----- Original Message -----
From: "Doron Fediuck" <dfediuck(a)redhat.com>
To: "Itamar Heim" <iheim(a)redhat.com>
Cc: "David Jaša" <djasa(a)redhat.com>, engine-devel(a)ovirt.org
Sent: Monday, September 3, 2012 9:09:04 AM
Subject: Re: [Engine-devel] Gluster IPTable configuration
>
> why not use the chains approach, and have a chain per service?
>
Since you wish to avoid collisions.
So for gluster only, have a VIRT prefix as well.
If an implementation separates the WHAT from the HOW, it may be easier to maintain.
---
WHAT
Merge several iptables rules into one node iptables.
HOW
Use templates to build a string, send the string as a file to the remote.
---
As you can see, the HOW (which is the actual implementation) knows nothing about iptables.
So it is simple and can be reused. The whole logic of the WHAT is put into the metadata, where
humans may customize it without touching the code, even when iptables gets messy and
complex.
An example of WHAT and HOW that are not separated is the authentication/authorization
(Kerberos/LDAP) implementation, where both WHAT and HOW are inter-connected; the cost of
adding a new environment in this case is huge.
Doron suggested using comments or some signature within the iptables configuration. This
is what templates are all about; however, instead of re-inventing the wheel, a standard
text-based template engine can be used.
The template (the WHAT) may use custom chains or regular chains; it does not matter, as the
implementation (the HOW) does not look into the content.
Alon.
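The WHAT/HOW split described in the message above, as an added example that is not part of the thread or of oVirt's code: the service metadata and the text templates are the WHAT (a human edits them), while the renderer is the HOW, a plain template substitution that merges every service into one iptables-restore fragment with one prefixed chain per service and refuses duplicate chain names so two services cannot collide on a chain. The service names, the VIRT prefix on every service, the port numbers, and the helper names (`render_ruleset`, `write_ruleset`, `chain_name`) are assumptions made for this example.

```python
from string import Template

# WHAT: per-service metadata that a human edits. Constructed sample data for
# this example; the service names and ports are hypothetical, not oVirt's.
SERVICES = [
    {"name": "gluster", "prefix": "VIRT", "tcp_ports": [24007, 24008]},
    {"name": "vdsm", "prefix": "VIRT", "tcp_ports": [54321]},
]

# WHAT: the text templates. Chain names, jumps and matches live here;
# the HOW below only substitutes placeholders and never parses iptables.
CHAIN_DECL = Template(":$chain - [0:0]\n")
CHAIN_BLOCK = Template(
    "# service $name, managed chain $chain\n"
    "-A INPUT -j $chain\n"
    "$rules"
    "-A $chain -j RETURN\n"
)
PORT_RULE = Template("-A $chain -p tcp --dport $port -j ACCEPT\n")


def chain_name(service):
    """Prefix + upper-cased service name, e.g. VIRT_GLUSTER (hypothetical scheme)."""
    return "%s_%s" % (service["prefix"], service["name"].upper())


def render_ruleset(services):
    """HOW: merge every service's template into one iptables-restore fragment.

    Refuses duplicate chain names so two services cannot silently share
    (and clobber) one chain.
    """
    seen = set()
    decls, blocks = [], []
    for svc in services:
        chain = chain_name(svc)
        if chain in seen:
            raise ValueError("chain name collision: %s" % chain)
        seen.add(chain)
        rules = "".join(PORT_RULE.substitute(chain=chain, port=p)
                        for p in svc["tcp_ports"])
        decls.append(CHAIN_DECL.substitute(chain=chain))
        blocks.append(CHAIN_BLOCK.substitute(name=svc["name"], chain=chain, rules=rules))
    # Fragment meant for `iptables-restore --noflush`: built-in chains are left
    # untouched, only the managed per-service chains are declared and filled.
    return "*filter\n" + "".join(decls) + "".join(blocks) + "COMMIT\n"


def write_ruleset(path, services):
    """HOW: persist the rendered text; this file is what would be shipped to the node."""
    text = render_ruleset(services)
    with open(path, "w") as f:
        f.write(text)
    return text


if __name__ == "__main__":
    print(render_ruleset(SERVICES), end="")
```

Adding a service means adding one metadata entry; changing how a service is filtered means editing a template. Neither touches `render_ruleset`, which is the point of keeping the HOW ignorant of iptables.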