[libvirt] [PATCH v2] nwfilter: probe for inverted ctdir

Stefan Berger stefanb at linux.vnet.ibm.com
Fri Mar 22 18:53:17 UTC 2013


On 03/22/2013 02:29 PM, Laine Stump wrote:
> On 03/22/2013 08:26 AM, Stefan Berger wrote:
>> Linux netfilter at some point inverted the meaning of the '--ctdir reply'
>> and newer netfilter implementations now expect '--ctdir original'
>> instead and vice-versa.
>> We probe for this netfilter change via a UDP message over loopback and 3
>> filtering rules applied to INPUT. If the sent byte arrives, the newer
>> netfilter implementation has been detected.
> While this is an admirable piece of work :-), I'm concerned that it may
> 1) be fragile, and 2) assume too much about the system being probed, and
> end up giving incorrect results in some circumstances. But since we have
> the check in place, we would be lulled into believing that we always
> correctly know which version of --ctdir we're working with, and end up
> with a non-working system and no clear indication why.

So is the consensus now that it cannot be probed for in all cases by 
libvirt? What alternative do you suggest? Removal of --ctdir usage even 
if it was there for a reason?

     Stefan
