[ovs-dev] [ovs-ctl 4/4] Avoid inserting duplicate iptables rules when restarting vswitch.

Ben Pfaff blp at nicira.com
Wed Jun 22 16:15:44 UTC 2011


On Tue, Jun 21, 2011 at 05:42:50PM -0700, Andrew Evans wrote:
> On Tue, 2011-06-21 at 16:41 -0700, Ben Pfaff wrote:
> > On Tue, Jun 21, 2011 at 04:35:18PM -0700, Andrew Evans wrote:
> > > On Tue, 2011-06-21 at 16:09 -0700, Ben Pfaff wrote:
> > > > On Tue, Jun 21, 2011 at 04:02:49PM -0700, Andrew Evans wrote:
> > > > > What if, instead of making the default INPUT policy ACCEPT, the sysadmin
> > > > > puts a '--jump DROP' rule at the end of the chain instead to accomplish
> > > > > the same thing?
> > > > 
> > > > I'm pretty sure that iptables is Turing complete.  I just picked some
> > > > heuristics that seemed like they would usually be correct.  Another
> > > > alternative would be to remove that test entirely.  We'd get an
> > > > unneeded rule sometimes but at least it would be consistent.
> > > > 
> > > > What do you think?
> > > 
> > > Yes, I think I'd just remove the INPUT policy check.
> > 
> > OK, here's an incremental, how's it look?  Thanks.
> 
> That looks fine to me, thanks. Push whenever you're ready.

Thanks, I tested it again and pushed it.


