Re: [libvirt] [PATCH] Add support for firewalld

On Tue, Apr 24, 2012 at 10:20:32AM -0400, Stefan Berger wrote: > On 04/23/2012 05:11 PM, Thomas Woerner wrote: >> Add support for firewalld >> >> * bridge_driver, nwfilter_driver: new dbus filters to get FirewallD1.Reloaded >> signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1 >> * iptables, ebtables, nwfilter_ebiptables_driver: use firewall-cmd direct >> passthrough interface > After some more massaging of the nwfilter code, my suggestion would > now be to split this patch up into two parts, one touching the > nwfilter driver, the other (1st) part for the rest. I did a lot of > changes in the nwfilter driver that I can send you and you may want > to merge or I can merge it with your nwfilter-related code changes. > > It seems to be working when using the firewall-cmd, but > unfortunately running the TCK test suite for example is like 8 times > slower when using firewalld. Also the VM startup times have > significantly increased. :-(( I wonder if that would be improved by making DBus calls directly to firewalld, instead of invoking firewalld-cmd all the time. The latter is unquestionably inefficient compared to DBus calls, but it'd be interesting to know if that's really what's causing the x8 slowdown.