[ovs-dev] [ovs-ctl 4/4] Avoid inserting duplicate iptables rules when restarting vswitch.

Andrew Evans aevans at nicira.com
Tue Jun 21 23:02:49 UTC 2011


On Tue, 2011-06-21 at 12:45 -0700, Ben Pfaff wrote:
> On startup, some OVS initscripts insert an iptables rule to allow GRE
> traffic (because GRE support is an important OVS feature).  I noticed that,
> each time I restarted OVS, this added another GRE-related rule to the
> iptables chain.  This is wasteful, because each additional rule increases
> the time it takes to process a packet in the IP stack.
> 
> This commit avoids the problem by inserting an iptables rule when there
> isn't already an appropriate rule.  It also avoids inserting an iptables
> rule if the iptables policy is ACCEPT, meaning that packets are accepted
> by default; in such a case, if the GRE packet would be dropped, it is
> because the system administrator made that decision explicitly.

What if, instead of making the default INPUT policy ACCEPT, the sysadmin
puts a '--jump DROP' rule at the end of the chain to accomplish the same
thing?

The code looks good to me.
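As an added illustration (not OVS's own initscript code, and not part of this thread): a POSIX sh function that takes the text printed by `iptables -S INPUT` and decides whether an initscript should insert a rule accepting GRE (IP protocol 47). It implements the two checks from the commit message (skip when an accepting GRE rule already exists, skip when the chain policy is ACCEPT) and, going beyond it, treats a catch-all `-j DROP` or `-j REJECT` rule with no match criteria as equivalent to a DROP policy, which is the case raised above. The listings are constructed, and the function name and its `skip-existing`, `skip-policy-accept` and `insert` result strings are this example's own.

```shell
#!/bin/sh
# Added example, not from OVS: decide whether an initscript should add an
# iptables rule accepting GRE (IP protocol 47) on the INPUT chain.
# Input : the text of `iptables -S INPUT` (one rule spec per line).
# Output: skip-existing, skip-policy-accept or insert (this example's own terms).
gre_rule_decision() {
    listing=$1
    policy=$(printf '%s\n' "$listing" | awk '$1 == "-P" && $2 == "INPUT" { print $3 }')

    # 1. A rule accepting GRE is already present: adding another would only
    #    create a duplicate that every incoming packet has to be matched against.
    if printf '%s\n' "$listing" | grep -Eq '^-A INPUT .*-p (gre|47)( .*)? -j ACCEPT( |$)'; then
        echo skip-existing
        return 0
    fi

    # 2. A catch-all DROP/REJECT rule with no match criteria behaves like a
    #    DROP policy, so treat it as one (assumption that goes beyond the commit).
    if printf '%s\n' "$listing" | grep -Eq '^-A INPUT -j (DROP|REJECT)( |$)'; then
        policy=DROP
    fi

    # 3. Default ACCEPT with nothing dropping GRE: the administrator has
    #    left the traffic open, so there is nothing to do.
    if [ "$policy" = ACCEPT ]; then
        echo skip-policy-accept
        return 0
    fi

    echo insert
}

# Constructed listings in the format printed by `iptables -S INPUT`.
LISTING_DUPLICATE=$(cat <<'EOF'
-P INPUT DROP
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
)
LISTING_OPEN=$(cat <<'EOF'
-P INPUT ACCEPT
EOF
)
LISTING_TRAILING_DROP=$(cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
EOF
)
LISTING_CLOSED=$(cat <<'EOF'
-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
)

printf 'duplicate rule present:  %s\n' "$(gre_rule_decision "$LISTING_DUPLICATE")"
printf 'policy ACCEPT, no rules: %s\n' "$(gre_rule_decision "$LISTING_OPEN")"
printf 'policy ACCEPT, -j DROP:  %s\n' "$(gre_rule_decision "$LISTING_TRAILING_DROP")"
printf 'policy DROP, ssh only:   %s\n' "$(gre_rule_decision "$LISTING_CLOSED")"
```

In a real initscript the listing would come from `iptables -S INPUT` and the `insert` result would lead to a single `iptables -I INPUT -p gre -j ACCEPT`; the third listing is the one where a policy-only check would wrongly skip the rule and leave GRE traffic dropped by the trailing catch-all.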
