rhel: Remove the firewall hole that we create for GRE.

Till now, by default, we add firewall holes for
gre traffic. There may be users that do not use GRE tunnels
and they may be surprised with this behavior. So, don't add
the firewall rules by default and update the documentation
to mention the same.

This patch does not remove the default GRE firewall rule for
xenserver because xenserver has a feature called "Cross-Host
Internal Networks" (CHIN) that uses GRE.

Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>

INSTALL.RHEL

@@ -101,6 +101,12 @@ RHEL.  On RHEL 5, the default RPM source directory is
     in this example: "kmod-openvswitch", "kmod-openvswitch-debug", and
     "kmod-openvswitch-kdump".
 
+A RHEL host has default firewall rules that prevent any Open vSwitch tunnel
+traffic from passing through. If a user configures Open vSwitch tunnels like
+GRE, VXLAN, LISP etc., they will either have to manually add iptables firewall
+rules to allow the tunnel traffic or add it through a startup script (Please
+refer to the "enable-protocol" command in the ovs-ctl(8) manpage).
+
 Red Hat Network Scripts Integration
 -----------------------------------
 

NEWS

@@ -13,7 +13,10 @@ post-v1.10.0
     - ovs-dpctl:
       * New debugging commands "add-flow", "mod-flow", "del-flow".
     - New syslog format, prefixed with "ovs|", to be easier to filter.
-
+    - RHEL: Removes the default firewall rule that allowed GRE traffic to
+      pass through. Any users that relied on this automatic firewall hole
+      will have to manually configure it. The ovs-ctl(8) manpage documents
+      the "enable-protocol" command that can be used as an alternative.
 
 v1.10.0 - xx xxx xxxx
 ---------------------

rhel/etc_init.d_openvswitch

@@ -48,8 +48,6 @@ start () {
     set "$@" $OVS_CTL_OPTS
     "$@"
 
-    ovs_ctl --protocol=gre enable-protocol
-
     touch /var/lock/subsys/openvswitch
 }