Re: [Libvir] [patch 7/9] Add support for lokkit

On Fri, Jan 04, 2008 at 03:57:32PM +0000, Mark McLoughlin wrote:
Add support for integrating our iptables support with Fedora's iptables configuration using the lokkit --custom-rules command.
Basically, we write out our rules to /var/lib/libvirt/iptables and run lokkit --custom-rules so that if e.g. iptables is restarted or the user edits their firewall configuration, then libvirt's rules get reloaded.
Ahh, that's very nice to have.
+dnl +dnl ensure that Fedora's system-config-firewall knows +dnl about libvirt's iptables rules +dnl +AC_ARG_ENABLE(iptables-lokkit, + AC_HELP_STRING([--enable-iptables-lokkit=no/yes], + [enable registering libvirt's iptables rules with Fedora's lokkit]), + [],[enable_iptables_lokkit=no]) +if test x"$enable_iptables_lokkit" = x"yes"; then + AC_DEFINE(ENABLE_IPTABLES_LOKKIT, [], [whether support for Fedora's lokkit is enabled]) + AC_PATH_PROG(LOKKIT_PATH, lokkit, /usr/sbin/lokkit) + AC_DEFINE_UNQUOTED(LOKKIT_PATH, "$LOKKIT_PATH", [path to lokkit binary]) +fi +
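Review bot: AC_PATH_PROG(LOKKIT_PATH, lokkit, /usr/sbin/lokkit) supplies /usr/sbin/lokkit as the value when lokkit is not found, so --enable-iptables-lokkit=yes passes configure on a host without lokkit and AC_DEFINE_UNQUOTED compiles in a path that was never verified; drop the default and fail configure when the lookup misses. The lookup also walks the builder's $PATH, so consider giving AC_PATH_PROG an explicit directory list as its fourth argument so the stored path is a system location. Any value other than yes, including a typo, silently disables the feature; reject unknown values instead.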
Could we make the configure script a little more clever so that it is a tri-state and can auto-detect whether lokkit is available.
- enable_iptables_lokkit=no - force disable
- enable_iptables_lokkit=yes - check if it is supported, and error if not
- enable_iptables_lokkit=check - check if it is supported and enable or disable as needed
With 'check' being the default. This makes it 'do the right' thing by default, and lets the user have a strict override if necessary.
ACK to the rest of the patch
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|

On Sat, 2008-01-05 at 00:16 +0000, Daniel P. Berrange wrote:
Could we make the configure script a little more clever so that it is a tri-state and can auto-detect whether lokkit is available.
- enable_iptables_lokkit=no - force disable
- enable_iptables_lokkit=yes - check if it is supported, and error if not
- enable_iptables_lokkit=check - check if it is supported and enable or disable as needed
With 'check' being the default. This makes it 'do the right' thing by default, and lets the user have a strict override if necessary.
Okay, but that makes system-config-firewall a BuildRequires.
(I'll fold the attached patch into this 7/9 patch)
Cheers,
Mark.

On Mon, Jan 07, 2008 at 10:05:32AM +0000, Mark McLoughlin wrote:
On Sat, 2008-01-05 at 00:16 +0000, Daniel P. Berrange wrote:
Could we make the configure script a little more clever so that it is a tri-state and can auto-detect whether lokkit is available.
- enable_iptables_lokkit=no - force disable
- enable_iptables_lokkit=yes - check if it is supported, and error if not
- enable_iptables_lokkit=check - check if it is supported and enable or disable as needed
With 'check' being the default. This makes it 'do the right' thing by default, and lets the user have a strict override if necessary.
Okay, but that makes system-config-firewall a BuildRequires.
(I'll fold the attached patch into this 7/9 patch)
Great, looks good.
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
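
The tri-state behaviour agreed on in this thread, sketched as a POSIX shell function. This is an added example, not the patch Mark attached and not libvirt's configure code; the function name `resolve_lokkit` and its search-directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: tri-state resolution of --enable-iptables-lokkit.
# resolve_lokkit MODE SEARCH_DIRS
#   MODE         no | yes | check   (check is the default)
#   SEARCH_DIRS  colon-separated directories to search (hypothetical
#                parameter; a fixed list keeps a stray lokkit on the
#                builder's $PATH from being compiled in)
# Prints "no" or "yes <path>" on stdout; returns 1 on error.
resolve_lokkit() {
    mode=${1:-check}
    dirs=${2:-/usr/sbin:/sbin}

    case $mode in
        no)        echo "no"; return 0 ;;   # force disable, no probing
        yes|check) ;;                       # both probe for the binary
        *)         echo "invalid value: $mode" >&2; return 1 ;;
    esac

    # Look for an executable regular file named lokkit in each directory.
    found=
    old_ifs=$IFS
    IFS=:
    for d in $dirs; do
        if [ -f "$d/lokkit" ] && [ -x "$d/lokkit" ]; then
            found=$d/lokkit
            break
        fi
    done
    IFS=$old_ifs

    if [ -n "$found" ]; then
        echo "yes $found"
        return 0
    fi
    # Not found: "yes" is a strict request and must fail the build,
    # "check" quietly disables the feature.
    if [ "$mode" = yes ]; then
        echo "lokkit requested but not found in $dirs" >&2
        return 1
    fi
    echo "no"
}
# Example call: resolve_lokkit check /usr/sbin:/sbin
```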