Re: [libvirt] [PATCH v2] nwfilter: probe for inverted ctdir
On Fri, Mar 22, 2013 at 08:26:59AM -0400, Stefan Berger wrote:
Linux netfilter at some point inverted the meaning of the
'--ctdir reply'
and newer netfilter implementations now expect '--ctdir original'
instead and vice-versa.
We probe for this netfilter change via a UDP message over loopback and 3
filtering rules applied to INPUT. If the sent byte arrives, the newer
netfilter implementation has been detected.
I think this is really very hackish. If this test capability goes
wrong for any reason, then we're going to silently setting up
incorrect rules, which would be a security flaw. I think we need
a more robust detection system for this.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|