[libvirt] [PATCH] Add support for firewalld

Daniel P. Berrange berrange at redhat.com
Tue Apr 24 15:27:15 UTC 2012


On Tue, Apr 24, 2012 at 10:20:32AM -0400, Stefan Berger wrote:
> On 04/23/2012 05:11 PM, Thomas Woerner wrote:
> >Add support for firewalld
> >
> >* bridge_driver, nwfilter_driver: new dbus filters to get FirewallD1.Reloaded
> >   signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1
> >* iptables, ebtables, nwfilter_ebiptables_driver: use firewall-cmd direct
> >   passthrough interface
> 
> After some more massaging of the nwfilter code, my suggestion would
> now be to split this patch up into two parts, one touching the
> nwfilter driver, the other (1st) part for the rest. I did a lot of
> changes in the nwfilter driver that I can send you and you may want
> to merge or I can merge it with your nwfilter-related code changes.
> 
> It seems to be working when using the firewall-cmd, but
> unfortunately running the TCK test suite for example is like 8 times
> slower when using firewalld. Also the VM startup times have
> significantly increased. :-((

I wonder if that would be improved by making DBus calls directly
to firewalld, instead of invoking firewalld-cmd all the time. The
latter is unquestionably inefficient compared to DBus calls, but
it'd be interesting to know if that's really what's causing the
x8 slowdown.

> Is this scheduled to be included in the next libvirt release? I
> guess architecturally it also is needed for FC 17, so is the plan
> then to include the latest version of libvirt with firewalld support
> in FC17?

The libvirt in Fedora 17 is frozen at this point. So if we did include
this, it'd be cherry-picking backports.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|



