2011/10/19 David Stevens <dlstevens@xxxxxxxxxx>: > > -----Matthias Bolte <matthias.bolte@xxxxxxxxxxxxxx> wrote: ----- > >> >>Well, you miss the point that nwfilters is meant as a general >>firewall >>interface. ebtables/iptables just happens to be an implementation of >>this interface. Using ebtables/iptables specific shell scripts would >>replace the generic interface with something specific to >>ebtables/iptables. > > No, I just don't agree with it. I think an administrator on OS > "X" > is already familiar with the firewall capabilities on his/her OS and so > having > a new, less-capable abstraction instead of the firewall s/he already knows > is not a benefit. If these were instead hooks in libvirt that called sample > scripts > per-OS, administrators could easily do whatever they want to do when an > interface is brought up, brought down, or migrated. They could then also > make full use of their firewall capabilities and customize completely as > needed. The goal of libvirt is to give you an interface that is not specific to the underlying hypervisor, firewall, storage etc. In case of your suggestion about firewall specific scripts that are triggered by libvirt on specific events, this is already possible. Libvirt provides you with such hooks: http://libvirt.org/hooks.html -- Matthias Bolte http://photron.blogspot.com -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list