Re: [PATCH v3] nwfilter: probe for inverted ctdir

On 03/27/2013 09:09 PM, Stefan Berger wrote:
On 03/27/2013 02:01 PM, Eric Blake wrote:
On 03/27/2013 10:30 AM, Laine Stump wrote:
My opinion is that the patch we should apply should be a simple patch
that just removes use of --ctdir. According to the netfilter developer
who responded to the thread on libvirt-users, it doesn't add any extra
security not already provided by conntrack:

https://www.redhat.com/archives/libvirt-users/2013-March/msg00121.html
https://www.redhat.com/archives/libvirt-users/2013-March/msg00128.html

Not being an expert on netfilter internals, I can't dispute his claim.

Does anyone else have an opinion?
What filters specifically caused the use of --ctdir, and are they broken
if we omit the use of --ctdir?

It depends on how you write the filters that the --ctdir is being used.

iirc: The effect of the --ctdir usage is that if one has an incoming rule and an outgoing rule with the same IP address on the 'other' side, the check for an ESTABLISHED state is not enough to ACCEPT the traffic, if one was to remove one of the rules while communication in both directions was occurring and an immediate cut of the traffic in one way was expected. The effect so far was that if the rule for the incoming rule was removed it would cut the incoming traffic immediately while the traffic in the outgoing direction was uninterrupted. I think that if we remove this now the traffic in both directions will continue. I will verify tomorrow.

Verified. I have a ping running from the VM to destination 'A' and from 'A' to the VM. The --ctdir enforces the direction of the traffic and if one of the following rules is removed, the ping is immediately cut.

  <rule action='accept' direction='out' priority='500'>
    <icmp/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <icmp/>
  </rule>

The ping is not cut anymore upon removal of one of the above rules if --ctdir were to be removed entirely.

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
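As an added illustration (not libvirt code, and not the iptables rules nwfilter actually emits), the following toy model reproduces the behaviour Stefan verified above: each nwfilter rule is expanded into a forward-chain match for NEW/ESTABLISHED packets and a reverse-chain match for ESTABLISHED replies, optionally pinned with a ctdir constraint; with both pings running, the direction='in' rule is removed and the model reports which ping still passes. Hosts "vm" and "A", the ICMP ids, and the confirm-on-accept conntrack behaviour are assumptions of the model.

```python
# Added toy model (not libvirt's real nwfilter/iptables output): how an
# ESTABLISHED match behaves with and without a --ctdir constraint.
# Assumed: one VM ("vm") and one peer ("A"); ICMP echo flows tracked by endpoint
# pair plus ICMP id; entry created when a flow's first packet is accepted.
VM, PEER = "vm", "A"

def expand_rule(direction, use_ctdir):
    """One nwfilter <rule direction=...> for ICMP as per-chain matches:
    (chain, accepted conntrack states, required ctdir or None)."""
    # forward chain: NEW and ESTABLISHED packets the flow's opener sends;
    # reverse chain: only ESTABLISHED packets flowing back (replies)
    fwd, rev = ("OUT", "IN") if direction == "out" else ("IN", "OUT")
    return [(fwd, {"NEW", "ESTABLISHED"}, "ORIGINAL" if use_ctdir else None),
            (rev, {"ESTABLISHED"}, "REPLY" if use_ctdir else None)]

class Firewall:
    def __init__(self, directions, use_ctdir):
        self.directions = list(directions)  # active nwfilter rule directions
        self.use_ctdir = use_ctdir
        self.conntrack = {}  # (endpoint pair, icmp id) -> host that opened the flow

    def filter(self, src, dst, icmp_id):
        """Verdict for one ICMP echo packet src -> dst."""
        chain = "OUT" if src == VM else "IN"
        key = (frozenset((src, dst)), icmp_id)
        opener = self.conntrack.get(key)
        state = "NEW" if opener is None else "ESTABLISHED"
        ctdir = "ORIGINAL" if opener in (None, src) else "REPLY"
        for direction in self.directions:
            for rchain, states, want in expand_rule(direction, self.use_ctdir):
                if rchain == chain and state in states and want in (None, ctdir):
                    self.conntrack.setdefault(key, src)  # confirm the entry
                    return "ACCEPT"
        return "DROP"

def after_removing_in_rule(use_ctdir):
    """Run both pings, remove the direction='in' rule, report which survive:
    (peer_to_vm_still_accepted, vm_to_peer_still_accepted)."""
    fw = Firewall(["out", "in"], use_ctdir)
    # constructed traffic: VM -> A ping uses ICMP id 1, A -> VM ping uses id 2
    for src, dst, ident in [(VM, PEER, 1), (PEER, VM, 1), (PEER, VM, 2), (VM, PEER, 2)]:
        assert fw.filter(src, dst, ident) == "ACCEPT"
    fw.directions.remove("in")
    return (fw.filter(PEER, VM, 2) == "ACCEPT", fw.filter(VM, PEER, 1) == "ACCEPT")
```

With the ctdir constraint the inbound ping is cut while the VM's own ping continues; without it the ESTABLISHED leg of the surviving 'out' rule keeps accepting the peer's echo requests, so both pings continue.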