On 04/13/2013 12:53 AM, Ben Pfaff wrote:
> On Fri, Apr 12, 2013 at 01:50:43PM -0700, Gurucharan Shetty wrote:
>> Till now, by default, we add firewall holes for
>> gre traffic. There may be users that do not use gre tunnels
>> and they may be surprised with this behavior.
>
> It would be nice to add a sentence or a paragraph mentioning why we
> leave the hole for XenServer.
>
> These two patches seem OK to me--I think this is a better approach
> overall--but I think it would be nice to complete our conversation
> with Lorand in the thread for the patch he posted, and try to reach
> consensus, before we apply them.

I also lean towards keeping the ports closed by default, but I'm pretty
sure there will be several users bitten by this. Perhaps we can add a
paragraph to INSTALL.RHEL and INSTALL.XenServer (and the FAQ?) about
some tunnel ports needing holes in the firewall, and how to "properly"
configure OVS so the necessary ports are opened automatically on system
and OVS restart (and closed on OVS stop).

-Lori
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev