
On 04/24/2012 11:27 AM, Daniel P. Berrange wrote:
> On Tue, Apr 24, 2012 at 10:20:32AM -0400, Stefan Berger wrote:
>> On 04/23/2012 05:11 PM, Thomas Woerner wrote:
>>> Add support for firewalld
>>>
>>> * bridge_driver, nwfilter_driver: new dbus filters to get
>>>   FirewallD1.Reloaded signal and DBus.NameOwnerChanged on
>>>   org.fedoraproject.FirewallD1
>>> * iptables, ebtables, nwfilter_ebiptables_driver: use firewall-cmd
>>>   direct passthrough interface
>>
>> After some more massaging of the nwfilter code, my suggestion would now
>> be to split this patch up into two parts, one touching the nwfilter
>> driver, the other (1st) part for the rest. I did a lot of changes in the
>> nwfilter driver that I can send you and you may want to merge, or I can
>> merge it with your nwfilter-related code changes.
>>
>> It seems to be working when using the firewall-cmd, but unfortunately
>> running the TCK test suite for example is like 8 times slower when using
>> firewalld. Also the VM startup times have significantly increased. :-((
>
> I wonder if that would be improved by making DBus calls directly to
> firewalld, instead of invoking firewall-cmd all the time. The latter is
> unquestionably inefficient compared to DBus calls, but it'd be
> interesting to know if that's really what's causing the x8 slowdown.

That would be a bigger code change to go directly through DBus. I am
currently accumulating CLI commands to execute and then run them in a
batch.

For comparison:

time firewall-cmd --direct --passthrough eb -t nat -L
[...]
real    0m0.102s
user    0m0.075s
sys     0m0.013s

versus

time ebtables -t nat -L
[...]
real    0m0.003s
user    0m0.000s
sys     0m0.002s

Well, I guess it adds up.

   Stefan
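The two approaches discussed in the thread, as an added example that is not part of the libvirt patch or of the mail above: a small batch that collects ebtables/iptables rules (the way Stefan describes accumulating CLI commands) and pushes them either by spawning `firewall-cmd --direct --passthrough` once per rule, which is where the ~100 ms per-rule cost comes from, or over a single D-Bus connection to firewalld as Daniel suggests. It also shows how the two signals named in the patch summary would be subscribed to with dbus-python, since passthrough rules are not tracked by firewalld and have to be re-applied after a reload or a daemon restart. The rule set and chain names are constructed sample data; the bus name, object path and the `direct.passthrough(ipv, args)` method are firewalld's documented D-Bus API, and the D-Bus parts need dbus-python and a running firewalld, so they are imported lazily and not exercised by the offline part.

```python
"""Batch firewall rules and apply them via firewall-cmd or via firewalld's D-Bus API."""
import subprocess
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# firewalld's documented D-Bus names (not from the mail above).
FIREWALLD_BUS_NAME = "org.fedoraproject.FirewallD1"
FIREWALLD_PATH = "/org/fedoraproject/FirewallD1"
FIREWALLD_DIRECT_IFACE = "org.fedoraproject.FirewallD1.direct"

# Table families accepted by the passthrough interface.
VALID_IPV = ("ipv4", "ipv6", "eb")


@dataclass
class RuleBatch:
    """Accumulate (ipv, argv) pairs and apply them in one go."""
    rules: List[Tuple[str, Tuple[str, ...]]] = field(default_factory=list)

    def add(self, ipv: str, *args: str) -> None:
        """Queue one rule; args are plain iptables/ebtables arguments."""
        if ipv not in VALID_IPV:
            raise ValueError(f"unknown table family {ipv!r}")
        if not args:
            raise ValueError("empty rule")
        self.rules.append((ipv, tuple(args)))

    def firewall_cmd_argv(self) -> List[List[str]]:
        """One firewall-cmd process per rule: every entry costs a fork/exec
        plus the Python start-up of firewall-cmd, the overhead measured above."""
        return [["firewall-cmd", "--direct", "--passthrough", ipv, *args]
                for ipv, args in self.rules]

    def apply_with_firewall_cmd(self) -> List[str]:
        """Run the queued rules through firewall-cmd (needs firewalld)."""
        return [subprocess.run(argv, capture_output=True, text=True,
                               check=True).stdout
                for argv in self.firewall_cmd_argv()]

    def apply_over_dbus(self) -> List[str]:
        """Same rules, one bus connection, one method call per rule."""
        import dbus  # imported lazily so the module loads without dbus-python
        bus = dbus.SystemBus()
        obj = bus.get_object(FIREWALLD_BUS_NAME, FIREWALLD_PATH)
        direct = dbus.Interface(obj, FIREWALLD_DIRECT_IFACE)
        return [str(direct.passthrough(ipv, list(args)))
                for ipv, args in self.rules]


def watch_firewalld(on_reapply: Callable[[], None]) -> None:
    """Call on_reapply() when firewalld reloads or (re)appears on the bus.

    Mirrors the two signals the patch summary lists; the caller must run a
    GLib main loop. Passthrough rules are untracked, so they vanish on
    reload and must be pushed again from the batch.
    """
    import dbus
    from dbus.mainloop.glib import DBusGMainLoop
    DBusGMainLoop(set_as_default=True)
    bus = dbus.SystemBus()
    bus.add_signal_receiver(lambda *_: on_reapply(),
                            signal_name="Reloaded",
                            dbus_interface=FIREWALLD_BUS_NAME,
                            bus_name=FIREWALLD_BUS_NAME)

    def owner_changed(name, old_owner, new_owner):
        if name == FIREWALLD_BUS_NAME and new_owner:  # daemon (re)started
            on_reapply()

    bus.add_signal_receiver(owner_changed,
                            signal_name="NameOwnerChanged",
                            dbus_interface="org.freedesktop.DBus",
                            arg0=FIREWALLD_BUS_NAME)


def sample_batch() -> RuleBatch:
    """Constructed rules in the style of libvirt's per-interface chains."""
    b = RuleBatch()
    b.add("eb", "-t", "nat", "-N", "libvirt-I-vnet0")
    b.add("eb", "-t", "nat", "-A", "PREROUTING", "-i", "vnet0",
          "-j", "libvirt-I-vnet0")
    b.add("ipv4", "-t", "filter", "-A", "FORWARD", "-i", "virbr0",
          "-j", "ACCEPT")
    return b


if __name__ == "__main__":
    for argv in sample_batch().firewall_cmd_argv():
        print(" ".join(argv))
```

With three rules the firewall-cmd path spawns three processes; at the ~0.1 s per invocation measured above, a VM with a few dozen nwfilter rules spends seconds in process start-up alone, while the D-Bus path pays for one connection and then a method call per rule.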