On 03/22/2013 08:26 AM, Stefan Berger wrote:

> Linux netfilter at some point inverted the meaning of the '--ctdir reply'
> and newer netfilter implementations now expect '--ctdir original'
> instead and vice-versa.
> We probe for this netfilter change via a UDP message over loopback and 3
> filtering rules applied to INPUT. If the sent byte arrives, the newer
> netfilter implementation has been detected.

While this is an admirable piece of work :-), I'm concerned that it may 1) be fragile, and 2) assume too much about the system being probed, and end up giving incorrect results in some circumstances. But since we have the check in place, we would be lulled into believing that we always correctly know which version of --ctdir we're working with, and end up with a non-working system and no clear indication why.

It's very distressing that so little thought was apparently put into the far-reaching effects of making such an ABI change to netfilter; in my mind it really does render --ctdir more or less unusable except for very controlled cases where the same people are maintaining both netfilter/kernel and libvirt for a particular release of a particular distro.

I unfortunately also don't have any alternative to offer, other than "just don't use it" (although in this message Pablo from netfilter says that can be done with no reduction in security):

https://www.redhat.com/archives/libvirt-users/2013-March/msg00128.html

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list