On 03/27/2013 10:30 AM, Laine Stump wrote: > My opinion is that the patch we should apply should be a simple patch > that just removes use of --ctdir. According to the netfilter developer > who responded to the thread on libvirt-users, it doesn't add any extra > security not already provided by conntrack: > > https://www.redhat.com/archives/libvirt-users/2013-March/msg00121.html > https://www.redhat.com/archives/libvirt-users/2013-March/msg00128.html > > Not being an expert on netfilter internals, I can't dispute his claim. > > Does anyone else have an opinion? What filters specifically caused the use of --ctdir, and are they broken if we omit the use of --ctdir? -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list