[libvirt] [PATCH V2 00/10] Make inner workings of nwfilters more flexible + extensions

Daniel P. Berrange berrange at redhat.com
Thu Oct 20 08:39:04 UTC 2011


On Wed, Oct 19, 2011 at 03:14:20PM -0600, David Stevens wrote:
>    -----Matthias Bolte <matthias.bolte at googlemail.com> wrote: -----
>    >
>    >Well, you miss the point that nwfilters is meant as a general firewall
>    >interface. ebtables/iptables just happens to be an implementation of
>    >this interface. Using ebtables/iptables specific shell scripts would
>    >replace the generic interface with something specific to
>    >ebtables/iptables.
> 
>    No, I just don't agree with it. I think an administrator on OS "X"
>    is already familiar with the firewall capabilities on his/her OS and so
>    having a new, less-capable abstraction instead of the firewall s/he
>    already knows is not a benefit. If these were instead hooks in libvirt
>    that called sample scripts per-OS, administrators could easily do
>    whatever they want to do when an interface is brought up, brought down,
>    or migrated. They could then also make full use of their firewall
>    capabilities and customize completely as needed.

Whether you agree with it or not is irrelevant for libvirt patch review
discussions. The abstraction into an implementation-independent syntax &
API is the primary reason for libvirt's existence, and is not up for
debate.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|



