
On Tue, Apr 24, 2012 at 10:20:32AM -0400, Stefan Berger wrote:
On 04/23/2012 05:11 PM, Thomas Woerner wrote:
Add support for firewalld
* bridge_driver, nwfilter_driver: new dbus filters to get FirewallD1.Reloaded signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1
* iptables, ebtables, nwfilter_ebiptables_driver: use firewall-cmd direct passthrough interface
After some more massaging of the nwfilter code, my suggestion would now be to split this patch up into two parts, one touching the nwfilter driver, the other (1st) part for the rest. I did a lot of changes in the nwfilter driver that I can send you and you may want to merge or I can merge it with your nwfilter-related code changes.
It seems to be working when using the firewall-cmd, but unfortunately running the TCK test suite for example is like 8 times slower when using firewalld. Also the VM startup times have significantly increased. :-((
I wonder if that would be improved by making DBus calls directly to firewalld, instead of invoking firewalld-cmd all the time. The latter is unquestionably inefficient compared to DBus calls, but it'd be interesting to know if that's really what's causing the x8 slowdown.
Is this scheduled to be included in the next libvirt release? I guess architecturally it also is needed for FC 17, so is the plan then to include the latest version of libvirt with firewalld support in FC17?
The libvirt in Fedora 17 is frozen at this point. So if we did include this, it'd be cherry-picking backports.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|