On Tue, Apr 24, 2012 at 10:20:32AM -0400, Stefan Berger wrote:
> On 04/23/2012 05:11 PM, Thomas Woerner wrote:
> >Add support for firewalld
> >
> >* bridge_driver, nwfilter_driver: new dbus filters to get FirewallD1.Reloaded
> > signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1
> >* iptables, ebtables, nwfilter_ebiptables_driver: use firewall-cmd direct
> > passthrough interface
>
> After some more massaging of the nwfilter code, my suggestion would
> now be to split this patch up into two parts, one touching the
> nwfilter driver, the other (1st) part for the rest. I did a lot of
> changes in the nwfilter driver that I can send you and you may want
> to merge or I can merge it with your nwfilter-related code changes.
> It seems to be working when using the firewall-cmd, but
> unfortunately running the TCK test suite for example is like 8 times
> slower when using firewalld. Also the VM startup times have
> significantly increased. :-((

I wonder if that would be improved by making DBus calls directly
to firewalld, instead of invoking firewall-cmd all the time. The
latter is unquestionably inefficient compared to DBus calls, but
it'd be interesting to know if that's really what's causing the
x8 slowdown.

> Is this scheduled to be included in the next libvirt release? I
> guess architecturally it also is needed for FC 17, so is the plan
> then to include the latest version of libvirt with firewalld support
> in FC17?

The libvirt in Fedora 17 is frozen at this point. So if we did include
this, it'd be cherry-picking backports.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|