On Fri, Mar 22, 2013 at 08:26:59AM -0400, Stefan Berger wrote:
> Linux netfilter at some point inverted the meaning of the '--ctdir reply'
> and newer netfilter implementations now expect '--ctdir original'
> instead and vice-versa.
> We probe for this netfilter change via a UDP message over loopback and 3
> filtering rules applied to INPUT. If the sent byte arrives, the newer
> netfilter implementation has been detected.

I think this is really very hackish. If this test capability goes wrong
for any reason, then we're going to silently set up incorrect rules,
which would be a security flaw. I think we need a more robust detection
system for this.

Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list