debian: Do not change iptables rules by default.

Debian kernel maintainer Bastian Blank writes, at
http://bugs.debian.org/680537:

   The netfilter rules are a shared resource. There is no synchronization,
   so the admin have the last word. As kernel maintainer, I see it similar
   to a configuration file, so §10.7 policy applies.

   The purpose of openvswitch is to provide support for switching, not to
   setup filter rules. This means it violates the principle of least
   surprise.

I believe that the argument by analogy to configuration files is weak,
given that the Debian policy section in question is very specifically about
files, not about general principles.  On the other hand, Debian does not
install any firewall by default, so the presence of a rule that blocks GRE
traffic is a sign that the administrator has taken an explicit action to
install a firewall that blocks GRE, and therefore it is rather rude to
override this.  Therefore, this patch simply turns off this behavior on
Debian, given that in ordinary Debian installations it will have no
adverse effect on Open vSwitch.

Debian bug #680537.
CC: 680537@bugs.debian.org
Reported-by: Bastian Blank <waldi@debian.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Simon Horman <horms@verge.net.au>

diff --git a/debian/openvswitch-switch.init b/debian/openvswitch-switch.init
index 3c937205599bc00fbcca3195d73b8cbae07ef466..f650f8731cde080a01e6ad78ae8f56b7924eddd3 100755 (executable)
--- a/debian/openvswitch-switch.init
+++ b/debian/openvswitch-switch.init
@@ -72,8 +72,6 @@ start () {
     fi
     set "$@" $OVS_CTL_OPTS
     "$@" || exit $?
-
-    ovs_ctl --protocol=gre enable-protocol
 }
 
 stop () {