Re: [libvirt] [PATCH v3] nwfilter: probe for inverted ctdir
On 03/27/2013 10:30 AM, Laine Stump wrote:
My opinion is that the patch we should apply should be a simple
patch
that just removes use of --ctdir. According to the netfilter developer
who responded to the thread on libvirt-users, it doesn't add any extra
security not already provided by conntrack:
https://www.redhat.com/archives/libvirt-users/2013-March/msg00121.html
https://www.redhat.com/archives/libvirt-users/2013-March/msg00128.html
Not being an expert on netfilter internals, I can't dispute his claim.
Does anyone else have an opinion?
What filters specifically caused the use of --ctdir, and are they broken
if we omit the use of --ctdir?
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
Attachments:
- signature.asc (application/pgp-signature — 621 bytes)