On Tue, 2011-06-21 at 12:45 -0700, Ben Pfaff wrote:
> On startup, some OVS initscripts insert an iptables rule to allow GRE
> traffic (because GRE support is an important OVS feature). I noticed that,
> each time I restarted OVS, this added another GRE-related rule to the
> iptables chain. This is wasteful, because each additional rule increases
> the time it takes to process a packet in the IP stack.
>
> This commit avoids the problem by inserting an iptables rule when there
> isn't already an appropriate rule. It also avoids inserting an iptables
> rule if the iptables policy is ACCEPT, meaning that packets are accepted
> by default; in such a case, if the GRE packet would be dropped, it is
> because the system administrator made that decision explicitly.
What if, instead of making the default INPUT policy ACCEPT, the sysadmin puts a '--jump DROP' rule at the end of the chain instead to accomplish the same thing?

The code looks good to me.
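The decision the commit message describes (skip when the policy is ACCEPT or a GRE rule already exists) and the trailing-DROP case raised in the reply, modelled as an added shell example. This is not the OVS initscript code; the chain dumps are constructed `iptables -S INPUT` output and the function names are my own.

```shell
#!/bin/sh
# Constructed `iptables -S INPUT` dumps (not captured from a real host).
# Policy ACCEPT, but the admin blocks everything with a catch-all DROP:
DUMP_ACCEPT_TRAILING_DROP='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP'
# Policy DROP, no GRE rule yet:
DUMP_DROP_POLICY='-P INPUT DROP
-A INPUT -p tcp --dport 22 -j ACCEPT'
# Policy DROP, GRE rule already present (a previous restart added it):
DUMP_HAS_GRE='-P INPUT DROP
-A INPUT -p gre -j ACCEPT'

# gre_rule_decision DUMP  ->  prints "insert" or "skip"
# Models the heuristic from the commit message: skip when the INPUT
# policy is ACCEPT or an accept rule for GRE is already in the chain.
gre_rule_decision() {
    dump=$1
    policy=$(printf '%s\n' "$dump" | awk '$1 == "-P" && $2 == "INPUT" { print $3 }')
    if [ "$policy" = "ACCEPT" ]; then
        echo skip; return 0
    fi
    if printf '%s\n' "$dump" | grep -q -- '^-A INPUT -p gre -j ACCEPT$'; then
        echo skip; return 0
    fi
    echo insert
}

# gre_effectively_dropped DUMP  ->  prints "yes" or "no"
# Walks the chain in order, as a GRE packet would: the first matching
# "-p gre -j ACCEPT" accepts it, an unconditional "-j DROP" drops it,
# otherwise the chain policy decides. This is what the heuristic above
# cannot see when the admin uses a trailing DROP instead of policy DROP.
gre_effectively_dropped() {
    dump=$1
    printf '%s\n' "$dump" | awk '
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 == "-A" && $2 == "INPUT" && $3 == "-p" && $4 == "gre" && $NF == "ACCEPT" {
            print "no"; found = 1; exit }
        $1 == "-A" && $2 == "INPUT" && NF == 4 && $3 == "-j" && $4 == "DROP" {
            print "yes"; found = 1; exit }
        END { if (!found) print (policy == "DROP" ? "yes" : "no") }'
}

# On the trailing-DROP host the heuristic says "skip" while GRE is in
# fact dropped: the gap the reply points out.
echo "decision: $(gre_rule_decision "$DUMP_ACCEPT_TRAILING_DROP")"
echo "gre dropped: $(gre_effectively_dropped "$DUMP_ACCEPT_TRAILING_DROP")"
```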
