On 03/25/2013 09:24 PM, Hu Tao wrote:
> On Mon, Mar 25, 2013 at 08:39:40PM +0100, Stefan Seyfried wrote:
>> Hi all,
>>
>> iptables-1.4.18 removed the long deprecated "state" match.
>> Use "conntrack" instead in forwarding rules.
>> Fixes openSUSE bug https://bugzilla.novell.com/811251 #811251.
>>
>> real patch is attached as I'm pretty sure that thunderbird will mess it
>> up otherwise :(
>>
>> Basically it's
>>
>> s/--match state/--match conntrack/
>> s/--state /--ctstate/
>
> This is supported by old iptables. (tested with 1.4.14)

The real question is RHEL 5, which shipped with iptables 1.3.5. But there, I see this in the man page:

   conntrack
       This module, when combined with connection tracking, allows access to
       more connection tracking information than the "state" match. (this
       module is present only if iptables was compiled under a kernel
       supporting this feature)

       --ctstate state
              Where state is a comma separated list of the connection states
              to match. Possible states are INVALID meaning that the packet
              is associated with no known connection, ESTABLISHED meaning
              that the packet is associated with a connection which has seen
              packets in both directions, NEW meaning that the packet has
              started a new connection, or otherwise associated with a
              connection which has not seen packets in both directions, and
              RELATED meaning that the packet is starting a new connection,
              but is associated with an existing connection, such as an FTP
              data transfer, or an ICMP error. SNAT A virtual state, matching
              if the original source address differs from the reply
              destination. DNAT A virtual state, matching if the original
              destination differs from the reply source.

   state
       This module, when combined with connection tracking, allows access to
       the connection tracking state for this packet.

       --state state
              Where state is a comma separated list of the connection states
              to match. Possible states are INVALID meaning that the packet
              could not be identified for some reason which includes running
              out of memory and ICMP errors which don't correspond to any
              known connection, ESTABLISHED meaning that the packet is
              associated with a connection which has seen packets in both
              directions, NEW meaning that the packet has started a new
              connection, or otherwise associated with a connection which
              has not seen packets in both directions, and RELATED meaning
              that the packet is starting a new connection, but is associated
              with an existing connection, such as an FTP data transfer, or
              an ICMP error.

>> @@ -490,8 +490,8 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
>>                            action,
>>                            "--destination", networkstr,
>>                            "--out-interface", iface,
>> -                          "--match", "state",
>> -                          "--state", "ESTABLISHED,RELATED",
>> +                          "--match", "conntrack",
>> +                          "--ctstate", "ESTABLISHED,RELATED",
>>                            "--jump", "ACCEPT",
>>                            NULL);
>>  }
>> --
>> 1.8.2
>>
>
> ACK.

So I agree with this assessment, and I have pushed the patch. (And here's hoping --ctstate doesn't have the same problems as --ctdir at being unreliable across kernel versions - maybe you have an opinion there as well? https://www.redhat.com/archives/libvir-list/2013-March/msg01558.html).

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
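Review bot: the swap in the `-`/`+` lines of the iptablesForwardAllowRelatedIn hunk (`"--match", "state"` / `"--state", ...` to `"--match", "conntrack"` / `"--ctstate", "ESTABLISHED,RELATED"`) keeps the same state list, but per the man page quoted in the reply the conntrack module is only present when iptables was compiled under a kernel that supports it, a caveat the state match it replaces did not carry. If RHEL 5's iptables 1.3.5 is still a supported target, the commit message should state the new minimum iptables/kernel requirement explicitly, or the rule emission should keep `--match state` as a fallback where `conntrack` is unavailable, so that a forwarding rule is not silently left out. Since the commit message describes the change as a global `s/--match state/--match conntrack/` and `s/--state /--ctstate/`, every other `--match state` site in the file needs the same treatment as this one hunk shows.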