[ovs-dev] [ovs-ctl 4/4] Avoid inserting duplicate iptables rules when restarting vswitch.
Ben Pfaff
blp at nicira.com
Tue Jun 21 23:41:03 UTC 2011
On Tue, Jun 21, 2011 at 04:35:18PM -0700, Andrew Evans wrote:
> On Tue, 2011-06-21 at 16:09 -0700, Ben Pfaff wrote:
> > On Tue, Jun 21, 2011 at 04:02:49PM -0700, Andrew Evans wrote:
> > > What if, instead of making the default INPUT policy ACCEPT, the sysadmin
> > > puts a '--jump DROP' rule at the end of the chain instead to accomplish
> > > the same thing?
> >
> > I'm pretty sure that iptables is Turing complete. I just picked some
> > heuristics that seemed like they would usually be correct. Another
> > alternative would be to remove that test entirely. We'd get an
> > unneeded rule sometimes but at least it would be consistent.
> >
> > What do you think?
>
> Yes, I think I'd just remove the INPUT policy check.
OK, here's an incremental, how's it look? Thanks.
diff --git a/utilities/ovs-ctl.8 b/utilities/ovs-ctl.8
index c57631b..7aa8408 100644
--- a/utilities/ovs-ctl.8
+++ b/utilities/ovs-ctl.8
@@ -260,19 +260,13 @@ nothing, assuming that lack of filtering means that the protocol is
enabled.
.
.IP \(bu
-If the \fBINPUT\fR chain has a default \fBACCEPT\fR policy, this
-command does nothing, assuming that if there are rules installed to
-drop the traffic then this is intentional policy on the system
-administrator's part.
-.
-.IP \(bu
If the \fBINPUT\fR chain has a rule that matches the specified
protocol, then this command does nothing, assuming that whatever rule
is installed reflects the system administrator's decisions.
.
.IP \(bu
-Otherwise, this command installs a rule that caused traffic of the
-specified protocol to be accepted.
+Otherwise, this command installs a rule that accepts traffic of the
+specified protocol.
.
.PP
This command normally completes successfully, even if it does
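Review bot: with the ACCEPT-policy bullet removed, the "Otherwise" bullet is now the only description of what happens on a host that has no protocol-specific rule, and it does not say where in the `INPUT` chain the rule lands. That matters for the case raised earlier in this thread: a sysadmin who ends the chain with a `--jump DROP` rule now gets a rule added, and whether it takes effect depends on whether `$insert` inserts at the head or appends at the tail. Suggest stating the placement explicitly in that bullet, e.g. "installs a rule at the head of the \fBINPUT\fR chain that accepts traffic of the specified protocol" (matching whatever `$insert` actually does). The "caused" to "accepts" wording fix in the same bullet is correct.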
diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in
index 9a6d26e..4d1ce18 100755
--- a/utilities/ovs-ctl.in
+++ b/utilities/ovs-ctl.in
@@ -292,19 +292,15 @@ enable_protocol () {
insert="$insert -j ACCEPT"
if (iptables -S INPUT) >/dev/null 2>&1; then
- if iptables -S INPUT | grep '^-P INPUT ACCEPT$' >/dev/null; then
- log_success_msg "iptables INPUT policy is ACCEPT, not explicitly enabling $name"
- else
- case `iptables -S INPUT | sed "$search"` in
- '')
- action "Enabling $name with iptables" $insert
- ;;
- *)
- # There's already a rule for this protocol. Don't override it.
- log_success_msg "iptables already has a rule for $name, not explicitly enabling"
- ;;
- esac
- fi
+ case `iptables -S INPUT | sed "$search"` in
+ '')
+ action "Enabling $name with iptables" $insert
+ ;;
+ *)
+ # There's already a rule for this protocol. Don't override it.
+ log_success_msg "iptables already has a rule for $name, not explicitly enabling"
+ ;;
+ esac
elif (iptables --version) >/dev/null 2>&1; then
action "iptables binary not installed, not adding a rule for $name"
else
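Review bot: the removal itself is straightforward, but the unchanged `elif (iptables --version)` branch just below the new `case` logs "iptables binary not installed" in exactly the situation where the binary is present and runs: that branch is reached only when `iptables --version` succeeds and `iptables -S INPUT` fails (for example, insufficient privilege or missing netfilter modules). The message should say something like "cannot list iptables rules, not adding a rule for $name", leaving the "not installed" wording for the final `else`. Also, now that the `sed "$search"` match is the only guard, the `''` arm fires only if `$search` prints nothing for a non-matching chain; worth double-checking that the script uses a print-only-on-match form, otherwise the rule would never be added.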