
22 Mar 2013, 7:53 p.m.
On 03/22/2013 02:29 PM, Laine Stump wrote:
> On 03/22/2013 08:26 AM, Stefan Berger wrote:
>> Linux netfilter at some point inverted the meaning of the '--ctdir reply'
>> and newer netfilter implementations now expect '--ctdir original'
>> instead and vice-versa.
>> We probe for this netfilter change via a UDP message over loopback and 3
>> filtering rules applied to INPUT. If the sent byte arrives, the newer
>> netfilter implementation has been detected.
> While this is an admirable piece of work :-), I'm concerned that it may
> 1) be fragile, and 2) assume too much about the system being probed, and
> end up giving incorrect results in some circumstances. But since we have
> the check in place, we would be lulled into believing that we always
> correctly know which version of --ctdir we're working with, and end up
> with a non-working system and no clear indication why.

So is the consensus now that it cannot be probed for in all cases by libvirt? What alternative do you suggest? Removal of --ctdir usage even if it was there for a reason?

Stefan