[ovs-dev] [ovs-ctl 4/4] Avoid inserting duplicate iptables rules when restarting vswitch.
Andrew Evans
aevans at nicira.com
Tue Jun 21 23:35:18 UTC 2011
On Tue, 2011-06-21 at 16:09 -0700, Ben Pfaff wrote:
> On Tue, Jun 21, 2011 at 04:02:49PM -0700, Andrew Evans wrote:
> > What if, instead of making the default INPUT policy ACCEPT, the sysadmin
> > puts a '--jump DROP' rule at the end of the chain instead to accomplish
> > the same thing?
>
> I'm pretty sure that iptables is Turing complete. I just picked some
> heuristics that seemed like they would usually be correct. Another
> alternative would be to remove that test entirely. We'd get an
> unneeded rule sometimes but at least it would be consistent.
>
> What do you think?
Yes, I think I'd just remove the INPUT policy check.
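As an added illustration (not ovs-ctl's own code and not part of this thread), the following POSIX shell sketch shows the approach Andrew settles on: drop the INPUT-policy heuristic entirely and make the insertion idempotent instead, so that however many times the switch is restarted the rule is present exactly once. It assumes `iptables -C` (the rule-check operation, available in iptables 1.4.11 and later) exists; the `fake_iptables` file-backed stand-in, the `ensure_input_rule`/`count_rule` names and the sample UDP 4789 rule are constructed for this example so it runs offline and unprivileged. Set `IPTABLES=iptables` and run as root to drive the real tool.

```shell
#!/bin/sh
# Added example, not ovs-ctl's code: insert an INPUT rule exactly once,
# regardless of the chain's default policy or of a trailing "-j DROP".
# Assumes "iptables -C" (check) is available. Defaults to the constructed
# fake backend below; IPTABLES=iptables selects the real tool.

IPTABLES="${IPTABLES:-fake_iptables}"

# ensure_input_rule RULE...
# Insert "iptables -I INPUT RULE..." only if an identical rule is not already
# in the chain. Returns 0 when the rule is present afterwards, whether or not
# this call inserted it. Calling it on every restart is therefore safe.
ensure_input_rule() {
    if "$IPTABLES" -C INPUT "$@" 2>/dev/null; then
        return 0                  # already present: do not stack a duplicate
    fi
    "$IPTABLES" -I INPUT "$@"
}

# count_rule RULE...
# Number of exact-text matches of the rule in INPUT, as printed by "-S".
# Exact matching is fine for the fake backend; real iptables normalises rule
# text (e.g. adds "-m udp"), so treat this as a test helper only.
count_rule() {
    "$IPTABLES" -S INPUT | grep -Fcx -e "-A INPUT $*" || true
}

# Constructed stand-in for iptables that keeps the INPUT chain in a file.
# Supports only what the example needs: -C (check), -I (insert), -S (dump).
FAKE_CHAIN="${FAKE_CHAIN:-$(mktemp)}"
trap 'rm -f "$FAKE_CHAIN"' EXIT
fake_iptables() {
    op=$1; chain=$2; shift 2
    case $op in
        -C) grep -Fqx -e "-A $chain $*" "$FAKE_CHAIN" ;;
        -I) printf '%s %s %s\n' "-A" "$chain" "$*" >> "$FAKE_CHAIN" ;;
        -S) cat "$FAKE_CHAIN" ;;
        *)  echo "fake_iptables: unsupported operation $op" >&2; return 2 ;;
    esac
}

# Demo: two "restarts" in a row. The sample rule is constructed.
ensure_input_rule -p udp --dport 4789 -j ACCEPT
ensure_input_rule -p udp --dport 4789 -j ACCEPT
echo "rule count: $(count_rule -p udp --dport 4789 -j ACCEPT)"   # prints 1
```

The check is deliberately independent of `iptables -P INPUT`: whether the admin relies on an ACCEPT policy or on a final `-j DROP` rule, the worst case is one unneeded ACCEPT rule, never a growing pile of copies.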