[libvirt] [PATCH] Add support for firewalld
Daniel P. Berrange
berrange at redhat.com
Tue Apr 24 16:11:27 UTC 2012
On Tue, Apr 24, 2012 at 12:01:38PM -0400, Stefan Berger wrote:
> On 04/24/2012 11:27 AM, Daniel P. Berrange wrote:
> >On Tue, Apr 24, 2012 at 10:20:32AM -0400, Stefan Berger wrote:
> >>On 04/23/2012 05:11 PM, Thomas Woerner wrote:
> >>>Add support for firewalld
> >>>
> >>>* bridge_driver, nwfilter_driver: new dbus filters to get FirewallD1.Reloaded
> >>> signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1
> >>>* iptables, ebtables, nwfilter_ebiptables_driver: use firewall-cmd direct
> >>> passthrough interface
> >>After some more massaging of the nwfilter code, my suggestion would
> >>now be to split this patch up into two parts, one touching the
> >>nwfilter driver, the other (1st) part for the rest. I did a lot of
> >>changes in the nwfilter driver that I can send you and you may want
> >>to merge or I can merge it with your nwfilter-related code changes.
> >>
> >>It seems to be working when using the firewall-cmd, but
> >>unfortunately running the TCK test suite for example is like 8 times
> >>slower when using firewalld. Also the VM startup times have
> >>significantly increased. :-((
> >I wonder if that would be improved by making DBus calls directly
> >to firewalld, instead of invoking firewalld-cmd all the time. The
> >latter is unquestionably inefficient compared to DBus calls, but
> >it'd be interesting to know if that's really what's causing the
> >x8 slowdown.
>
> That would a bigger code change to go directly through DBus. I am
> currently accumulating CLI commands to execute and then run them in
> a batch.
>
> For comparison:
>
> time firewall-cmd --direct --passthrough eb -t nat -L
> [...]
> real 0m0.102s
> user 0m0.075s
> sys 0m0.013s
>
>
> versus
>
>
> time ebtables -t nat -L
> [...]
> real 0m0.003s
> user 0m0.000s
> sys 0m0.002s
>
> Well, I guess it adds up.
Yeah the DBus connection handshake being repeated soo many times, causing
many many context switches for each single rule to be added.
I wonder if firewall-cmd could be extended to allow multiple rules to
be specified at once. It'd just need some kind of character to be
designated as the separator for each rule.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the libvir-list
mailing list