Code review comment for lp:~soren/nova/iptables-concurrency

Todd Willey (xtoddx) wrote :

So nova-local is now used for FORWARD and OUTPUT, whereas before it was only used for FORWARD, correct? Why the change?

Is use_nova_chains used anymore? It seems to have been replaced with the 'wrap' parameter. It may be prettier to have a helper function wrapped_chain('INPUT') or nova_chain('FORWARD') that we could use as the first parameter to add_rule, since we'd have the name in one spot, instead of having to look at two different parameters to determine what the actual chain name is. That also might let us get rid of the IptablesRule class and just store rules as tuples of (chain, rule).

I'm not quite done with this review, but I wanted to give you my early comments.
