On 03/26/2013 07:59 AM, Stefan Berger wrote:
> On 03/22/2013 04:37 PM, Stefan Berger wrote:
>> Linux netfilter at some point inverted the meaning of '--ctdir reply',
>> and newer netfilter implementations now expect '--ctdir original'
>> instead, and vice versa.
>> We probe for this netfilter change via a UDP message over loopback and 3
>> filtering rules applied to INPUT two times: one time with '--ctdir original',
>> which should then work on 'fixed' netfilter, and one other time with
>> '--ctdir reply', which should only work on the 'old' netfilter.
>> If neither one of the tests gets the data through, then the loopback device
>> is probably not configured correctly. If both tests get the data through,
>> something must be seriously wrong. In both of these two latter cases
>> no '--ctdir' will then be applied to the rules.
>
> Are you going to let 1.0.4 sail without 'something like this'?

My opinion is that the patch we should apply should be a simple patch that
just removes the use of --ctdir. According to the netfilter developer who
responded to the thread on libvirt-users, it doesn't add any extra security
not already provided by conntrack:

https://www.redhat.com/archives/libvirt-users/2013-March/msg00121.html
https://www.redhat.com/archives/libvirt-users/2013-March/msg00128.html

Not being an expert on netfilter internals, I can't dispute his claim.
Does anyone else have an opinion?

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
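The loopback probe that the quoted patch summary describes, written out as an added illustration (this is not libvirt's code and not the patch under discussion). It assumes: two free UDP ports on 127.0.0.1 (40001 for the sender, 40002 for the receiver), the `iptables` binary with the `conntrack` match available, and root privileges for the live probe. The three INPUT rules are my reconstruction of "3 filtering rules applied to INPUT": let the request through, accept the echoed reply only when conntrack reports it ESTABLISHED and flowing in the direction named by the `--ctdir` keyword under test, and drop everything else aimed at the sender port. The keyword that lets the echo back through is the one this kernel uses for reply-direction packets; the four possible outcomes are mapped exactly as the quoted text describes them, including the two cases where no `--ctdir` should be used at all. Only the rule builder and the outcome mapping run without privileges.

```python
"""Probe which '--ctdir' keyword the running netfilter treats as the reply direction.

Added example, not libvirt's code. One UDP request/reply over loopback, repeated
once per '--ctdir' keyword with three INPUT rules in place. Live probing needs
root and iptables; ctdir_rules() and interpret() are pure Python.
"""
import socket
import subprocess
import threading

LOOPBACK = "127.0.0.1"
SENDER_PORT = 40001          # assumed free port for the probing socket
RECEIVER_PORT = 40002        # assumed free port for the echo socket
PAYLOAD = b"ctdir-probe"     # constructed probe datagram


def ctdir_rules(ctdir, sender_port=SENDER_PORT, receiver_port=RECEIVER_PORT):
    """Three INPUT rule specs (argv after the chain name), in order:
    1. let the request to the receiver port through (creates the conntrack entry),
    2. accept the echo to the sender port only if conntrack marks it ESTABLISHED
       and flowing in direction `ctdir`,
    3. drop every other datagram to the sender port.
    If the echo reaches the sender, `ctdir` is the keyword this kernel applies
    to reply-direction packets."""
    return [
        ["-i", "lo", "-p", "udp", "--dport", str(receiver_port), "-j", "ACCEPT"],
        ["-i", "lo", "-p", "udp", "--dport", str(sender_port),
         "-m", "conntrack", "--ctstate", "ESTABLISHED", "--ctdir", ctdir, "-j", "ACCEPT"],
        ["-i", "lo", "-p", "udp", "--dport", str(sender_port), "-j", "DROP"],
    ]


def apply_rules(rules):
    # Insert at the head of INPUT in reverse so the final order matches `rules`
    # and pre-existing rules cannot shadow the probe.
    for spec in reversed(rules):
        subprocess.run(["iptables", "-I", "INPUT", "1"] + spec, check=True)


def remove_rules(rules):
    for spec in rules:
        subprocess.run(["iptables", "-D", "INPUT"] + spec, check=True)


def udp_echo_probe(timeout=1.0, sender_port=SENDER_PORT, receiver_port=RECEIVER_PORT):
    """Send one datagram sender -> receiver over loopback and echo it back.
    Returns True iff the echo (the reply-direction packet) reached the sender."""
    recv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    send = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        recv.bind((LOOPBACK, receiver_port))
        send.bind((LOOPBACK, sender_port))
        recv.settimeout(timeout)
        send.settimeout(timeout)

        def echo():
            try:
                data, peer = recv.recvfrom(1024)
                recv.sendto(data, peer)          # reply direction
            except socket.timeout:
                pass

        worker = threading.Thread(target=echo)
        worker.start()
        send.sendto(PAYLOAD, (LOOPBACK, receiver_port))   # original direction
        try:
            data, _ = send.recvfrom(1024)
            return data == PAYLOAD
        except socket.timeout:
            return False
        finally:
            worker.join()
    finally:
        recv.close()
        send.close()


def interpret(original_ok, reply_ok):
    """Map the two probe outcomes to (keyword-to-use-or-None, reason)."""
    if original_ok and not reply_ok:
        return "original", "echo passed only with '--ctdir original'"
    if reply_ok and not original_ok:
        return "reply", "echo passed only with '--ctdir reply'"
    if not original_ok and not reply_ok:
        return None, "neither probe got through: loopback probably misconfigured; not using --ctdir"
    return None, "both probes got through: something is seriously wrong; not using --ctdir"


def probe_ctdir(timeout=1.0):
    """Run the live probe (root required) once per keyword and interpret it."""
    results = {}
    for ctdir in ("original", "reply"):
        rules = ctdir_rules(ctdir)
        apply_rules(rules)
        try:
            results[ctdir] = udp_echo_probe(timeout)
        finally:
            remove_rules(rules)
    return interpret(results["original"], results["reply"])


if __name__ == "__main__":
    print(probe_ctdir())
```

Run as root; the rules are removed again in a `finally` block even when the probe times out. Note that this only settles which keyword matches the reply direction; it says nothing about whether `--ctdir` buys any filtering that a plain `--ctstate ESTABLISHED,RELATED` match does not already give, which is the question the reply above raises.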