[libvirt] [PATCH] * configura.ac, spec file: firewalld now defaults to enabled, depends on dbus * fixed comment for with_firewalld define * bridge_driver, nwfilter_driver: new dbus filters to get FirewallD1.Reloaded signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1 * iptables, ebtables, nwfilter_ebiptables_driver: use firewall-cmd direct passthrough interface * spec file changed as requested

Daniel P. Berrange berrange at redhat.com
Tue Aug 14 09:08:10 UTC 2012


On Mon, Aug 13, 2012 at 04:24:04PM -0400, Laine Stump wrote:
> We can then decide at runtime whether or not to actually use the
> commands. You had mentioned on IRC the possibility of firewalld starting
> up after libvirt, or shutting down while libvirt is still running. The
> issue I see with that is that libvirt always cleans up after its
> iptables rules - if you destroy a libvirt network, it removes all the
> iptables rules. Likewise, when libvirtd is restarted, every rule for
> every network is deleted and re-added. What will happen if a network is
> started when firewalld isn't running, and then shutdown after firewalld
> is started? (i.e. rules were added with iptables) What about the
> opposite situation? And of course what about the situation where some of
> the networks have rules added by iptables, and some have rules added by
> firewalld, and we then want to restart libvirtd (delete / add all rules
> for all networks)?

We should likely have a QEMU driver configuration parameter to determine
which firewall impl to use. If not set we can detect at libvirtd startup
whether firewalld should be used or not.  If we enabled firewalld initially
and it is later stopped, we should raise an error when trying to start VMs

ie, we should *not* try to dynamically switch our firewall impl on the
fly. Pick one impl and then stick with it.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
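The "pick one impl at startup and stick with it" policy above, sketched as an added example; this is hypothetical code written for this thread, not libvirt's own, and the `fwProbeSim` / `fwSimSetFirewalld` helpers stand in for the real D-Bus check of whether org.fedoraproject.FirewallD1 has an owner.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Which firewall implementation the driver uses for its rules. */
typedef enum { FW_BACKEND_UNSET = 0, FW_BACKEND_IPTABLES, FW_BACKEND_FIREWALLD } fwBackend;

/* Probe callback: true if firewalld is reachable. Hypothetical; a real
 * implementation would ask D-Bus whether org.fedoraproject.FirewallD1 has an owner. */
typedef bool (*fwProbeFn)(void);

typedef struct {
    fwBackend backend;   /* chosen once at libvirtd startup, never changed afterwards */
    fwProbeFn probe;
} fwState;

/* Simulated probe so the example runs offline (constructed, not a real check). */
static bool firewalldUp = false;
void fwSimSetFirewalld(bool up) { firewalldUp = up; }
bool fwProbeSim(void) { return firewalldUp; }

/* Select the backend from a config value ("auto", "iptables", "firewalld").
 * "auto" probes once at startup and falls back to iptables when firewalld is absent.
 * Returns -1 on an unknown value. */
int fwStateInit(fwState *st, const char *config, fwProbeFn probe)
{
    st->probe = probe;
    if (!config || strcmp(config, "auto") == 0)
        st->backend = probe() ? FW_BACKEND_FIREWALLD : FW_BACKEND_IPTABLES;
    else if (strcmp(config, "iptables") == 0)
        st->backend = FW_BACKEND_IPTABLES;
    else if (strcmp(config, "firewalld") == 0)
        st->backend = FW_BACKEND_FIREWALLD;
    else
        return -1;
    return 0;
}

/* Called before starting a VM or network. If firewalld was chosen at startup
 * and has since gone away, that is an error; the driver does not silently
 * switch to plain iptables, so rules never end up split across two backends. */
int fwStateCheckBeforeStart(fwState *st, char *err, size_t errlen)
{
    if (st->backend == FW_BACKEND_FIREWALLD && !st->probe()) {
        snprintf(err, errlen, "firewalld backend selected at startup but firewalld is not running");
        return -1;
    }
    return 0;
}
```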