Stefan,
Can't you achieve the same thing by reserving an early block
of priorities (and a late one, for system stuff that should be done late)?
If you use negative numbers, then you lose the capability of
ever extending priorities to interpret the negative number as "from the end"
as done in ebtables/iptables line numbers. I think that is more useful, and
having to do that outside of priorities would mean extra parsing and encoding
to get that effect.
I also think that nwfilters ought to reflect the underlying filter
mechanisms as much as possible. Really, I'd prefer they were simply
parameterized shell scripts of ebtables/iptables commands run at significant
events (start-up, shutdown, migrate) instead of XML-encoded things. Then
the full feature sets of ebtables/iptables would be available "for free", instead
of requiring libvirt patches to, e.g., add "return/continue" or multiple chains.
Barring that, at least I think what nwfilters provides should be a close
map to ebtables/iptables capabilities. Mapping line numbers into a wide range
of priorities is straightforward, but if you use negative numbers in an ordinary
sort, you can no longer use the sign as ebtables/iptables does. Because
you've limited the range, you could do something hacky with offsets (anything
below "-1000" is "from the end" or some such), but that's arcane.
Using priorities in multiple places is very like programming in basic
and what both ebtables/iptables and nwfilters could use better I think would
be the capability to label rules by name and reference the label to identify the
rule location. Then you might, e.g., add a rule at "myrules + 5" and don't care
what particular priority/line number "myrules" is.
+-DLS
Can't you achieve the same thing by reserving an early block
of priorities (and a late one, for system stuff that should be done late)?
If you use negative numbers, then you lose the capability of
ever extending priorities to interpret the negative number as "from the end"
as done in ebtables/iptables line numbers. I think that is more useful, and
having to do that outside of priorities would mean extra parsing and encoding
to get that effect.
I also think that nwfilters ought to reflect the underlying filter
mechanisms as much as possible. Really, I'd prefer they were simply
parameterized shell scripts of ebtables/iptables commands run at significant
events (start-up, shutdown, migrate) instead of XML-encoded things. Then
the full feature sets of ebtables/iptables would be available "for free", instead
of requiring libvirt patches to, e.g., add "return/continue" or multiple chains.
Barring that, at least I think what nwfilters provides should be a close
map to ebtables/iptables capabilities. Mapping line numbers into a wide range
of priorities is straightforward, but if you use negative numbers in an ordinary
sort, you can no longer use the sign as ebtables/iptables does. Because
you've limited the range, you could do something hacky with offsets (anything
below "-1000" is "from the end" or some such), but that's arcane.
Using priorities in multiple places is very like programming in basic
and what both ebtables/iptables and nwfilters could use better I think would
be the capability to label rules by name and reference the label to identify the
rule location. Then you might, e.g., add a rule at "myrules + 5" and don't care
what particular priority/line number "myrules" is.
+-DLS
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list