The new/rebased version of netcf in this release of RHEL has 3 main purposes:
1) Pull in patches already carried against RHEL for netcf to simplify maintenance.
2) Lock down the version of gnulib used for building, so that a build of the netcf srpm from source will be guaranteed to be using *exactly* the same source as is used for the officially distributed RHEL binary of netcf.
3) Remove the code in netcf that examines the iptables configuration and optionally adds a rule to bypass filtering on bridge devices. This was deemed appropriate for 3 reasons:
a) The additional iptables rule:
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
is only necessary if the kernel tunable net.bridge.bridge-nf-call-iptables is set to 1, but the default for that tunable is 0 (i.e. the extra rule isn't needed), and if someone has changed the tunable, they surely did it for a purpose, and netcf unceremoniously adding the rule will defeat that purpose.
b) Adding rules to the firewall is a policy decision, which is beyond the scope of what netcf should do.
c) The code in netcf that read the iptables config was prone to error, and the majority of cases where netcf was unable to properly initialize were caused by the failure of this code; removing it makes netcf more reliable.
A user who has not modified the default setting of net.bridge.bridge-nf-call-iptables will not see any operational change when running ncftool, or libvirt/virt-manager (the only current consumers of netcf). Similarly, users who *have* changed net.bridge.bridge-nf-call-iptables to 1, but have previously run ncftool or libvirt at least once, will not see any operational change either, as the extra iptables rule will have already been added (and once there, it persists across system reboots).
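To check which of the three situations above a host is in after the upgrade, the following audit helper (an added example, not part of netcf or RHEL) classifies bridged traffic handling from the tunable's value and an `iptables -S FORWARD` listing; the function names and the "not-filtered"/"bypass-rule"/"filtered" labels are this example's own.

```shell
#!/bin/sh
# Added audit helper, not netcf code. Classifies how bridged frames meet the
# FORWARD chain from two inputs so it can also be run offline on saved data:
#   $1 - value of net.bridge.bridge-nf-call-iptables (0 or 1)
#   $2 - output of `iptables -S FORWARD`, one rule per line
# Prints exactly one of: not-filtered, bypass-rule, filtered
classify_bridge_filtering() {
    tunable=$1
    rules=$2
    if [ "$tunable" != "1" ]; then
        # The kernel never hands bridged frames to iptables, so the
        # physdev ACCEPT rule is irrelevant (the RHEL default).
        echo "not-filtered"
        return 0
    fi
    # Tunable is 1: look for the rule netcf used to add. Match on its
    # distinguishing tokens rather than the exact string, since other
    # match options may have been inserted between them.
    if printf '%s\n' "$rules" | grep -q -- '-A FORWARD .*--physdev-is-bridged .*-j ACCEPT'; then
        # Rule present (e.g. left behind by an earlier ncftool/libvirt run):
        # bridged frames bypass the rest of the FORWARD chain.
        echo "bypass-rule"
    else
        # No bypass rule: bridged frames are subject to the FORWARD policy.
        echo "filtered"
    fi
}

# Read the live values. Needs root for iptables; returns 1 when the bridge
# netfilter sysctl is absent (br_netfilter not loaded), which means bridged
# frames are not being passed to iptables at all.
audit_live_system() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] || { echo "bridge netfilter sysctl not present ($f)" >&2; return 1; }
    classify_bridge_filtering "$(cat "$f")" "$(iptables -S FORWARD 2>/dev/null)"
}
```

Run `audit_live_system` on a host; "filtered" with a restrictive FORWARD policy is the case where guest bridged traffic may now be dropped, which previously was masked by the rule netcf added.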