[libvirt] [PATCH v3] nwfilter: probe for inverted ctdir

Stefan Berger stefanb at linux.vnet.ibm.com
Thu Mar 28 11:11:01 UTC 2013


On 03/27/2013 09:09 PM, Stefan Berger wrote:
> On 03/27/2013 02:01 PM, Eric Blake wrote:
>> On 03/27/2013 10:30 AM, Laine Stump wrote:
>>> My opinion is that the patch we should apply should be a simple patch
>>> that just removes use of --ctdir. According to the netfilter developer
>>> who responded to the thread on libvirt-users, it doesn't add any extra
>>> security not already provided by conntrack:
>>>
>>> https://www.redhat.com/archives/libvirt-users/2013-March/msg00121.html
>>> https://www.redhat.com/archives/libvirt-users/2013-March/msg00128.html
>>>
>>> Not being an expert on netfilter internals, I can't dispute his claim.
>>>
>>> Does anyone else have an opinion?
>> What filters specifically caused the use of --ctdir, and are they broken
>> if we omit the use of --ctdir?
>
> It depends on how you write the filters whether the --ctdir is being used.
>
> iirc: The effect of the --ctdir usage is that if one has an incoming 
> rule and an outgoing rule with the same IP address on the 'other' 
> side the check for an ESTABLISHED state is not enough to ACCEPT the 
> traffic, if one were to remove one of the rules while communication in 
> both directions was occurring and an immediate cut of the traffic in 
> one way was expected. The effect so far was that if the incoming 
> rule was removed it would cut the incoming traffic 
> immediately while the traffic in outgoing direction was uninterrupted. 
> I think that if we remove this now the traffic in both directions will 
> continue. I will verify tomorrow.

Verified. I have a ping running from the VM to destination 'A' and from 
'A' to the VM. The --ctdir enforces the direction of the traffic and if 
one of the following rules is removed, the ping is immediately cut.

   <rule action='accept' direction='out' priority='500'>
     <icmp/>
   </rule>
   <rule action='accept' direction='in' priority='500'>
     <icmp/>
   </rule>

The ping is not cut anymore upon removal of one of the above rules if 
--ctdir were to be removed entirely.
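The behaviour verified above can be reproduced with a small model of conntrack state tracking. The following is an added illustration, not libvirt's nwfilter code and not the iptables rules it generates: it assumes constructed addresses for the VM and host 'A', uses a per-connection id in place of the ICMP echo id that keys a conntrack entry, and expands each nwfilter <rule direction=...> into an initiating clause (NEW,ESTABLISHED) and a return clause (ESTABLISHED), optionally constrained by ctdir ORIGINAL/REPLY. With the constraint, removing the 'in' rule cuts the ping that 'A' started; without it, ESTABLISHED alone keeps both pings flowing.

```python
# Toy model of netfilter conntrack direction matching (added illustration,
# not libvirt code). Addresses and connection ids below are constructed.
from dataclasses import dataclass

ORIGINAL, REPLY = "ORIGINAL", "REPLY"
VM, A = "10.0.0.2", "10.0.0.1"   # constructed: the guest and destination 'A'


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    conn_id: int   # stands in for the ICMP echo id that keys a conntrack entry


class Conntrack:
    """Remembers the original direction of each connection, as conntrack does."""

    def __init__(self):
        self.original = {}   # conn_id -> (src, dst) of the first packet seen

    def lookup(self, pkt):
        """Return (state, ctdir). A packet of an unknown connection is NEW and,
        once its entry is created, travels in the ORIGINAL direction."""
        orig = self.original.get(pkt.conn_id)
        if orig is None:
            return "NEW", ORIGINAL
        return "ESTABLISHED", ORIGINAL if orig == (pkt.src, pkt.dst) else REPLY

    def record(self, pkt):
        self.original.setdefault(pkt.conn_id, (pkt.src, pkt.dst))


def rule_clauses(direction, use_ctdir):
    """Expand a <rule direction='in'|'out'> into two match clauses:
    (src, dst), accepted conntrack states, required ctdir (None = no --ctdir)."""
    if direction == "out":
        fwd, ret = (VM, A), (A, VM)
    else:
        fwd, ret = (A, VM), (VM, A)
    return [
        (fwd, {"NEW", "ESTABLISHED"}, ORIGINAL if use_ctdir else None),
        (ret, {"ESTABLISHED"}, REPLY if use_ctdir else None),
    ]


def accepted(pkt, rules, ct, use_ctdir):
    """First matching clause accepts the packet; no match means it is dropped."""
    state, ctdir = ct.lookup(pkt)
    for direction in rules:
        for (src, dst), states, want_ctdir in rule_clauses(direction, use_ctdir):
            if (pkt.src, pkt.dst) != (src, dst) or state not in states:
                continue
            if want_ctdir is not None and ctdir != want_ctdir:
                continue
            ct.record(pkt)
            return True
    return False


def simulate(use_ctdir):
    """Run both pings with 'out' and 'in' rules present, remove the 'in' rule,
    and report which ping still passes in both directions."""
    ct = Conntrack()
    rules = ["out", "in"]
    vm_ping = [Packet(VM, A, 1), Packet(A, VM, 1)]   # VM-initiated request, reply
    a_ping = [Packet(A, VM, 2), Packet(VM, A, 2)]    # 'A'-initiated request, reply
    for p in vm_ping + a_ping:
        assert accepted(p, rules, ct, use_ctdir)   # everything flows with both rules
    rules.remove("in")
    return {
        "vm_to_a": all(accepted(p, rules, ct, use_ctdir) for p in vm_ping),
        "a_to_vm": all(accepted(p, rules, ct, use_ctdir) for p in a_ping),
    }


if __name__ == "__main__":
    print("with --ctdir:   ", simulate(True))
    print("without --ctdir:", simulate(False))
```

The model deliberately keys connections by an id rather than by the address pair alone, because the two pings share the same two endpoints and would otherwise collapse into one conntrack entry; that separation is what makes the direction check observable.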
