Avoid inserting duplicate iptables rules when restarting vswitch.

Avoid inserting duplicate iptables rules when restarting vswitch.

On startup, some OVS initscripts insert an iptables rule to allow GRE
traffic (because GRE support is an important OVS feature).  I noticed that,
each time I restarted OVS, this added another GRE-related rule to the
iptables chain.  This is wasteful, because each additional rule increases
the time it takes to process a packet in the IP stack.

This commit avoids the problem by inserting an iptables rule when there
isn't already an appropriate rule.  It also avoids inserting an iptables
rule if the iptables policy is ACCEPT, meaning that packets are accepted
by default; in such a case, if the GRE packet would be dropped, it is
because the system administrator made that decision explicitly.

Signed-off-by: Ben Pfaff <blp@nicira.com>