We currently have three areas of code which deal with firewall changes: the
bridge driver's iptables usage, the QEMU driver's ebtables usage for MAC
filters, and the nwfilter code. These all directly invoke the iptables/ebtables
commands or, in the case of nwfilter, invoke horrible generated shell scripts.

The latter in particular has always been an unpleasant design choice, but it
has been made much worse by support for firewalld. We are now invoking
firewall-cmd just in order to make a DBus method call to firewalld, which then
invokes the real *tables commands. This has a notable performance impact.

This proof of concept series introduces a new virFirewallPtr object for
encapsulating all firewall changes. It provides a transactional API for making
firewall changes, so the caller can define a set of rules which must either all
succeed or all fail, along with a set of rules to perform rollback upon
failure. It will either execute *tables commands directly or will call the
DBus method for firewalld directly.

The upshot is that it will become possible to unit test all the firewall code
much more easily, instead of having to rely on the integration testing that we
currently have for nwfilter. We will also have much improved performance by
avoiding the firewall-cmd tool, and easier to understand code too.

In this series I've only done the core infrastructure and the conversion of
the viriptables + virebtables source files. The work on nwfilter is a bigger
job that I'm still working on.

Daniel P. Berrange (7):
  Introduce a new set of helper macros for mocking symbols
  Create a re-usable DBus LD_PRELOAD mock library
  Switch systemd test to use generic dbus mock
  Add ability to register callback for virCommand dry run
  Introduce an object for managing firewall rulesets
  Convert bridge driver over to use new firewall APIs
  Convert ebtables code over to use firewall APIs

 include/libvirt/virterror.h       |   1 +
 po/POTFILES.in                    |   1 +
 src/Makefile.am                   |   2 +
 src/libvirt_private.syms          |  13 +
 src/network/bridge_driver_linux.c | 669 ++++++++++++++++----------------
 src/util/vircommand.c             |  47 ++-
 src/util/vircommand.h             |  12 +-
 src/util/virebtables.c            | 187 +++-------
 src/util/virerror.c               |   1 +
 src/util/virfirewall.c            | 653 +++++++++++++++++++++++++++++++++++++
 src/util/virfirewall.h            |  93 ++++++
 src/util/virfirewallpriv.h        |  45 +++
 src/util/viriptables.c            | 634 ++++++++++++++++-------------------
 src/util/viriptables.h            | 114 ++++--
 tests/Makefile.am                 |  30 +-
 tests/testutils.c                 |  18 +-
 tests/virfirewalltest.c           | 619 ++++++++++++++++++++++++++++++++++++
 tests/virkmodtest.c               |   8 +-
 tests/virmock.h                   | 298 +++++++++++++++++
 tests/virmockdbus.c               |  64 ++++
 tests/virnetdevbandwidthtest.c    |   3 +-
 tests/virsystemdmock.c            | 139 --------
 tests/virsystemdtest.c            |  89 ++++-
 23 files changed, 2626 insertions(+), 1114 deletions(-)
 create mode 100644 src/util/virfirewall.c
 create mode 100644 src/util/virfirewall.h
 create mode 100644 src/util/virfirewallpriv.h
 create mode 100644 tests/virfirewalltest.c
 create mode 100644 tests/virmock.h
 create mode 100644 tests/virmockdbus.c
 delete mode 100644 tests/virsystemdmock.c

-- 
1.8.5.3
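As an added illustration of the transactional semantics the cover letter describes (rules that must all succeed or all fail, with rollback rules run when a later rule fails), the following C sketch applies a rule set through a pluggable executor so that the same code can be exercised against a dry-run recorder in a test, in the spirit of the virCommand dry-run callback patch in this series. This is example code written for this page, not libvirt's code and not the virFirewall API the series introduces; the struct and function names, the dry-run recorder, and the virbr0 iptables rules are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical transactional firewall ruleset; not libvirt's virFirewall. */
#define MAX_RULES 16
#define MAX_LOG   64
#define CMD_LEN   128

typedef struct {
    char apply[CMD_LEN];    /* command that adds the rule */
    char rollback[CMD_LEN]; /* command that undoes it; empty if none */
} FwRule;

typedef struct {
    FwRule rules[MAX_RULES];
    size_t nrules;
} FwTransaction;

/* Executor hook: 0 on success, non-zero on failure. A real backend would
 * exec the *tables binary or call firewalld over DBus; the dry-run
 * executor below only records what would have run. */
typedef int (*FwExec)(const char *cmd, void *opaque);

typedef struct {
    char log[MAX_LOG][CMD_LEN];
    size_t nlog;
    const char *fail_on; /* substring that makes a command "fail" (test knob) */
} DryRun;

static int dry_run_exec(const char *cmd, void *opaque)
{
    DryRun *d = opaque;
    if (d->nlog < MAX_LOG)
        snprintf(d->log[d->nlog++], CMD_LEN, "%s", cmd);
    return (d->fail_on && strstr(cmd, d->fail_on)) ? -1 : 0;
}

static int fw_add_rule(FwTransaction *tx, const char *apply, const char *rollback)
{
    FwRule *r;
    if (tx->nrules >= MAX_RULES)
        return -1;
    r = &tx->rules[tx->nrules++];
    snprintf(r->apply, CMD_LEN, "%s", apply);
    snprintf(r->rollback, CMD_LEN, "%s", rollback ? rollback : "");
    return 0;
}

/* Apply rules in order. If rule i fails, run the rollback commands of
 * rules 0..i-1 in reverse order so the firewall is left as it was found.
 * Returns 0 when every rule applied, -1 when the set was rolled back. */
static int fw_apply(const FwTransaction *tx, FwExec exec, void *opaque)
{
    size_t i;
    for (i = 0; i < tx->nrules; i++)
        if (exec(tx->rules[i].apply, opaque) != 0)
            break;
    if (i == tx->nrules)
        return 0;
    /* Best effort: a failing rollback command is not itself rolled back. */
    while (i-- > 0)
        if (tx->rules[i].rollback[0] != '\0')
            exec(tx->rules[i].rollback, opaque);
    return -1;
}

/* Constructed scenario: three bridge-style rules for a hypothetical virbr0.
 * fail_on selects which command the dry run rejects (NULL: none fail). */
static DryRun example_state;

static int run_example(const char *fail_on)
{
    FwTransaction tx;
    memset(&tx, 0, sizeof(tx));
    memset(&example_state, 0, sizeof(example_state));
    example_state.fail_on = fail_on;
    fw_add_rule(&tx, "iptables -A FORWARD -i virbr0 -j ACCEPT",
                     "iptables -D FORWARD -i virbr0 -j ACCEPT");
    fw_add_rule(&tx, "iptables -A INPUT -i virbr0 -p udp --dport 53 -j ACCEPT",
                     "iptables -D INPUT -i virbr0 -p udp --dport 53 -j ACCEPT");
    fw_add_rule(&tx, "iptables -A INPUT -i virbr0 -p tcp --dport 53 -j ACCEPT",
                     "iptables -D INPUT -i virbr0 -p tcp --dport 53 -j ACCEPT");
    return fw_apply(&tx, dry_run_exec, &example_state);
}

static size_t example_log_count(void) { return example_state.nlog; }

static const char *example_log_entry(size_t idx)
{
    return idx < example_state.nlog ? example_state.log[idx] : "";
}

int main(void)
{
    size_t i;
    int rc = run_example("tcp --dport 53"); /* make the third rule fail */
    printf("apply returned %d; commands executed:\n", rc);
    for (i = 0; i < example_log_count(); i++)
        printf("  %s\n", example_log_entry(i));
    return 0;
}
```

With the third rule failing, the recorder shows three add commands followed by the two delete commands for the rules that did apply, in reverse order, and the caller sees a single failure instead of a half-applied set. Because the executor is a function pointer rather than a direct exec of iptables, the whole apply/rollback path is testable offline, which is the property the cover letter is after.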