Disable TX checksumming with API

SethNY

Currently I manually disable on TX checksumming on OPNsense firewalls per recommendation.

Is there (undocumented) XO API support for this?

Manual process:
Click the VM
Click the Network tab
Next to each interface is a small settings icon with a blue background
For every interface click the gear icon then disable TX checksumming

I currently have a bunch of Check Point firewall VMs in my lab and they have a several interfaces each. I would like to disable checksumming on all interfaces via API, ansible, and (ideally) terraform.

splastunov

You can always try to use XAPI, or xe cli tool

SethNY

@splastunov said in Disable TX checksumming with API:

XAPI

Thank you, I found https://xapi-project.github.io/xen-api/networking.html

SethNY

Sorry for the necropost but here is what I did.

import XenAPI
import ssl

HOST_IP = "192.168.1.100"
USERNAME = "root"
PASSWORD = "hostpasswordsecret"
VM_LIST = ('sms', 'firewall1a', 'firewall1b', 'firewall2a', 'firewall2b', 'firewall3a', 'firewall3b')

def main():
    # disable https certificate checking
    if hasattr(ssl, '_create_unverified_context'):
        ssl._create_default_https_context = ssl._create_unverified_context
    url = f"https://{HOST_IP}"
    session = XenAPI.Session(url)
    try:
        print(f"Connecting to {HOST_IP}...")
        session.xenapi.login_with_password(USERNAME, PASSWORD, "1.0", "python-script")
    except XenAPI.Failure as e:
        print(f"XenAPI Error: {e}")
        return
    except Exception as e:
        print(f"General Error: {e}")
        return
    for vm in VM_LIST:
        print(f"Searching for VM: {vm}...")
        vms = session.xenapi.VM.get_by_name_label(vm)
        if len(vms) == 0:
            print(f"Error: VM '{vm}' not found.")
            continue
        vm_ref = vms[0]
        vif_refs = session.xenapi.VM.get_VIFs(vm_ref)
        if not vif_refs:
            print("No network interfaces found on this VM.")
            continue
        print(f"Found {len(vif_refs)} interface(s). Updating settings...")
        for vif in vif_refs:
            device = session.xenapi.VIF.get_device(vif)
            other_config = session.xenapi.VIF.get_other_config(vif)
            # ethtool-tx transmit checksum offload
            # ethtool-tso TCP segmentation offload
            # ethtool-ufo UDP fragmentation offload
            # ethtool-gro generic receive offload
            if other_config.get('ethtool-tx') == 'off':
                print(f"  Interface {device}: TX Checksumming already disabled.")
            else:
                print(f"Disabling TX checksumming for interface {device}")
                other_config['ethtool-tx'] = 'off'
                try:
                    session.xenapi.VIF.set_other_config(vif, other_config)
                    print(f" - Interface {device}: TX Checksumming disabled (ethtool-tx: off)")
                    power_state = session.xenapi.VM.get_power_state(vm_ref)
                    if power_state == 'Running':
                        print("  [!] VM is RUNNING. A reboot is required for these changes to take effect.")
                    elif power_state == 'Halted':
                        print("  [i] VM is Halted. Changes will apply on next boot.")
                    else:
                        print(f"  [i] VM state is {power_state}.")
                        print("Note: You must reboot the VM or unplug/plug the VIFs for changes to take effect.")
                    print("")
                except XenAPI.Failure as e:
                    print(f"XenAPI Error: {e}")
                except Exception as e:
                    print(f"General Error: {e}")            
    try:
        session.xenapi.logout()
    except:
        pass
if __name__ == "__main__":
    main()

Pilow

@SethNY you could even enhance this VM_LIST =
with TAGs on VM, so that you manage the selection directly in XOA

poddingue

Bit of a necropost on your necropost, but this got easier in XO 6.5.
The REST API now accepts a txChecksumming parameter when you create a VIF (PR #9793, https://github.com/vatesfr/xen-orchestra/pull/9793), and it maps straight onto the ethtool-tx / other_config value you were setting by hand.
So, for new interfaces, you can do it through /rest/v0 now instead of the XAPI script. I think it's on the create path rather than existing VIFs, though, so for the firewalls already running your script or the gear icon is probably still the way, and I haven't tested it against a live VIF myself. Either way, it's nice to have it native in the API now.

All-Ki opened this pull request in vatesfr/xen-orchestra

closed feat(rest-api): add support for txChecksumming and rateLimitting on V… #9793