[libvirt] [PATCH v3] nwfilter: probe for inverted ctdir

Laine Stump laine at laine.org
Wed Mar 27 16:30:42 UTC 2013


On 03/26/2013 07:59 AM, Stefan Berger wrote:
> On 03/22/2013 04:37 PM, Stefan Berger wrote:
>> Linux netfilter at some point inverted the meaning of the '--ctdir reply'
>> and newer netfilter implementations now expect '--ctdir original'
>> instead and vice-versa.
>> We probe for this netfilter change via a UDP message over loopback and 3
>> filtering rules applied to INPUT two times, one time with '--ctdir original'
>> which should then work on 'fixed' netfilter and one other time with
>> '--ctdir reply' which should only work on the 'old' netfilter.
>> If neither one of the tests gets the data through, then the loopback device
>> is probably not configured correctly. If both tests get the data through,
>> something must be seriously wrong. In both of these two latter cases
>> no '--ctdir' will then be applied to the rules.
>
> Are you going to let 1.0.4 sail without 'something like this'?

My opinion is that the patch we should apply should be a simple patch
that just removes use of --ctdir. According to the netfilter developer
who responded to the thread on libvirt-users, it doesn't add any extra
security not already provided by conntrack:

   https://www.redhat.com/archives/libvirt-users/2013-March/msg00121.html
   https://www.redhat.com/archives/libvirt-users/2013-March/msg00128.html

Not being an expert on netfilter internals, I can't dispute his claim.

Does anyone else have an opinion?
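The probe that Stefan's quoted patch message describes, written out as an added example; this is not part of the original thread and not libvirt's own code. It sends one UDP datagram to itself over loopback twice, once behind INPUT rules that accept only '--ctdir original' and once behind rules that accept only '--ctdir reply', and maps the two outcomes onto the option nwfilter would emit (none at all when neither or both variants pass). The names probe_ctdir, decide_ctdir and PROBE_PORT, and the exact two-rule set, are assumptions; running the probe itself requires root and iptables, while decide_ctdir() needs neither.

```python
"""Probe the kernel's conntrack --ctdir semantics over loopback.

Added example (not libvirt's code). It follows the procedure described in
the quoted patch message. Names (probe_ctdir, decide_ctdir, PROBE_PORT)
and the rule set are assumptions; the probe needs root and iptables.
"""
import socket
import subprocess

PROBE_PORT = 54321          # constructed: any unused UDP port will do
PAYLOAD = b"ctdir-probe"    # constructed payload


def decide_ctdir(original_ok: bool, reply_ok: bool) -> str:
    """Map the two probe outcomes to the option nwfilter should emit.

    Exactly one variant passing identifies the kernel's semantics. If
    neither passes, loopback is probably misconfigured; if both pass,
    something is seriously wrong. In those two cases emit no --ctdir at
    all (returned here as the empty string), as the patch message says.
    """
    if original_ok and not reply_ok:
        return "original"   # 'fixed' netfilter semantics
    if reply_ok and not original_ok:
        return "reply"      # 'old' netfilter with the inverted meaning
    return ""


def _iptables(*args: str) -> None:
    subprocess.run(["iptables", *args], check=True)


def _rules(ctdir: str) -> list:
    # Assumed rule set: on loopback, accept the probe datagram only when
    # conntrack reports the given direction, otherwise drop it.
    base = ["INPUT", "-i", "lo", "-p", "udp", "--dport", str(PROBE_PORT)]
    return [
        base + ["-m", "conntrack", "--ctdir", ctdir, "-j", "ACCEPT"],
        base + ["-j", "DROP"],
    ]


def _datagram_passes(ctdir: str, timeout: float = 1.0) -> bool:
    """Install the rules, send one datagram to ourselves, remove the rules."""
    rules = _rules(ctdir)
    # Insert in reverse so the ACCEPT rule ends up above the DROP rule.
    for rule in reversed(rules):
        _iptables("-I", *rule)
    try:
        rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            rx.bind(("127.0.0.1", PROBE_PORT))
            rx.settimeout(timeout)
            tx.sendto(PAYLOAD, ("127.0.0.1", PROBE_PORT))
            try:
                data, _ = rx.recvfrom(64)
            except socket.timeout:
                return False      # the DROP rule swallowed it
            return data == PAYLOAD
        finally:
            rx.close()
            tx.close()
    finally:
        for rule in rules:
            _iptables("-D", *rule)


def probe_ctdir() -> str:
    """Run both variants and return 'original', 'reply' or '' (no option)."""
    original_ok = _datagram_passes("original")
    reply_ok = _datagram_passes("reply")
    return decide_ctdir(original_ok, reply_ok)


if __name__ == "__main__":
    print(repr(probe_ctdir()))
```

Run it as root on a host with the conntrack match available; the printed value is the --ctdir argument the probe would have nwfilter emit, and an empty string means the rules would be generated without any --ctdir, matching the fallback the quoted message describes.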
