[libvirt] [firewalld PATCHv3] firewalld PATCH v3
Laine Stump
laine at laine.org
Wed Aug 15 15:43:33 UTC 2012
On 08/15/2012 11:24 AM, Laine Stump wrote:
> On 08/14/2012 02:59 PM, Thomas Woerner wrote:
>> * configura.ac, spec file: firewalld now defaults to enabled, depends on
>> dbus
>> * fixed comment for with_firewalld define
>> * bridge_driver, nwfilter_driver: new dbus filters to get FirewallD1.Reloaded
>> signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1
>> * iptables, ebtables, nwfilter_ebiptables_driver: use firewall-cmd direct
>> passthrough interface
>> * spec file changed as requested
>> ---
>> configure.ac | 17 ++++++++++++++++
>> libvirt.spec.in | 11 +++++++++++
>> src/Makefile.am | 4 ++--
>> src/network/bridge_driver.c | 47 +++++++++++++++++++++++++++++++++++++++++++++
>> src/util/ebtables.c | 35 +++++++++++++++++++++++++++++++++
>> src/util/iptables.c | 21 ++++++++++++++++++--
>> 6 files changed, 131 insertions(+), 4 deletions(-)
> This isn't ready to push yet:
>
> The previous versions of this patch also made changes to the nwfilter
> driver, but this one doesn't. Did you forget to add those to the commit?
>
> This patch is still doing a search for the path of firewall-cmd every
> time ebtablesAddRemoveRule or iptablesAddRemoveRule is called.
> That's very wasteful. It should instead just do the search once when
> libvirtd starts. You should be able to do this with the
> VIR_ONCE_GLOBAL_INIT() macro and an associated xxxOnceInit() function.
>
> Also, I don't see any check for whether or not to use firewall-cmd other
> than whether or not the binary exists - if firewalld is disabled, will
> firewall-cmd still succeed? (by just calling iptables directly maybe?)
> If not, then we need to check if firewalld is enabled at libvirtd start
> time, and search for/populate (or not) the firewall-cmd path accordingly
> (this is needed both for util/(eb|ip)tables.c and for
> nwfilter/nwtilter_ebiptables_driver.c).
>
> Finally, in the commit log message, please put a description of what the
> patch does, rather than what changes have been made since the previous
> revision of the patch.
Also your name/email address needs to be added to AUTHORs, otherwise
"make syntax-check" fails.
More information about the libvir-list
mailing list