On 03/20/2013 08:30 PM, Pablo Neira Ayuso wrote:
>>
>> So apparently, netfilter's behaviour was indeed reversed at some
>> point, therefore libvirt stopped working properly.
>
> --ctdir was broken and it was fixed in patch:

In other words, the kernel folks made a silent change in ABI. Eww. How can we reliably tell which kernels have the old behavior, and which have the new, so that libvirt knows which sense to use?

> By looking at the changes you made:
>
>> --A FI-vnet0 -p tcp -m tcp --sport 110 -m conntrack --ctstate
>> ESTABLISHED -m conntrack --ctdir ORIGINAL -j RETURN
>> +-A FI-vnet0 -p tcp -m tcp --sport 110 -m conntrack --ctstate
>> ESTABLISHED -m conntrack --ctdir REPLY -j RETURN
>
> The first rule looks wrong to me indeed, traffic coming in the
> original direction will initiate the connection to destination port
> TCP/110. Therefore, your change is correct.

Correct for the new kernel interpretation, but we also want to support use of libvirt with older kernels, preferably with a runtime check so that a binary compiled on an older kernel will still work after a kernel upgrade.

>
> It's unfortunate nobody noticed this rule was incorrect so far (even
> if it was working).

It's also unfortunate that the kernel folks did a silent ABI change, without offering any witness of which behavior is in operation.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
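Review bot: replacing `--ctdir ORIGINAL` with `--ctdir REPLY` on the `--sport 110 ... --ctstate ESTABLISHED` rule hard-codes the corrected kernel semantics, so on a kernel that still has the reversed interpretation the rule matches the wrong direction and the RETURN no longer applies to the server's replies from TCP/110. Since the kernel gives no indication of which behaviour it implements, the sense of this rule should be chosen from a runtime check of the running kernel rather than fixed at build time, as the reply above asks for.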
_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users