On 04/24/2012 11:27 AM, Daniel P. Berrange wrote:
> On Tue, Apr 24, 2012 at 10:20:32AM -0400, Stefan Berger wrote:
>> On 04/23/2012 05:11 PM, Thomas Woerner wrote:
>>> Add support for firewalld
>>>
>>> * bridge_driver, nwfilter_driver: new dbus filters to get FirewallD1.Reloaded
>>>   signal and DBus.NameOwnerChanged on org.fedoraproject.FirewallD1
>>> * iptables, ebtables, nwfilter_ebiptables_driver: use firewall-cmd direct
>>>   passthrough interface
>>
>> After some more massaging of the nwfilter code, my suggestion would
>> now be to split this patch up into two parts, one touching the
>> nwfilter driver, the other (1st) part for the rest. I did a lot of
>> changes in the nwfilter driver that I can send you and you may want
>> to merge or I can merge it with your nwfilter-related code changes.
>> It seems to be working when using the firewall-cmd, but
>> unfortunately running the TCK test suite for example is like 8 times
>> slower when using firewalld. Also the VM startup times have
>> significantly increased. :-((
>
> I wonder if that would be improved by making DBus calls directly
> to firewalld, instead of invoking firewalld-cmd all the time. The
> latter is unquestionably inefficient compared to DBus calls, but
> it'd be interesting to know if that's really what's causing the
> x8 slowdown.

That would be a bigger code change to go directly through DBus. I am
currently accumulating CLI commands to execute and then run them in a batch.

For comparison:

    time firewall-cmd --direct --passthrough eb -t nat -L
    [...]
    real 0m0.102s
    user 0m0.075s
    sys 0m0.013s

versus

    time ebtables -t nat -L
    [...]
    real 0m0.003s
    user 0m0.000s
    sys 0m0.002s

Well, I guess it adds up.

Stefan

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list