On 03/22/2013 08:26 AM, Stefan Berger wrote:
> Linux netfilter at some point inverted the meaning of the '--ctdir reply'
> and newer netfilter implementations now expect '--ctdir original'
> instead and vice-versa.
>
> We probe for this netfilter change via a UDP message over loopback and 3
> filtering rules applied to INPUT. If the sent byte arrives, the newer
> netfilter implementation has been detected.
While this is an admirable piece of work :-), I'm concerned that it may
1) be fragile, and 2) assume too much about the system being probed, and
end up giving incorrect results in some circumstances. But since we have
the check in place, we would be lulled into believing that we always
correctly know which version of --ctdir we're working with, and end up
with a non-working system and no clear indication why.
It's very distressing that so little thought was apparently put into the
far-reaching effects of making such an ABI change to netfilter; in my
mind it really does render --ctdir more or less unusable except for very
controlled cases where the same people are maintaining both
netfilter/kernel and libvirt for a particular release of a particular
distro.
I unfortunately also don't have any alternative to offer, other than
"just don't use it" (although in this message Pablo from netfilter says
that can be done with no reduction in security):

https://www.redhat.com/archives/libvirt-users/2013-March/msg00128.html