During the ipset implementatio, we designed a refactor  to cleanup the firewall driver a bit, and move all the ipset low-level knowledge down into the IpsetManager.
I'd like to see this merged for J, and, it's a bit of an urgent matter to decide, because we keep adding small changes   fruit of the early testing which break the refactor, and will add extra work which needs to be refactored too. The advantage of merging now, vs in J, is having K & J share a more common code base, which would help us during bug backports/etc in the future. Shihanzhang and I, are happy to see this merge during K, as it doesn't incur in functional changes, just code blocks are moved from the iptables firewall driver to IpsetManager, and the corresponding tests are moved too. This is where I'd like to see the driver going, in conjunction with a separate driver for Iptables+Ipset, but that second part is change which can't be done now (CI changes, documentation, etc.)  https://review.openstack.org/#/c/120806/  https://review.openstack.org/#/c/121455/  to be done: not re-loading iptables when only ipset group members change.  to be done: better locking strategy (brian haley is looking at that) Best regards, Miguel Ángel Ajo. _______________________________________________ OpenStack-dev mailing list OpenStackemail@example.com http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev