
On Wed, Oct 19, 2011 at 03:14:20PM -0600, David Stevens wrote:
-----Matthias Bolte <matthias.bolte@googlemail.com> wrote: -----
Well, you miss the point that nwfilters is meant as a general firewall interface. ebtables/iptables just happens to be an implementation of this interface. Using ebtables/iptables specific shell scripts would replace the generic interface with something specific to ebtables/iptables.
No, I just don't agree with it. I think an administrator on OS "X" is already familiar with the firewall capabilities on his/her OS and so having a new, less-capable abstraction instead of the firewall s/he already knows is not a benefit. If these were instead hooks in libvirt that called sample scripts per-OS, administrators could easily do whatever they want to do when an interface is brought up, brought down, or migrated. They could then also make full use of their firewall capabilities and customize completely as needed.
Whether you agree with it or not is irrelevant for libvirt patch review discussions. The abstraction into an implementation independent syntax & API is the primary reason for libvirt's existence, and is not up for debate.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|