[Engine-devel] Gluster IPTable configuration

David Jaša djasa at redhat.com
Mon Sep 3 11:42:56 UTC 2012


What about using netcf for the configuration, similar to what libvirt does?
http://libvirt.org/formatnwfilter.html

IMHO it should solve the problem temporarily before firewalld matures.

David

PS: Please keep me out of CC; I'm more than happy when I watch these
discussions via the list.


Alon Bar-Lev wrote on Mon 03. 09. 2012 at 05:51 -0400:
> 
> ----- Original Message -----
> > From: "Doron Fediuck" <dfediuck at redhat.com>
> > To: "Itamar Heim" <iheim at redhat.com>
> > Cc: "David Jaša" <djasa at redhat.com>, engine-devel at ovirt.org
> > Sent: Monday, September 3, 2012 9:09:04 AM
> > Subject: Re: [Engine-devel] Gluster IPTable configuration
> > 
> > > 
> > > why not use the chains approach, and have a chain per service?
> > > 
> > 
> > Since you wish to avoid collisions.
> > So for gluster only, have a VIRT prefix as well.
> 
> If an implementation may separate between the WHAT and the HOW, it may be easier to maintain.
> 
> ---
> WHAT
> 
> Merge several iptables rules into one node iptables.
> 
> HOW
> 
> Use templates to build a string, send the string as a file to the remote.
> ---
> 
> As you can see, the HOW (which is the actual implementation) knows nothing about iptables. So it is simple and can be reused. The whole logic of the WHAT is put into the metadata, which humans may customize without touching the code, even when iptables gets messy and complex.
> 
> An example of WHAT and HOW that are not separated is the authentication/authorization (Kerberos/LDAP) implementation, where both WHAT and HOW are interconnected; the cost of adding a new environment in this case is huge.
> 
> Doron suggested using comments or some signature within the iptables configuration. This is what templates are all about; however, instead of re-inventing the wheel, a standard text-based template engine can be used.
> 
> The template (the WHAT) may use custom chains or regular chains; it is not important, as the implementation (the HOW) is not looking into the content.
> 
> Alon.

-- 

David Jaša, RHCE

SPICE QE based in Brno
GPG Key:     22C33E24 
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
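
The WHAT/HOW split described in the quoted message, as an added example that is not part of the original thread or of oVirt's code: per-service fragments (one custom chain per service, as suggested earlier in the thread) are rendered with a standard template engine and merged into one iptables-restore file. The fragment layout, chain names, variable names and port values are constructed assumptions, and sending the resulting string to the remote host is left out.

```python
import re
from string import Template

# WHAT: metadata an administrator can edit without touching the code below.
# Constructed sample fragments; chain names, variable names and ports are assumptions.
FRAGMENTS = {
    "virt": {
        "chains": ":VIRT-IN - [0:0]\n",
        "rules": "-A INPUT -j VIRT-IN\n"
                 "-A VIRT-IN -p tcp --dport $vdsm_port -j ACCEPT\n",
    },
    "gluster": {
        "chains": ":GLUSTER-IN - [0:0]\n",
        "rules": "-A INPUT -j GLUSTER-IN\n"
                 "-A GLUSTER-IN -p tcp --dport $gluster_port -j ACCEPT\n",
    },
}
NODE_TEMPLATE = (
    "*filter\n:INPUT ACCEPT [0:0]\n${chains}${rules}"
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited\nCOMMIT\n"
)

# Values are restricted to one token: whitespace or a newline in a value
# would otherwise let it add options or whole rules to the rendered file.
_SAFE_VALUE = re.compile(r"[A-Za-z0-9_.:/-]+")


def render(template, values):
    """HOW: generic text substitution with no knowledge of iptables."""
    for name, value in values.items():
        if not _SAFE_VALUE.fullmatch(str(value)):
            raise ValueError(f"unsafe value for {name}: {value!r}")
    # substitute() raises KeyError for an undefined variable instead of
    # leaving a literal "$name" in the firewall file.
    return Template(template).substitute(values)


def build_node_rules(services, values):
    """Merge the selected services' fragments into one iptables-restore file."""
    chains = "".join(render(FRAGMENTS[s]["chains"], values) for s in services)
    rules = "".join(render(FRAGMENTS[s]["rules"], values) for s in services)
    return Template(NODE_TEMPLATE).substitute(chains=chains, rules=rules)


if __name__ == "__main__":
    print(build_node_rules(["virt", "gluster"],
                           {"vdsm_port": 54321, "gluster_port": 24007}), end="")
```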





