[ovs-git] Open vSwitch: debian: Do not change iptables rules by default. (branch-1.7)

dev at openvswitch.org dev at openvswitch.org
Wed Jul 18 17:26:11 UTC 2012


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Open vSwitch".

The branch, branch-1.7 has been updated
       via  0736e068b43d6b47c0bdeef780ba116c57cdc0b1 (commit)
      from  1345642d9d3664b438845cd5da55fee1aba6608e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 0736e068b43d6b47c0bdeef780ba116c57cdc0b1
Diffs: http://openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=commitdiff;h=0736e068b43d6b47c0bdeef780ba116c57cdc0b1
Author: Ben Pfaff <blp at nicira.com>
		
debian: Do not change iptables rules by default.
		
Debian kernel maintainer Bastian Blank writes, at
http://bugs.debian.org/680537:

   The netfilter rules are a shared resource. There is no synchronization,
   so the admin has the last word. As kernel maintainer, I see it similar
   to a configuration file, so §10.7 policy applies.

   The purpose of openvswitch is to provide support for switching, not to
   set up filter rules. This means it violates the principle of least
   surprise.

I believe that the argument by analogy to configuration files is weak,
given that the Debian policy section in question is very specifically about
files, not about general principles.  On the other hand, Debian does not
install any firewall by default, so the presence of a rule that blocks GRE
traffic is a sign that the administrator has taken an explicit action to
install a firewall that blocks GRE, and therefore it is rather rude to
override this.  Therefore, this patch simply turns off this behavior on
Debian, given that in ordinary Debian installations it will have no
adverse effect on Open vSwitch.

Debian bug #680537.
CC: 680537 at bugs.debian.org
Reported-by: Bastian Blank <waldi at debian.org>
Signed-off-by: Ben Pfaff <blp at nicira.com>
Acked-by: Simon Horman <horms at verge.net.au>


-----------------------------------------------------------------------

Summary of changes:
 debian/openvswitch-switch.init |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)


hooks/post-receive
-- 
Open vSwitch


