
On 03/21/2013 04:04 PM, Stefan Berger wrote:
> Linux netfilter at some point inverted the meaning of the '--ctdir reply' and newer netfilter implementations now expect '--ctdir original' instread and vice-versa.
s/instread/instead/
> We probe for this netfilter change via a UDP message over loopback and 3 filtering rules applied to INPUT. If the sent byte arrives, the newer netfilter implementation has been detected.
>
> Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
> ---
>  src/nwfilter/nwfilter_ebiptables_driver.c | 123 ++++++++++++++++++++++++++++++
>  1 file changed, 123 insertions(+)
+/* + * --ctdir original vs. reply's meaning was inverted in the netfilter + * at some point. We probe for it. + */ +static bool iptables_ctdir_corrected = false;
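Review bot: the explicit initializer on `static bool iptables_ctdir_corrected = false;` is redundant, since static storage is already zero-initialized; the comment above it would be more useful if it recorded which netfilter or iptables release flipped the meaning of `--ctdir original`/`reply`, because "at some point" gives a later maintainer nothing to check the probe against.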
C guarantees that this is initialized to false without having to explicitly state that.

Looks big, but it's a one-time probe done at initialization, and seems like it does the trick. You may want to wait for a review from Laine, but I didn't spot anything else wrong.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org