On Mon, Aug 13, 2012 at 04:24:04PM -0400, Laine Stump wrote:
> We can then decide at runtime whether or not to actually use the
> commands. You had mentioned on IRC the possibility of firewalld starting
> up after libvirt, or shutting down while libvirt is still running. The
> issue I see with that is that libvirt always cleans up after its
> iptables rules - if you destroy a libvirt network, it removes all the
> iptables rules. Likewise, when libvirtd is restarted, every rule for
> every network is deleted and re-added. What will happen if a network is
> started when firewalld isn't running, and then shut down after firewalld
> is started? (i.e. rules were added with iptables) What about the
> opposite situation? And of course what about the situation where some of
> the networks have rules added by iptables, and some have rules added by
> firewalld, and we then want to restart libvirtd (delete / add all rules
> for all networks)?

We should likely have a QEMU driver configuration parameter to determine
which firewall impl to use. If not set, we can detect at libvirtd startup
whether firewalld should be used or not. If we enabled firewalld initially
and it is later stopped, we should raise an error when trying to start VMs,
i.e. we should *not* try to dynamically switch our firewall impl on the
fly. Pick one impl and then stick with it.

Daniel

-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list