[ovs-dev] [ovs-ctl 4/4] Avoid inserting duplicate iptables rules when restarting vswitch.

Ben Pfaff blp at nicira.com
Tue Jun 21 23:41:03 UTC 2011


On Tue, Jun 21, 2011 at 04:35:18PM -0700, Andrew Evans wrote:
> On Tue, 2011-06-21 at 16:09 -0700, Ben Pfaff wrote:
> > On Tue, Jun 21, 2011 at 04:02:49PM -0700, Andrew Evans wrote:
> > > What if, instead of making the default INPUT policy ACCEPT, the sysadmin
> > > puts a '--jump DROP' rule at the end of the chain instead to accomplish
> > > the same thing?
> > 
> > I'm pretty sure that iptables is Turing complete.  I just picked some
> > heuristics that seemed like they would usually be correct.  Another
> > alternative would be to remove that test entirely.  We'd get an
> > unneeded rule sometimes but at least it would be consistent.
> > 
> > What do you think?
> 
> Yes, I think I'd just remove the INPUT policy check.

OK, here's an incremental, how's it look?  Thanks.

diff --git a/utilities/ovs-ctl.8 b/utilities/ovs-ctl.8
index c57631b..7aa8408 100644
--- a/utilities/ovs-ctl.8
+++ b/utilities/ovs-ctl.8
@@ -260,19 +260,13 @@ nothing, assuming that lack of filtering means that the protocol is
 enabled.
 .
 .IP \(bu
-If the \fBINPUT\fR chain has a default \fBACCEPT\fR policy, this
-command does nothing, assuming that if there are rules installed to
-drop the traffic then this is intentional policy on the system
-administrator's part.
-.
-.IP \(bu
 If the \fBINPUT\fR chain has a rule that matches the specified
 protocol, then this command does nothing, assuming that whatever rule
 is installed reflects the system administrator's decisions.
 .
 .IP \(bu
-Otherwise, this command installs a rule that caused traffic of the
-specified protocol to be accepted.
+Otherwise, this command installs a rule that accepts traffic of the
+specified protocol.
 .
 .PP
 This command normally completes successfully, even if it does
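Review bot: with the first bullet dropped, the manpage no longer tells the administrator what happens when the INPUT chain's default policy is already ACCEPT, which is exactly the case this change alters: a rule is now installed there too. The remaining bullets only cover "a rule matches" and "otherwise", so add a sentence to the "Otherwise" bullet such as "This rule is installed regardless of the chain's default policy." so the new behavior is stated rather than implied. The rewording to "installs a rule that accepts traffic of the specified protocol" is correct and reads well.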
diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in
index 9a6d26e..4d1ce18 100755
--- a/utilities/ovs-ctl.in
+++ b/utilities/ovs-ctl.in
@@ -292,19 +292,15 @@ enable_protocol () {
     insert="$insert -j ACCEPT"
 
     if (iptables -S INPUT) >/dev/null 2>&1; then
-        if iptables -S INPUT | grep '^-P INPUT ACCEPT$' >/dev/null; then
-            log_success_msg "iptables INPUT policy is ACCEPT, not explicitly enabling $name"
-        else
-            case `iptables -S INPUT | sed "$search"` in
-                '')
-                    action "Enabling $name with iptables" $insert
-                    ;;
-                *)
-                    # There's already a rule for this protocol.  Don't override it.
-                    log_success_msg "iptables already has a rule for $name, not explicitly enabling"
-                    ;;
-            esac
-        fi
+        case `iptables -S INPUT | sed "$search"` in
+            '')
+                action "Enabling $name with iptables" $insert
+                ;;
+            *)
+                # There's already a rule for this protocol.  Don't override it.
+                log_success_msg "iptables already has a rule for $name, not explicitly enabling"
+                ;;
+        esac
     elif (iptables --version) >/dev/null 2>&1; then
         action "iptables binary not installed, not adding a rule for $name"
     else
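Review bot: the `case` at the top of the hunk cannot distinguish "no matching rule" from "iptables -S INPUT failed or printed nothing", because the backtick substitution discards the pipeline's exit status and an empty result lands in the `''` branch that runs `$insert`. The earlier `(iptables -S INPUT) >/dev/null 2>&1` test narrows this, but a failure between the two invocations still ends in an insert attempt. Capturing the listing once and checking its status, for example `rules=$(iptables -S INPUT) || return`, then matching on `"$rules"`, removes both the second call and the ambiguity. Separately, now that the ACCEPT-policy branch is gone, the comment "There's already a rule for this protocol.  Don't override it." is the only place that records that a DROP rule for the protocol is deliberately honored; it is worth saying so explicitly, since that is the administrator's-decision behavior the manpage promises.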

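The difference between the two heuristics discussed above, worked through as an added example that is not ovs-ctl's own code: two decision functions are run over embedded, constructed `iptables -S INPUT` listings (so nothing needs root or iptables), covering the case Andrew Evans raised of an ACCEPT policy with a trailing `-j DROP`. The grep patterns, the sample chains and the `-I`/`-A` choice are assumptions for the example; ovs-ctl keeps its own sed expression in `$search` and builds its own insert command.

```shell
#!/bin/sh
# Added example, not ovs-ctl's own code.  Models the decision logic the
# thread discusses over constructed `iptables -S INPUT` output embedded
# below, so it runs without root and without iptables installed.
# Patterns, sample chains and the -I/-A choice are assumptions here.

# Decision under the OLD heuristic that the patch removes: a default
# ACCEPT policy means "do nothing"; otherwise insert unless some rule
# already mentions the protocol.
old_rule_needed() {
    # $1: text of `iptables -S INPUT`, $2: pattern identifying the protocol
    if printf '%s\n' "$1" | grep '^-P INPUT ACCEPT$' >/dev/null; then
        return 1
    fi
    ! printf '%s\n' "$1" | grep -- "$2" >/dev/null
}

# Decision under the NEW logic: the policy line is ignored, and a rule is
# inserted whenever no existing rule mentions the protocol.
new_rule_needed() {
    ! printf '%s\n' "$1" | grep -- "$2" >/dev/null
}

# Where an added ACCEPT rule must go to take effect.  If the chain ends in
# an unconditional DROP or REJECT (the case raised in the thread), a rule
# appended with -A would sit after it and never match, so it has to be
# inserted at the top with -I.  Prints the flag letter on stdout.
insert_flag() {
    if printf '%s\n' "$1" | grep -E '^-A INPUT -j (DROP|REJECT)$' >/dev/null; then
        printf 'I'
    else
        printf 'A'
    fi
}

# Compose (but do not run) the command the new logic would execute.
# $1: chain listing, $2: protocol pattern, $3: match arguments for the rule
plan_rule() {
    if new_rule_needed "$1" "$2"; then
        printf 'iptables -%s INPUT %s -j ACCEPT\n' "$(insert_flag "$1")" "$3"
    else
        printf 'no change: a rule for this protocol already exists\n'
    fi
}

# Constructed sample 1: permissive policy, but a catch-all DROP at the end.
# The old heuristic sees "-P INPUT ACCEPT" and does nothing, leaving GRE
# blocked; the new logic adds a rule, and it must go at the top.
PERMISSIVE_BUT_DROP='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP'

# Constructed sample 2: the administrator has already decided about GRE.
# Both versions leave that decision alone, even though it is a DROP.
ADMIN_DROPS_GRE='-P INPUT DROP
-A INPUT -p gre -j DROP'

# Assumed pattern; ovs-ctl uses its own sed expression instead.
GRE_PATTERN='-p gre'

if old_rule_needed "$PERMISSIVE_BUT_DROP" "$GRE_PATTERN"; then
    echo "old heuristic: would insert"
else
    echo "old heuristic: would skip (policy is ACCEPT), GRE stays blocked"
fi
echo "new logic:     $(plan_rule "$PERMISSIVE_BUT_DROP" "$GRE_PATTERN" "$GRE_PATTERN")"
echo "admin rule:    $(plan_rule "$ADMIN_DROPS_GRE" "$GRE_PATTERN" "$GRE_PATTERN")"
```

The `insert_flag` helper is the practitioner's caveat that follows from the thread: once the policy line is ignored, a chain that ends in a catch-all DROP is handled correctly only if the new ACCEPT rule is placed before it, so the position of the insert matters as much as the decision to insert.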