On Fri, Jul 13, 2012 at 02:19:10PM +0900, Simon Horman wrote:
> On Thu, Jul 12, 2012 at 09:48:34PM -0700, Ben Pfaff wrote:
> > On Fri, Jul 13, 2012 at 01:46:39PM +0900, Simon Horman wrote:
> > > On Thu, Jul 12, 2012 at 09:17:11PM -0700, Ben Pfaff wrote:
> > > > Debian kernel maintainer Bastian Blank writes, at
> > > > http://bugs.debian.org/680537:
> > > >
> > > >     The netfilter rules are a shared resource. There is no
> > > >     synchronization, so the admin have the last word. As kernel
> > > >     maintainer, I see it similar to a configuration file, so §10.7
> > > >     policy applies.
> > > >
> > > >     The purpose of openvswitch is to provide support for switching,
> > > >     not to setup filter rules. This means it violates the principle
> > > >     of least surprise.
> > > >
> > > > I believe that the argument by analogy to configuration files is weak,
> > > > given that the Debian policy section in question is very specifically
> > > > about files, not about general principles. On the other hand, Debian
> > > > does not install any firewall by default, so the presence of a rule
> > > > that blocks GRE traffic is a sign that the administrator has taken an
> > > > explicit action to install a firewall that blocks GRE, and therefore
> > > > it is rather rude to override this. Therefore, this patch simply turns
> > > > off this behavior on Debian, given that in ordinary Debian
> > > > installations it will have no adverse effect on Open vSwitch.
> > >
> > > FWIW, I am in complete agreement with Ben on this.
> >
> > Want to give me an Acked-by?
>
> Acked-by: Simon Horman <ho...@verge.net.au>

I uploaded this to Debian as -4. It's already installed in the
archive, although the build failed on ia64 for strange reasons:
        http://openvswitch.org/pipermail/dev/2012-July/019025.html

Justin is going to branch for 1.8 today, then I'll push this to
master.