Hi Solene,

Thanks for the great work! I wrote the iptables service in the hope of some day extending it to something like this, but you've beaten me to it! :-)

Some feedback follows.

Your implementation duplicates some of the code in the iptables service. How about making it simply /extend/ the iptables service with the generated rules? This way, you won't have to handle the start/stop iptables-restore gexps. The iptables service, when stopped, already has the correct behaviour of opening all ports.

WDYT?

Regards,
Arun