[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH v2] nwfilter: probe for inverted ctdir



On 03/22/2013 02:29 PM, Laine Stump wrote:
> On 03/22/2013 08:26 AM, Stefan Berger wrote:
>> Linux netfilter at some point inverted the meaning of the '--ctdir reply'
>> and newer netfilter implementations now expect '--ctdir original'
>> instead and vice-versa.
>> We probe for this netfilter change via a UDP message over loopback and 3
>> filtering rules applied to INPUT. If the sent byte arrives, the newer
>> netfilter implementation has been detected.
> While this is an admirable piece of work :-), I'm concerned that it may
> 1) be fragile, and 2) assume too much about the system being probed, and
> end up giving incorrect results in some circumstances. But since we have
> the check in place, we would be lulled into believing that we always
> correctly know which version of --ctdir we're working with, and end up
> with a non-working system and no clear indication why.

So is the consensus now that it cannot be probed for in all cases by libvirt? What alternative do you suggest? Removal of --ctdir usage even if it was there for a reason?

    Stefan

