[libvirt] [PATCH V2 00/10] Make inner workings of nwfilters more flexible + extensions
Daniel P. Berrange
berrange at redhat.com
Thu Oct 20 08:39:04 UTC 2011
On Wed, Oct 19, 2011 at 03:14:20PM -0600, David Stevens wrote:
> -----Matthias Bolte <matthias.bolte at googlemail.com> wrote: -----
> >
> >Well, you miss the point that nwfilters is meant as a general firewall
> >interface. ebtables/iptables just happens to be an implementation of
> >this interface. Using ebtables/iptables specific shell scripts would
> >replace the generic interface with something specific to
> >ebtables/iptables.
>
> No, I just don't agree with it. I think an administrator on OS "X"
> is already familiar with the firewall capabilities on his/her OS and so
> having a new, less-capable abstraction instead of the firewall s/he already
> knows is not a benefit. If these were instead hooks in libvirt that called
> sample scripts per-OS, administrators could easily do whatever they want to
> do when an interface is brought up, brought down, or migrated. They could
> then also make full use of their firewall capabilities and customize
> completely as needed.
Whether you agree with it or not is irrelevant for libvirt patch review
discussions. The abstraction into an implementation-independent syntax &
API is the primary reason for libvirt's existence, and is not up for
debate.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|