On Fri, Jul 06, 2012 at 03:16:03PM -0700, Ben Pfaff wrote:
> On Fri, Jul 06, 2012 at 06:13:25PM +0200, Bastian Blank wrote:
> > The openvswitch-switch init script modifies filter rules using iptables
> > without consent by the admin.
> Where are the requirements spelled out?  I couldn't quickly find
> anything in policy about this.

The netfilter rules are a shared resource. There is no synchronization,
so the admin has the last word. As kernel maintainer, I see it similar
to a configuration file, so §10.7 policy applies.

The purpose of openvswitch is to provide support for switching, not to
set up filter rules. This means it violates the principle of least
surprise.

Lastly, it makes your package randomly broken if the admin uses his
power to set up his own rules and replaces your gre rule.

Bastian

-- 
Another Armenia, Belgium ... the weak innocents who always seem to be
located on a natural invasion route.
                -- Kirk, "Errand of Mercy", stardate 3198.4


