[Engine-devel] Gluster IPTable configuration

Alon Bar-Lev alonbl at redhat.com
Mon Sep 3 09:51:44 UTC 2012



----- Original Message -----
> From: "Doron Fediuck" <dfediuck at redhat.com>
> To: "Itamar Heim" <iheim at redhat.com>
> Cc: "David Jaša" <djasa at redhat.com>, engine-devel at ovirt.org
> Sent: Monday, September 3, 2012 9:09:04 AM
> Subject: Re: [Engine-devel] Gluster IPTable configuration
> 
> > 
> > why not use the chains approach, and have a chain per service?
> > 
> 
> Since you wish to avoid collisions.
> So for gluster only, have a VIRT prefix as well.

If an implementation separates the WHAT from the HOW, it may be easier to maintain.

---
WHAT

Merge several iptables rules into one node iptables.

HOW

Use templates to build string, send string as a file in remote.
---

As you can see, the HOW (which is the actual implementation) knows nothing about iptables, so it is simple and can be reused. The whole logic of the WHAT is put into the metadata, where humans may customize it without touching the code, even when iptables gets messy and complex.

An example of WHAT and HOW that are not separated is the authentication/authorization (Kerberos/LDAP) implementation, where both WHAT and HOW are inter-connected; the cost of adding a new environment in this case is huge.

Doron suggested using comments or some signature within the iptables configuration; this is what templates are all about. However, instead of re-inventing the wheel, a standard text-based template engine can be used.

The template (the WHAT) may use custom chains or regular chains; it is not important, as the implementation (the HOW) does not look into the content.

Alon.
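The WHAT/HOW split described in the message above, as an added example that is not part of the thread and not oVirt's own code: the WHAT is a set of per-service text templates (one custom chain per service, plus the jump into it), the HOW is a few lines that fill the templates, wrap them in a node-level template and splice the result into an existing iptables-restore file between signature comments. Chain names, ports, placeholder names and the marker comments are constructed for this example; the only iptables-aware code is an optional pre-flight check for chains that are referenced but never declared.

```python
import re
from string import Template

# Signature comments that delimit the engine-managed region of the node file.
# Constructed for this example; iptables-restore ignores lines starting with '#'.
BEGIN_MARK = "# BEGIN engine-managed rules"
END_MARK = "# END engine-managed rules"

# The WHAT: per-service fragments in iptables-restore syntax. Each service
# declares its own chain and its own jump from INPUT, so the code below never
# has to parse rule content. Chain names and placeholders are constructed.
SERVICE_TEMPLATES = {
    "vdsm": Template(
        ":VIRT-VDSM - [0:0]\n"
        "-A INPUT -j VIRT-VDSM\n"
        "-A VIRT-VDSM -p tcp -m tcp --dport ${vdsm_port} -j ACCEPT\n"
    ),
    "gluster": Template(
        ":VIRT-GLUSTER - [0:0]\n"
        "-A INPUT -j VIRT-GLUSTER\n"
        "-A VIRT-GLUSTER -p tcp -m tcp --dport ${gluster_mgmt_port} -j ACCEPT\n"
        "-A VIRT-GLUSTER -p tcp -m tcp --dport ${brick_port_low}:${brick_port_high} -j ACCEPT\n"
    ),
}

# Node-level template: merges all service fragments into one filter table.
NODE_TEMPLATE = Template(
    "*filter\n"
    ":INPUT ACCEPT [0:0]\n"
    ":FORWARD ACCEPT [0:0]\n"
    ":OUTPUT ACCEPT [0:0]\n"
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n"
    "-A INPUT -i lo -j ACCEPT\n"
    "${services}"
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n"
    "COMMIT\n"
)


def render_services(enabled):
    """Render the fragment of every enabled service.

    ``enabled`` maps service name -> dict of template parameters. An unknown
    service or a missing placeholder raises KeyError, so bad metadata is
    caught before anything is sent to a node.
    """
    return "".join(SERVICE_TEMPLATES[name].substitute(params)
                   for name, params in enabled.items())


def build_ruleset(enabled):
    """The HOW: merge the rendered fragments into one marked ruleset string."""
    body = NODE_TEMPLATE.substitute(services=render_services(enabled))
    return f"{BEGIN_MARK}\n{body}{END_MARK}\n"


def replace_managed_block(existing, generated):
    """Replace the marked region of an existing file, or append when absent.

    Re-running with the same input yields the same file, so pushing the
    result to a node is idempotent and local rules outside the markers survive.
    """
    pattern = re.compile(re.escape(BEGIN_MARK) + r"\n.*?" + re.escape(END_MARK) + r"\n",
                         re.S)
    if pattern.search(existing):
        return pattern.sub(lambda _m: generated, existing, count=1)
    sep = "\n" if existing and not existing.endswith("\n") else ""
    return existing + sep + generated


def undeclared_chains(ruleset):
    """Pre-flight check: chains used by -A or -j that are neither built-in
    targets/chains nor declared with a ':' line in the same ruleset.

    This only catches a template typo early; the node should still validate
    the file with ``iptables-restore --test`` before applying it.
    """
    builtin = {"INPUT", "FORWARD", "OUTPUT", "ACCEPT", "DROP", "REJECT", "RETURN"}
    declared = set(re.findall(r"^:(\S+)", ruleset, re.M))
    used = set(re.findall(r"^-A (\S+)", ruleset, re.M))
    used |= set(re.findall(r"-j (\S+)", ruleset))
    return sorted(used - declared - builtin)


if __name__ == "__main__":
    # Constructed per-node metadata; the engine would fill this from its DB.
    enabled = {"vdsm": {"vdsm_port": 54321},
               "gluster": {"gluster_mgmt_port": 24007,
                           "brick_port_low": 24009, "brick_port_high": 24100}}
    ruleset = build_ruleset(enabled)
    print(replace_managed_block("# local rules kept as-is\n", ruleset))
    print("undeclared chains:", undeclared_chains(ruleset))
```

Because the service templates carry their own chain declarations and jumps, adding a service is a metadata change only; the code that ships the file to the node never changes, which is the point of the separation argued for above.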


