On 07/26/2017 05:59 PM, Major Hayden wrote:
>
> firewalld disadvantages
> -----------------------
> 1) Different distributions have different base rule sets

Also, different distributions offer different versions of firewalld, which means different behavior and possibly bugs between them. The Ansible module may not always 'mask' such things; we are either going to spend time improving the module or working around all these in our playbooks. Improving the upstream module is of course a good thing, but I just wanted to point out the maintenance cost of that.

> 2) Medium/High complexity rules require --direct, which is like using
> iptables anyway
> 3) It's another daemon to manage/monitor
> 4) We wouldn't be able to use firewalld's "zones" very heavily
> 5) Saving/restoring iptables rules is battle-tested already

I am slightly in favor of iptables (or even nftables), mostly because they provide a stable, known interface which can work for simple and complex rules. As your 2nd point above correctly states, if we start using the 'direct' rule feature of firewalld, then we will end up having a mixture of pure firewalld and iptables rules, which may not be the cleaner option in terms of maintainability.

--
markos
SUSE LINUX GmbH | GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg) Maxfeldstr. 5, D-90409, Nürnberg

OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
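To make the "mixture" concern concrete, here is an added illustration (not from the thread or from openstack-ansible) of the three forms a single "allow one service from one subnet" rule can take in a playbook; the zone, subnet and port values are constructed, and the direct rule is issued through the CLI because this example assumes the firewalld Ansible module offers no parameter for it.

```yaml
# Added example, not openstack-ansible code. Values (zone, subnet, port)
# are constructed for illustration.

# 1) Native firewalld: expressed in firewalld's own vocabulary (zone + service).
#    Behaviour depends on the distribution's base zone definitions.
- name: Allow HTTPS in the public zone via firewalld
  firewalld:
    zone: public
    service: https
    permanent: true
    immediate: true
    state: enabled

# 2) firewalld "direct" rule: firewalld is still the daemon in charge, but the
#    rule body after "INPUT 0" is raw iptables syntax. A playbook that needs
#    source filtering or chain ordering ends up here, and now maintains both
#    styles at once. (Assumption: no module parameter exists for this, so the
#    CLI is used; changed_when is set because the command is not idempotent.)
- name: Allow a constructed API port from one subnet via a direct rule
  command: >
    firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0
    -p tcp --dport 9292 -s 10.0.0.0/24 -j ACCEPT
  changed_when: false
  notify: reload firewalld

# 3) Plain iptables module: same intent as (2), one vocabulary, no extra daemon.
#    Persistence across reboots is a separate concern (iptables-save/restore).
- name: Allow the same constructed API port from one subnet via iptables
  iptables:
    chain: INPUT
    protocol: tcp
    source: 10.0.0.0/24
    destination_port: "9292"
    jump: ACCEPT
```

Rule (2) is what the quoted point 2 refers to: once it appears, reviewers must read both firewalld zone semantics and iptables match syntax to understand the host's effective policy.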