[libvirt] [PATCH] Add support for firewalld

Stefan Berger stefanb at linux.vnet.ibm.com
Tue Apr 24 16:01:38 UTC 2012


On 04/24/2012 11:27 AM, Daniel P. Berrange wrote:
> On Tue, Apr 24, 2012 at 10:20:32AM -0400, Stefan Berger wrote:
>> On 04/23/2012 05:11 PM, Thomas Woerner wrote:
>>> Add support for firewalld
>>>
>>> * bridge_driver, nwfilter_driver: new dbus filters to get FirewallD1.Reloaded
>>>    signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1
>>> * iptables, ebtables, nwfilter_ebiptables_driver: use firewall-cmd direct
>>>    passthrough interface
>> After some more massaging of the nwfilter code, my suggestion would
>> now be to split this patch up into two parts, one touching the
>> nwfilter driver, the other (1st) part for the rest. I did a lot of
>> changes in the nwfilter driver that I can send you and you may want
>> to merge or I can merge it with your nwfilter-related code changes.
>>
>> It seems to be working when using the firewall-cmd, but
>> unfortunately running the TCK test suite for example is like 8 times
>> slower when using firewalld. Also the VM startup times have
>> significantly increased. :-((
> I wonder if that would be improved by making DBus calls directly
> to firewalld, instead of invoking firewalld-cmd all the time. The
> latter is unquestionably inefficient compared to DBus calls, but
> it'd be interesting to know if that's really what's causing the
> x8 slowdown.

That would be a bigger code change to go directly through DBus. I am 
currently accumulating CLI commands to execute and then run them in a batch.

For comparison:

time firewall-cmd --direct --passthrough eb -t nat -L
[...]
real    0m0.102s
user    0m0.075s
sys    0m0.013s


versus


time ebtables -t nat -L
[...]
real    0m0.003s
user    0m0.000s
sys    0m0.002s

Well, I guess it adds up.

   Stefan
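The two single-shot timings above differ by roughly 30x, but what matters for VM startup is that cost multiplied by the number of rule operations. As an added example (not part of Thomas's patch or of Stefan's message), the following POSIX shell harness repeats each command N times and reports the average cost per invocation, so the overhead "adds up" can be measured rather than estimated. It assumes GNU `date` (for nanosecond timestamps, with a seconds-only fallback otherwise), that `firewall-cmd` and `ebtables` are on PATH, and that it is run with enough privilege to list the ebtables nat table; commands that are not installed are skipped. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not code from libvirt or firewalld: measure per-invocation
# overhead of firewall-cmd's passthrough versus calling ebtables directly.

# now_ns: wall-clock time in nanoseconds. GNU date supports %N; on other
# implementations %N is printed literally, so fall back to whole seconds.
now_ns() {
    t=$(date +%s%N)
    case $t in
        *[!0-9]*) echo $(( $(date +%s) * 1000000000 )) ;;  # non-GNU date
        *)        echo "$t" ;;
    esac
}

# bench_ms N CMD...: run CMD N times, print total wall-clock milliseconds.
bench_ms() {
    n=$1; shift
    start=$(now_ns)
    i=0
    while [ "$i" -lt "$n" ]; do
        "$@" >/dev/null 2>&1
        i=$((i + 1))
    done
    end=$(now_ns)
    echo $(( (end - start) / 1000000 ))
}

# per_call_us N CMD...: average microseconds per invocation of CMD.
per_call_us() {
    n=$1; shift
    total=$(bench_ms "$n" "$@")
    echo $(( total * 1000 / n ))
}

# compare_cmds [N]: time the two commands from the thread, N runs each
# (default 50), skipping any that is not installed.
compare_cmds() {
    runs=${1:-50}
    for cmd in "firewall-cmd --direct --passthrough eb -t nat -L" \
               "ebtables -t nat -L"; do
        set -- $cmd   # split the command string into words
        if command -v "$1" >/dev/null 2>&1; then
            printf '%-50s %8d us/call (%d runs)\n' \
                "$cmd" "$(per_call_us "$runs" "$@")" "$runs"
        else
            printf '%-50s (not installed, skipped)\n' "$cmd"
        fi
    done
}

# Usage: compare_cmds 50
```

Because `bench_ms` spawns the command in a loop, the figure it reports includes fork/exec cost for both sides, which is exactly the cost libvirt pays per rule when it shells out; the difference between the two lines is the extra work of starting the firewall-cmd client and round-tripping through firewalld.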