On Tue, Jun 21, 2011 at 05:42:50PM -0700, Andrew Evans wrote:
> On Tue, 2011-06-21 at 16:41 -0700, Ben Pfaff wrote:
> > On Tue, Jun 21, 2011 at 04:35:18PM -0700, Andrew Evans wrote:
> > > On Tue, 2011-06-21 at 16:09 -0700, Ben Pfaff wrote:
> > > > On Tue, Jun 21, 2011 at 04:02:49PM -0700, Andrew Evans wrote:
> > > > > What if, instead of making the default INPUT policy ACCEPT, the sysadmin
> > > > > puts a '--jump DROP' rule at the end of the chain instead to accomplish
> > > > > the same thing?
> > > >
> > > > I'm pretty sure that iptables is Turing complete. I just picked some
> > > > heuristics that seemed like they would usually be correct. Another
> > > > alternative would be to remove that test entirely. We'd get an
> > > > unneeded rule sometimes but at least it would be consistent.
> > > >
> > > > What do you think?
> > >
> > > Yes, I think I'd just remove the INPUT policy check.
> >
> > OK, here's an incremental, how's it look? Thanks.
>
> That looks fine to me, thanks. Push whenever you're ready.

Thanks, I tested it again and pushed it.
