Re: [PATCH V2 00/10] Make inner workings of nwfilters more flexible + extensions

2011/10/19 David Stevens <dlstevens@xxxxxxxxxx>:

> I also think that nwfilters ought to reflect the underlying filter
> mechanisms as much as possible. Really, I'd prefer they were simply
> parameterized shell scripts of ebtables/iptables commands run at significant
> events (start-up, shutdown, migrate) instead of XML-encoded things. Then
> the full feature sets of ebtables/iptables would be available "for free",
> instead of requiring libvirt patches to, e.g., add "return/continue" or
> multiple chains.

Well, you miss the point that nwfilters is meant as a general firewall
interface. ebtables/iptables just happens to be an implementation of
this interface. Using ebtables/iptables specific shell scripts would
replace the generic interface with something specific to
ebtables/iptables.

The general nwfilters interface allows having an ebtables/iptables-based
implementation for the Linux-based hypervisors and an ipfw-based
implementation for FreeBSD and other implementations that are specific
to VirtualBox, ESX, Hyper-V, PowerHypervisor etc. How well the
nwfilters interface maps to all those different firewalls is another
question, but with this general interface there is at least the
possibility to configure the different firewalls of different
hypervisors via libvirt.

-- 
Matthias Bolte
http://photron.blogspot.com

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


