On Tue, Jun 21, 2011 at 04:02:49PM -0700, Andrew Evans wrote:
> On Tue, 2011-06-21 at 12:45 -0700, Ben Pfaff wrote:
> > On startup, some OVS initscripts insert an iptables rule to allow GRE
> > traffic (because GRE support is an important OVS feature). I noticed that,
> > each time I restarted OVS, this added another GRE-related rule to the
> > iptables chain. This is wasteful, because each additional rule increases
> > the time it takes to process a packet in the IP stack.
> >
> > This commit avoids the problem by inserting an iptables rule when there
> > isn't already an appropriate rule. It also avoids inserting an iptables
> > rule if the iptables policy is ACCEPT, meaning that packets are accepted
> > by default; in such a case, if the GRE packet would be dropped, it is
> > because the system administrator made that decision explicitly.
>
> What if, instead of making the default INPUT policy ACCEPT, the sysadmin
> puts a '--jump DROP' rule at the end of the chain instead to accomplish
> the same thing?
I'm pretty sure that iptables is Turing complete. I just picked some
heuristics that seemed like they would usually be correct.

Another alternative would be to remove that test entirely. We'd get an
unneeded rule sometimes but at least it would be consistent.

What do you think?
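The decision the thread is debating, written out as an added example (not the OVS initscript's own code): it inspects an `iptables -S INPUT` listing, skips the insert when a GRE ACCEPT rule is already present or the chain is genuinely open, and treats the trailing unconditional DROP that Andrew describes as "not open". The function names, the exact rule form `-p gre -j ACCEPT`, and the sample listings are assumptions.

```shell
#!/bin/sh
# Added example: idempotent insertion of a GRE ACCEPT rule into INPUT.
# The decision is made from the text `iptables -S INPUT` prints, so the
# logic can be exercised offline on constructed listings (below, in the
# test); the rule shape "-A INPUT -p gre -j ACCEPT" is an assumption.

# gre_rule_needed RULES
#   RULES is the output of `iptables -S INPUT`. Prints "insert" or "skip".
#   skip  : an ACCEPT rule for GRE (proto gre / 47) already exists, or the
#           chain policy is ACCEPT and no unconditional DROP/REJECT rule
#           closes the chain.
#   insert: otherwise (policy DROP, or policy ACCEPT with a trailing DROP).
gre_rule_needed() {
    policy_accept=0 have_gre=0 trailing_drop=0
    while IFS= read -r line; do
        case "$line" in
            "-P INPUT ACCEPT") policy_accept=1 ;;
            "-A INPUT -p gre -j ACCEPT"|"-A INPUT -p 47 -j ACCEPT") have_gre=1 ;;
            "-A INPUT -j DROP"|"-A INPUT -j REJECT"*) trailing_drop=1 ;;
            "-A INPUT "*) trailing_drop=0 ;;  # a later rule: that drop was not terminal
        esac
    done <<EOF
$1
EOF
    if [ "$have_gre" -eq 1 ]; then
        echo skip
    elif [ "$policy_accept" -eq 1 ] && [ "$trailing_drop" -eq 0 ]; then
        echo skip
    else
        echo insert
    fi
}

# ensure_gre_rule: apply the decision to the live firewall (needs root and
# iptables on PATH; not exercised by the offline test).
ensure_gre_rule() {
    rules=$(iptables -S INPUT) || return 1
    if [ "$(gre_rule_needed "$rules")" = insert ]; then
        iptables -I INPUT -p gre -j ACCEPT
    fi
}
```

Running `ensure_gre_rule` repeatedly leaves at most one GRE rule in place, which is the duplicate-rule problem the commit message describes.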
