https://bugzilla.redhat.com/show_bug.cgi?id=752254 points out that libvirt cannot support nwfilter on a system with /tmp mounted noexec (which is a very common setup in security-conscious setups), all because we were trying to directly invoke a temporary script instead of invoking a shell to read the script.

I've split this patch into 2 parts, on the off-chance that patch 2 would run afoul of command line length limits (if the total size of the generated nwfilter commands could possibly cause E2BIG, then we have to go through a temporary file). But my recollection is that modern Linux kernels support unlimited command-line length (that is, ARG_MAX is not a concern on Linux), and that nwfilter_ebiptables_driver only compiles on Linux, so my preference would be to squash these into a single commit, if others agree that we don't have to worry about length limits.

At any rate, I'm quite impressed at the number of lines of code I was able to remove in order to fix a bug!

Eric Blake (2):
  nwfilter: avoid failure with noexec /tmp
  nwfilter: simplify execution of ebiptables scripts

 src/nwfilter/nwfilter_ebiptables_driver.c | 134 ++--------------------------
 1 files changed, 10 insertions(+), 124 deletions(-)

-- 
1.7.4.4

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
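The pattern the cover letter describes, as an added illustration that is not part of the patch series or of libvirt's code: the generated commands are handed to `/bin/sh` either inline (`sh -c`) or through a temporary file that the shell merely reads (`sh FILE`). In the second variant the file is never marked executable and never exec'd directly, so a `noexec` mount of /tmp has no effect (an `execve()` of the file itself would fail with `EACCES` there). The `run_script()` selector that compares the script length against `sysconf(_SC_ARG_MAX)` is a generic defensive check added here, not a position on the length-limit question the author raises; the temp-file template, the sample script and the `/bin/sh` path are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork, exec the given argv, and return the child's exit status (0..255),
 * or -1 on fork/wait failure or abnormal termination. Shared by both variants. */
static int run_and_wait(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);                 /* exec failed; 127 mirrors the shell's convention */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Variant 1: the command text is short enough to pass on the command line.
 * The shell is the executable; no temporary file is involved at all. */
int run_script_inline(const char *script)
{
    char *argv[] = { "/bin/sh", "-c", (char *)script, NULL };
    return run_and_wait(argv);
}

/* Variant 2: write the script to a temp file and run "/bin/sh FILE".
 * sh only reads the file (mode 0600 from mkstemp, never chmod +x), so a
 * noexec /tmp is irrelevant; exec'ing the file directly would fail with EACCES. */
int run_script_via_tmpfile(const char *script)
{
    char path[] = "/tmp/nwfilter-example-XXXXXX";   /* constructed template */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;

    size_t len = strlen(script);
    ssize_t n = write(fd, script, len);
    close(fd);
    if (n < 0 || (size_t)n != len) {
        unlink(path);
        return -1;
    }

    char *argv[] = { "/bin/sh", path, NULL };
    int rc = run_and_wait(argv);
    unlink(path);                                    /* always remove the temp file */
    return rc;
}

/* Selector: go inline while the text is comfortably below the system's
 * argument-size limit, otherwise fall back to the temp-file route so that a
 * large generated script cannot produce E2BIG. The /4 margin is arbitrary. */
int run_script(const char *script)
{
    long arg_max = sysconf(_SC_ARG_MAX);
    size_t limit = arg_max > 0 ? (size_t)arg_max / 4 : 4096;
    return strlen(script) < limit ? run_script_inline(script)
                                  : run_script_via_tmpfile(script);
}

int main(void)
{
    const char *script = "x=5\nexit $((x + 2))\n";  /* constructed sample script */
    printf("inline:  %d\n", run_script_inline(script));
    printf("tmpfile: %d\n", run_script_via_tmpfile(script));
    printf("auto:    %d\n", run_script(script));
    return 0;
}
```

Both variants return the script's own exit status, which is what a caller needs to report an ebtables/iptables failure; the only behavioural difference between them is whether the kernel ever sees the script as something to execute.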