
Re: [libvirt] [PATCH] Add support for firewalld



On 04/24/2012 11:27 AM, Daniel P. Berrange wrote:
> On Tue, Apr 24, 2012 at 10:20:32AM -0400, Stefan Berger wrote:
>> On 04/23/2012 05:11 PM, Thomas Woerner wrote:
>>> Add support for firewalld
>>>
>>> * bridge_driver, nwfilter_driver: new dbus filters to get FirewallD1.Reloaded
>>>    signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1
>>> * iptables, ebtables, nwfilter_ebiptables_driver: use firewall-cmd direct
>>>    passthrough interface
>> After some more massaging of the nwfilter code, my suggestion would
>> now be to split this patch up into two parts, one touching the
>> nwfilter driver, the other (1st) part for the rest. I did a lot of
>> changes in the nwfilter driver that I can send you and you may want
>> to merge or I can merge it with your nwfilter-related code changes.
>>
>> It seems to be working when using the firewall-cmd, but
>> unfortunately running the TCK test suite for example is like 8 times
>> slower when using firewalld. Also the VM startup times have
>> significantly increased. :-((
> I wonder if that would be improved by making DBus calls directly
> to firewalld, instead of invoking firewall-cmd all the time. The
> latter is unquestionably inefficient compared to DBus calls, but
> it'd be interesting to know if that's really what's causing the
> x8 slowdown.

That would be a bigger code change to go directly through DBus. I am currently accumulating CLI commands to execute and then run them in a batch.

For comparison:

time firewall-cmd --direct --passthrough eb -t nat -L
[...]
real    0m0.102s
user    0m0.075s
sys    0m0.013s


versus


time ebtables -t nat -L
[...]
real    0m0.003s
user    0m0.000s
sys    0m0.002s

Well, I guess it adds up.

  Stefan

