
On 03/20/2013 08:30 PM, Pablo Neira Ayuso wrote:
> So apparently, netfilter's behaviour was indeed reversed at some point; therefore, libvirt stopped working properly.
> --ctdir was broken and it was fixed in patch:
In other words, the kernel folks made a silent change in ABI. Eww. How can we reliably tell which kernels have the old behavior, and which have the new, so that libvirt knows which sense to use?
> By looking at the changes you made:
--A FI-vnet0 -p tcp -m tcp --sport 110 -m conntrack --ctstate ESTABLISHED -m conntrack --ctdir ORIGINAL -j RETURN +-A FI-vnet0 -p tcp -m tcp --sport 110 -m conntrack --ctstate ESTABLISHED -m conntrack --ctdir REPLY -j RETURN
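Review bot: the switch from `--ctdir ORIGINAL` to `--ctdir REPLY` on the `--sport 110 ... --ctstate ESTABLISHED` rule hard-codes one kernel's reading of the direction flag, and the thread states that reading was reversed at some point; a comment on the rule (or in the code that generates it) recording which kernel behaviour it assumes would spare the next person debugging a host whose kernel still applies the previous sense. The packets this rule matches carry the server port as source, so under the current interpretation REPLY is the consistent direction.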
> The first rule looks wrong to me indeed: traffic coming in the original direction will initiate the connection to destination port TCP/110. Therefore, your change is correct.
Correct for the new kernel interpretation, but we also want to support use of libvirt with older kernels, preferably with a runtime check so that a binary compiled on an older kernel will still work after a kernel upgrade.
> It's unfortunate nobody noticed this rule was incorrect so far (even if it was working).
It's also unfortunate that the kernel folks did a silent ABI change, without offering any witness of which behavior is in operation.

--
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
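A small lint for the kind of mistake discussed in this thread, added here as an example (not libvirt code and not from either poster): it reads iptables-save style rules and flags ESTABLISHED rules whose `--ctdir` contradicts the port they match, using the interpretation Pablo describes (the ORIGINAL direction is the packet that opened the connection toward the server port, so a packet whose source port is the server port is a REPLY). The sample rules are the two lines from the hunk plus one constructed `--dport` case; the heuristic assumes the matched port is the server's port.

```python
import shlex

# Constructed sample input: the pre-fix and post-fix rules from the thread,
# plus one made-up --dport rule with the direction flag backwards.
SAMPLE_RULES = [
    "-A FI-vnet0 -p tcp -m tcp --sport 110 -m conntrack --ctstate ESTABLISHED -m conntrack --ctdir ORIGINAL -j RETURN",
    "-A FI-vnet0 -p tcp -m tcp --sport 110 -m conntrack --ctstate ESTABLISHED -m conntrack --ctdir REPLY -j RETURN",
    "-A FO-vnet0 -p tcp -m tcp --dport 22 -m conntrack --ctstate ESTABLISHED,RELATED -m conntrack --ctdir REPLY -j ACCEPT",
]

def parse_rule(rule):
    """Collect the port, ctstate and ctdir options from one iptables rule line."""
    toks = shlex.split(rule)
    opts = {}
    for i, tok in enumerate(toks):
        if tok in ("--sport", "--dport", "--ctstate", "--ctdir") and i + 1 < len(toks):
            opts[tok] = toks[i + 1]
    return opts

def expected_ctdir(opts):
    """Direction an ESTABLISHED rule should name for the port it matches.

    Heuristic (assumption): the matched port is the server's port, so
    --sport <port> sees server-to-client packets (REPLY) and
    --dport <port> sees client-to-server packets (ORIGINAL).
    Rules that match both ports, or no port, are not judged.
    """
    if "ESTABLISHED" not in opts.get("--ctstate", "").split(","):
        return None
    if "--sport" in opts and "--dport" not in opts:
        return "REPLY"
    if "--dport" in opts and "--sport" not in opts:
        return "ORIGINAL"
    return None

def check_rule(rule):
    """Return None when the rule's --ctdir is consistent, else a short diagnosis."""
    opts = parse_rule(rule)
    want = expected_ctdir(opts)
    have = opts.get("--ctdir")
    if want is None or have is None or have == want:
        return None
    return "--ctdir %s but ESTABLISHED packets matching this port travel %s" % (have, want)

def check_rules(rules):
    """Return (rule, diagnosis) pairs for every inconsistent rule."""
    findings = []
    for rule in rules:
        msg = check_rule(rule)
        if msg is not None:
            findings.append((rule, msg))
    return findings
```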