On 03/20/2013 08:30 PM, Pablo Neira Ayuso wrote:
>
> So apparently, netfilter's behaviour was indeed reversed at some
> point, therefore libvirt stopped working properly.
> --ctdir was broken and it was fixed in patch:
In other words, the kernel folks made a silent change in ABI. Eww.
How can we reliably tell which kernels have the old behavior, and which
have the new, so that libvirt knows which sense to use?
> By looking at the changes you made:
> --A FI-vnet0 -p tcp -m tcp --sport 110 -m conntrack --ctstate
> ESTABLISHED -m conntrack --ctdir ORIGINAL -j RETURN
> +-A FI-vnet0 -p tcp -m tcp --sport 110 -m conntrack --ctstate
> ESTABLISHED -m conntrack --ctdir REPLY -j RETURN
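Review bot: the `+` line hard-codes `--ctdir REPLY` for the `--sport 110` established-reply rule, which is right only for kernels with the corrected `--ctdir` semantics; on kernels with the earlier reversed behaviour the `-` form (`--ctdir ORIGINAL`) was the one that actually matched the server-to-client traffic, so applying this unconditionally swaps which set of kernels breaks. Gate the keyword on a runtime probe of the running kernel's `--ctdir` sense rather than on how the binary was built, and note the probed result where the rule is generated so the next reader of `FI-vnet0` does not mistake either keyword for the bug.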
> The first rule looks wrong to me indeed, traffic coming in the
> original direction will initiate the connection to destination port
> TCP/110. Therefore, your change is correct.
Correct for the new kernel interpretation, but we also want to support
use of libvirt with older kernels, preferably with a runtime check so
that a binary compiled on an older kernel will still work after a kernel
upgrade.
> It's unfortunate nobody noticed this rule was incorrect so far (even
> if it was working).
It's also unfortunate that the kernel folks did a silent ABI change,
without offering any witness of which behavior is in operation.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org
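The runtime check asked for above, as an added example: this is not libvirt's code and not from the thread. It detects which way the running kernel interprets `-m conntrack --ctdir` empirically, with two counting rules on the server-to-client side of one loopback TCP connection inside a throwaway network namespace, and then emits the `--sport 110` RETURN rule from the thread in whichever sense that kernel needs. Assumed, and not stated anywhere in the message: root, iproute2 with `ip netns`, iptables with the conntrack match, and socat on the host; the chain name CTDIRPROBE, the namespace name and the port 12345 are arbitrary choices. The pure helpers (`interpret_ctdir_counters`, `ctdir_for_reply`, `reply_return_rule`) need none of that and can be exercised unprivileged.

```shell
#!/bin/sh
# Added example (not libvirt code): probe the kernel's --ctdir sense at runtime
# and emit the established-reply RETURN rule in the sense this kernel needs.
# Assumptions: root, `ip netns`, iptables with xt_conntrack, socat. The chain,
# namespace and port names below are arbitrary.

PROBE_PORT=12345      # arbitrary unprivileged port for the loopback test

# Map the two rule counters to a verdict. Both counting rules only see
# packets with --sport PROBE_PORT, i.e. server->client traffic, which is
# conntrack's *reply* direction:
#   fixed kernel:    only the "--ctdir REPLY" rule counts    -> "new"
#   reversed kernel: only the "--ctdir ORIGINAL" rule counts -> "old"
interpret_ctdir_counters() {
    orig=$1; reply=$2
    if [ "$reply" -gt 0 ] && [ "$orig" -eq 0 ]; then echo new
    elif [ "$orig" -gt 0 ] && [ "$reply" -eq 0 ]; then echo old
    else echo unknown
    fi
}

# Which --ctdir keyword selects reply-direction (server->client) traffic
# under a given kernel sense.
ctdir_for_reply() {
    case "$1" in
        new) echo REPLY ;;
        old) echo ORIGINAL ;;
        *)   echo "unknown ctdir sense: $1" >&2; return 1 ;;
    esac
}

# The rule from the thread, parameterised on chain, server port and sense.
reply_return_rule() {
    chain=$1; sport=$2; sense=$3
    dir=$(ctdir_for_reply "$sense") || return 1
    printf -- '-A %s -p tcp -m tcp --sport %s -m conntrack --ctstate ESTABLISHED -m conntrack --ctdir %s -j RETURN\n' \
        "$chain" "$sport" "$dir"
}

# Inside the namespace: install two counting rules that differ only in the
# --ctdir keyword, make one loopback connection, print "<orig> <reply>".
probe_in_ns() {
    ns=$1
    ip netns exec "$ns" ip link set lo up
    ip netns exec "$ns" iptables -N CTDIRPROBE
    ip netns exec "$ns" iptables -A OUTPUT -o lo -p tcp --sport "$PROBE_PORT" -j CTDIRPROBE
    # No -j target: these rules only count.
    ip netns exec "$ns" iptables -A CTDIRPROBE -m conntrack --ctstate ESTABLISHED -m conntrack --ctdir ORIGINAL
    ip netns exec "$ns" iptables -A CTDIRPROBE -m conntrack --ctstate ESTABLISHED -m conntrack --ctdir REPLY
    # Server sends one line to whoever connects; client connects and reads it.
    ip netns exec "$ns" sh -c "echo probe | socat -u STDIN TCP4-LISTEN:$PROBE_PORT,reuseaddr" >/dev/null 2>&1 &
    sleep 1
    ip netns exec "$ns" socat -u TCP4:127.0.0.1:"$PROBE_PORT" STDOUT >/dev/null 2>&1
    wait
    # -L -v -x -n prints the packet counter in column 1 and the match text
    # ("ctdir ORIGINAL" / "ctdir REPLY") on the same line.
    ip netns exec "$ns" iptables -L CTDIRPROBE -v -n -x |
        awk '/ctdir ORIGINAL/ {o=$1} /ctdir REPLY/ {r=$1} END {print o+0, r+0}'
}

# Privileged wrapper: create the namespace, probe, always delete it again.
probe_ctdir_sense() {
    [ "$(id -u)" -eq 0 ] || { echo "probe needs root" >&2; return 1; }
    ns=ctdirprobe$$
    ip netns add "$ns" || return 1
    counts=$(probe_in_ns "$ns")
    ip netns del "$ns"
    interpret_ctdir_counters $counts   # unquoted on purpose: two fields
}

# Only touch the kernel when explicitly asked; sourcing the file is harmless.
if [ "${1:-}" = --probe ]; then
    sense=$(probe_ctdir_sense) || exit 1
    echo "kernel --ctdir sense: $sense"
    reply_return_rule FI-vnet0 110 "$sense"
fi
```

Run as `sh ctdir_probe.sh --probe` on the target host; a result of `unknown` (both counters zero, or both non-zero) means the probe setup itself failed and no rule should be generated from it, which is the failure mode a libvirt-style caller would want to refuse rather than guess.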