During the ipset implementation, we designed a refactor [1] to clean up
the firewall driver a bit, and move all the ipset low-level knowledge
down into the IpsetManager.

I'd like to see this merged for J, and it's a bit of an urgent matter
to decide, because we keep adding small changes [2] [3], fruit of the
early testing, which break the refactor, and will add extra work which
needs to be refactored too.

The advantage of merging now, vs in J, is having K & J share a more common 
code base, which would help us during bug backports/etc in the future.

Shihanzhang and I are happy to see this merge during K, as it doesn't
incur functional changes, just code blocks are moved from the iptables
firewall driver to IpsetManager, and the corresponding tests are moved too.

This is where I'd like to see the driver going, in conjunction with a separate
driver for Iptables+Ipset, but that second part is a change which
can't be done now (CI changes, documentation, etc.)

[1] https://review.openstack.org/#/c/120806/ 
[2] https://review.openstack.org/#/c/121455/
[3] to be done: not re-loading iptables when only ipset group members change.
[4] to be done: better locking strategy (Brian Haley is looking at that)

Best regards,
Miguel Ángel Ajo.

OpenStack-dev mailing list