Bug#680537: [ovs-dev] [PATCH] debian: Do not change iptables rules by default.

Thu, 12 Jul 2012 22:50:21 -0700 

On Thu, Jul 12, 2012 at 09:17:11PM -0700, Ben Pfaff wrote:
> Debian kernel maintainer Bastian Blank writes, at
> http://bugs.debian.org/680537:
> 
>    The netfilter rules are a shared resource. There is no synchronization,
>    so the admin have the last word. As kernel maintainer, I see it similar
>    to a configuration file, so ยง10.7 policy applies.
> 
>    The purpose of openvswitch is to provide support for switching, not to
>    setup filter rules. This means it violates the principle of least
>    surprise.
> 
> I believe that the argument by analogy to configuration files is weak,
> given that the Debian policy section in question is very specifically about
> files, not about general principles.  On the other hand, Debian does not
> install any firewall by default, so the presence of a rule that blocks GRE
> traffic is a sign that the administrator has taken an explicit action to
> install a firewall that blocks GRE, and therefore it is rather rude to
> override this.  Therefore, this patch simply turns off this behavior on
> Debian, given that in ordinary Debian installations it will have no
> adverse effect on Open vSwitch.

FWIW, I am in complete agreement with Ben on this.

> Debian bug #680537.
> CC: 680...@bugs.debian.org
> Reported-by: Bastian Blank <wa...@debian.org>
> Signed-off-by: Ben Pfaff <b...@nicira.com>
> ---
>  debian/openvswitch-switch.init |    2 --
>  1 files changed, 0 insertions(+), 2 deletions(-)
> 
> diff --git a/debian/openvswitch-switch.init b/debian/openvswitch-switch.init
> index 3c93720..f650f87 100755
> --- a/debian/openvswitch-switch.init
> +++ b/debian/openvswitch-switch.init
> @@ -72,8 +72,6 @@ start () {
>      fi
>      set "$@" $OVS_CTL_OPTS
>      "$@" || exit $?
> -
> -    ovs_ctl --protocol=gre enable-protocol
>  }
>  
>  stop () {
> -- 
> 1.7.2.5
> 
> _______________________________________________
> dev mailing list
> d...@openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to