On Mon, Aug 13, 2012 at 04:24:04PM -0400, Laine Stump wrote:
We can then decide at runtime whether or not to actually use the
commands. You had mentioned on IRC the possibility of firewalld starting
up after libvirt, or shutting down while libvirt is still running. The
issue I see with that is that libvirt always cleans up after its
iptables rules - if you destroy a libvirt network, it removes all the
iptables rules. Likewise, when libvirtd is restarted, every rule for
every network is deleted and re-added. What will happen if a network is
started when firewalld isn't running, and then shut down after firewalld
is started? (i.e. rules were added with iptables) What about the
opposite situation? And of course what about the situation where some of
the networks have rules added by iptables, and some have rules added by
firewalld, and we then want to restart libvirtd (delete / add all rules
for all networks)?
We should likely have a QEMU driver configuration parameter to determine
which firewall impl to use. If not set we can detect at libvirtd startup
whether firewalld should be used or not. If we enabled firewalld initially
and it is later stopped, we should raise an error when trying to start VMs
ie, we should *not* try to dynamically switch our firewall impl on the
fly. Pick one impl and then stick with it.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
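The policy Daniel describes (choose one firewall backend at libvirtd startup, refuse to start VMs rather than switch on the fly) and the mixed-ownership problem Laine raises, sketched as an added dry-run example. This is not libvirt's code: the firewall-cmd direct-passthrough mapping, the sample subnet and the class names are assumptions made for illustration.

```python
"""Pin firewall rule management to one backend for the daemon's lifetime (dry-run model)."""
from dataclasses import dataclass, field

def rule_args(subnet, add):
    # libvirt's usual NAT masquerade rule for a virtual network, as iptables arguments.
    op = "-A" if add else "-D"
    return ["-t", "nat", op, "POSTROUTING", "-s", subnet, "!", "-d", subnet, "-j", "MASQUERADE"]

def backend_command(backend, subnet, add):
    # Assumption: the firewalld backend pushes the same rule via firewall-cmd's direct passthrough.
    if backend == "iptables":
        return ["iptables"] + rule_args(subnet, add)
    if backend == "firewalld":
        return ["firewall-cmd", "--direct", "--passthrough", "ipv4"] + rule_args(subnet, add)
    raise ValueError(f"unknown backend {backend!r}")

def choose_backend(configured, firewalld_running):
    """Explicit config wins; otherwise decide once, at startup, from what is running."""
    if configured in ("iptables", "firewalld"):
        return configured
    return "firewalld" if firewalld_running else "iptables"

class BackendUnavailable(RuntimeError):
    pass

@dataclass
class FirewallManager:
    backend: str
    commands: list = field(default_factory=list)  # commands that would be executed
    owners: dict = field(default_factory=dict)    # network name -> backend that added its rules

    def start_network(self, name, subnet, firewalld_running):
        # The backend is pinned: if firewalld was chosen and has since stopped, fail loudly
        # instead of silently falling back to iptables and creating mixed ownership.
        if self.backend == "firewalld" and not firewalld_running:
            raise BackendUnavailable("firewalld backend selected but firewalld is not running")
        self.commands.append(backend_command(self.backend, subnet, add=True))
        self.owners[name] = self.backend

    def destroy_network(self, name, subnet):
        # Rules added through one backend cannot be reliably removed through the other;
        # refusing here surfaces the orphaned-rule state rather than hiding it.
        owner = self.owners.get(name)
        if owner != self.backend:
            raise BackendUnavailable(f"{name}: rules owned by {owner}, not {self.backend}")
        self.commands.append(backend_command(self.backend, subnet, add=False))
        del self.owners[name]
```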