Re: [Xen-devel] [PATCH 3/5] hotplug/linux: Improve iptables logic
Hi,

> I meant that rather than having a subroutine which adds a wildcard
> rule, you have an explicit "any" address, and tracking if it's been
> added, etc.

I used the "any" keywords because when you add v6 you need to differentiate the case "none" allowed and "any" allowed to support the case where only v6 or only v4 is allowed. So you can't just rely on having an empty variable any more since it's more a "tri-state".

Also, in my patch set, instead of hardcoding 'FORWARD', I also used variables to make customization easier when integrating with software like ufw where the user rules should go in a separate chain (whose name is different in v4 and v6), so the frob_iptables_command call needs one more argument. At that point calling iptables directly is not far off.

> Please take a look and see if you prefer my approach.

Sorry, but no, I don't see it as better, at best equivalent.

I can admit that some aspects of the v4 patch might not make sense on their own and they're only there to more properly support the v6 and have a better symmetry in how v4/v6 are processed and ease customization.

I'd have to see how it works with v6 and user customization but I'm not going to implement the v6 and redo all the testing purely to see if it's at best equivalent in my eyes.

Cheers,

Sylvain Munaut

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel