Re: [libvirt] [PATCH V2 00/10] Make inner workings of nwfilters more flexible + extensions
On Wed, Oct 19, 2011 at 03:14:20PM -0600, David Stevens wrote:
-----Matthias Bolte [1]<matthias.bolte(a)googlemail.com>
wrote: -----
>
>Well, you miss the point that nwfilters is meant as a general
>firewall
>interface. ebtables/iptables just happens to be an implementation of
>this interface. Using ebtables/iptables specific shell scripts would
>replace the generic interface with something specific to
>ebtables/iptables.
No, I just don't agree with it. I think an administrator on OS
"X"
is already familiar with the firewall capabilities on his/her OS and so
having
a new, less-capable abstraction instead of the firewall s/he already knows
is not a benefit. If these were instead hooks in libvirt that called
sample scripts
per-OS, administrators could easily do whatever they want to do when an
interface is brought up, brought down, or migrated. They could then also
make full use of their firewall capabilities and customize completely as
needed.
Whether you agree with it or not is irrelevant for libvirt patch review
discussions. The abstraction into a implementation independant syntax &
API is the primary reason for libvirt's existance, and is not up for
debate.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|