the conntrack entries should be segregated and programmed in the hypervisor.

Thank you,
Bharath Paulraj
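The selection step that Approach-2 describes, as an added example that is not part of the original message and is not QEMU or libvirt code: it picks, from a host's connection tracking table, the entries that involve a VM's IP address. It assumes the text format printed by `conntrack -L`; the function names are hypothetical and the sample lines are constructed. It checks the reply tuple as well as the original one, so a flow that reaches the VM through DNAT on the host is not missed.

```python
import ipaddress
import re

# Constructed sample in the text format printed by `conntrack -L`.
# The last flow is DNAT'ed on the host: only its reply tuple names the VM.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=10.0.0.5 sport=51234 dport=22 src=10.0.0.5 dst=192.0.2.10 sport=22 dport=51234 [ASSURED] mark=0 use=1
tcp      6 86 TIME_WAIT src=10.0.0.7 dst=198.51.100.4 sport=40112 dport=443 src=198.51.100.4 dst=10.0.0.7 sport=443 dport=40112 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.5 dst=203.0.113.53 sport=40000 dport=53 [UNREPLIED] src=203.0.113.53 dst=10.0.0.5 sport=53 dport=40000 mark=0 use=1
tcp      6 300 ESTABLISHED src=198.51.100.9 dst=192.0.2.1 sport=33000 dport=8080 src=10.0.0.5 dst=198.51.100.9 sport=80 dport=33000 [ASSURED] mark=0 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_entry(line):
    """Parse one line into proto, state, original tuple and reply tuple."""
    fields = line.split()
    tuples = TUPLE_RE.findall(line)
    # Entries without two port-based tuples (e.g. ICMP) are skipped here.
    if len(fields) < 4 or len(tuples) != 2:
        return None
    def conv(t):
        return (ipaddress.ip_address(t[0]), ipaddress.ip_address(t[1]),
                int(t[2]), int(t[3]))
    # Field 3 is the TCP state; stateless protocols go straight to src=.
    state = None if fields[3].startswith("src=") else fields[3]
    return {"proto": fields[0], "state": state,
            "orig": conv(tuples[0]), "reply": conv(tuples[1])}

def entries_for_vm(text, vm_ips):
    """Return entries whose original or reply tuple involves a VM address."""
    wanted = {ipaddress.ip_address(ip) for ip in vm_ips}
    selected = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        addrs = set(entry["orig"][:2]) | set(entry["reply"][:2])
        if addrs & wanted:
            selected.append(entry)
    return selected

if __name__ == "__main__":
    for e in entries_for_vm(SAMPLE, ["10.0.0.5"]):
        print(e["proto"], e["state"], e["orig"], e["reply"])
```
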
