Re: [PATCH v3] nwfilter: probe for inverted ctdir

On 03/26/2013 07:59 AM, Stefan Berger wrote:
> On 03/22/2013 04:37 PM, Stefan Berger wrote:
>> Linux netfilter at some point inverted the meaning of the '--ctdir reply'
>> and newer netfilter implementations now expect '--ctdir original'
>> instead and vice-versa.
>> We probe for this netfilter change via a UDP message over loopback and 3
>> filtering rules applied to INPUT two times, one time with '--ctdir original'
>> which should then work on 'fixed' netfilter and one other time with
>> '--ctdir reply' which should only work on the 'old' netfilter.
>> If neither one of the tests gets the data through, then the loopback device
>> is probably not configured correctly. If both tests get the data through
>> something must be seriously wrong. In both of these two latter cases
>> no '--ctdir' will then be applied to the rules.
>
> Are you going to let 1.0.4 sail without 'something like this'?

My opinion is that the patch we should apply should be a simple patch
that just removes use of --ctdir. According to the netfilter developer
who responded to the thread on libvirt-users, it doesn't add any extra
security not already provided by conntrack:

   https://www.redhat.com/archives/libvirt-users/2013-March/msg00121.html
   https://www.redhat.com/archives/libvirt-users/2013-March/msg00128.html

Not being an expert on netfilter internals, I can't dispute his claim.

Does anyone else have an opinion?

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
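The decision rule in the quoted patch description (run the loopback test once with '--ctdir original' and once with '--ctdir reply', use the spelling that matches the running netfilter, and emit no --ctdir at all when neither or both runs pass) is easy to get wrong in the two inconclusive cases. The following is an added example, not libvirt's own code, that isolates that decision from the iptables and socket plumbing: the probe itself is injected as a callable, so the four outcomes can be exercised without root. All names (`CtdirMode`, `decide`, `probe`, `ctdir_flag`) and the stand-in probe are constructed for this illustration.

```python
"""Decision logic for the two-run '--ctdir' probe described in the patch text.

Added example, not libvirt's code. The real probe (three INPUT rules plus a
UDP message over loopback) is assumed to be provided by the caller as
run_probe(ctdir) -> bool, returning True when the payload got through.
"""
from enum import Enum
from typing import Callable, Tuple


class CtdirMode(Enum):
    NONE = "none"          # probe inconclusive: emit no --ctdir at all
    OLD = "old"            # 'old' netfilter: '--ctdir reply' means reply
    INVERTED = "inverted"  # 'fixed' netfilter: original/reply are swapped


def decide(original_passed: bool, reply_passed: bool) -> Tuple[CtdirMode, str]:
    """Map the two probe outcomes to a mode plus a human-readable reason."""
    if original_passed and reply_passed:
        # Both runs letting data through cannot happen with a sane setup.
        return CtdirMode.NONE, "both runs passed: something is seriously wrong"
    if not original_passed and not reply_passed:
        # Neither run letting data through points at the loopback device.
        return CtdirMode.NONE, "neither run passed: loopback probably misconfigured"
    if original_passed:
        return CtdirMode.INVERTED, "'--ctdir original' passed: fixed netfilter"
    return CtdirMode.OLD, "'--ctdir reply' passed: old netfilter"


def probe(run_probe: Callable[[str], bool]) -> Tuple[CtdirMode, str]:
    """Run the injected loopback test with both spellings and decide."""
    return decide(run_probe("original"), run_probe("reply"))


def ctdir_flag(mode: CtdirMode, wanted: str) -> str:
    """Render the --ctdir option for a rule that logically wants `wanted`
    ('original' or 'reply'); empty string when the probe said not to use it.
    On inverted netfilter the spelling is swapped, as the patch text notes."""
    if wanted not in ("original", "reply"):
        raise ValueError(f"unknown ctdir {wanted!r}")
    if mode is CtdirMode.NONE:
        return ""
    if mode is CtdirMode.INVERTED:
        wanted = "reply" if wanted == "original" else "original"
    return f"--ctdir {wanted}"


# Constructed stand-in for the real probe: behaves like a 'fixed' netfilter,
# where only the '--ctdir original' run lets the UDP payload through.
def fake_fixed_netfilter(ctdir: str) -> bool:
    return ctdir == "original"


if __name__ == "__main__":
    mode, why = probe(fake_fixed_netfilter)
    print(mode.value, "-", why)
    for wanted in ("original", "reply"):
        print(f"rule wants {wanted:8} -> {ctdir_flag(mode, wanted) or '(no --ctdir)'}")
```

Wiring the real loopback test in means replacing `fake_fixed_netfilter` with a function that installs the rules, sends the UDP message and reports whether it arrived; the mapping from outcomes to emitted flags stays the same.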