Re: [libvirt] [PATCH] Add support for firewalld

On 04/24/2012 11:27 AM, Daniel P. Berrange wrote: >On Tue, Apr 24, 2012 at 10:20:32AM -0400, Stefan Berger wrote: >>On 04/23/2012 05:11 PM, Thomas Woerner wrote: >>>Add support for firewalld >>> >>>* bridge_driver, nwfilter_driver: new dbus filters to get FirewallD1.Reloaded >>> signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1 >>>* iptables, ebtables, nwfilter_ebiptables_driver: use firewall-cmd direct >>> passthrough interface >>After some more massaging of the nwfilter code, my suggestion would >>now be to split this patch up into two parts, one touching the >>nwfilter driver, the other (1st) part for the rest. I did a lot of >>changes in the nwfilter driver that I can send you and you may want >>to merge or I can merge it with your nwfilter-related code changes. >> >>It seems to be working when using the firewall-cmd, but >>unfortunately running the TCK test suite for example is like 8 times >>slower when using firewalld. Also the VM startup times have >>significantly increased. :-(( >I wonder if that would be improved by making DBus calls directly >to firewalld, instead of invoking firewalld-cmd all the time. The >latter is unquestionably inefficient compared to DBus calls, but >it'd be interesting to know if that's really what's causing the >x8 slowdown. That would a bigger code change to go directly through DBus. I am currently accumulating CLI commands to execute and then run them in a batch. For comparison: time firewall-cmd --direct --passthrough eb -t nat -L [...] real 0m0.102s user 0m0.075s sys 0m0.013s versus time ebtables -t nat -L [...] real 0m0.003s user 0m0.000s sys 0m0.002s Well, I guess it adds up.