[libvirt] [PATCH] Add support for firewalld

Daniel P. Berrange berrange at redhat.com
Tue Apr 24 16:11:27 UTC 2012


On Tue, Apr 24, 2012 at 12:01:38PM -0400, Stefan Berger wrote:
> On 04/24/2012 11:27 AM, Daniel P. Berrange wrote:
> >On Tue, Apr 24, 2012 at 10:20:32AM -0400, Stefan Berger wrote:
> >>On 04/23/2012 05:11 PM, Thomas Woerner wrote:
> >>>Add support for firewalld
> >>>
> >>>* bridge_driver, nwfilter_driver: new dbus filters to get FirewallD1.Reloaded
> >>>   signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1
> >>>* iptables, ebtables, nwfilter_ebiptables_driver: use firewall-cmd direct
> >>>   passthrough interface
> >>After some more massaging of the nwfilter code, my suggestion would
> >>now be to split this patch up into two parts, one touching the
> >>nwfilter driver, the other (1st) part for the rest. I did a lot of
> >>changes in the nwfilter driver that I can send you and you may want
> >>to merge or I can merge it with your nwfilter-related code changes.
> >>
> >>It seems to be working when using the firewall-cmd, but
> >>unfortunately running the TCK test suite for example is like 8 times
> >>slower when using firewalld. Also the VM startup times have
> >>significantly increased. :-((
> >I wonder if that would be improved by making DBus calls directly
> >to firewalld, instead of invoking firewalld-cmd all the time. The
> >latter is unquestionably inefficient compared to DBus calls, but
> >it'd be interesting to know if that's really what's causing the
> >x8 slowdown.
> 
> That would be a bigger code change to go directly through DBus. I am
> currently accumulating CLI commands to execute and then run them in
> a batch.
> 
> For comparison:
> 
> time firewall-cmd --direct --passthrough eb -t nat -L
> [...]
> real    0m0.102s
> user    0m0.075s
> sys    0m0.013s
> 
> 
> versus
> 
> 
> time ebtables -t nat -L
> [...]
> real    0m0.003s
> user    0m0.000s
> sys    0m0.002s
> 
> Well, I guess it adds up.

Yeah, the DBus connection handshake being repeated so many times, causing
many, many context switches for each single rule to be added.

I wonder if firewall-cmd could be extended to allow multiple rules to
be specified at once. It'd just need some kind of character to be
designated as the separator for each rule.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|