Debian Bug#718810 reports a problem with the state match across iptables versions.

The following rules were created with the same states using 1.4.14. The state information on the state match does not show with 1.4.19.1's iptables-save or "iptables -L". The conntrack match's ctstate works as expected with the upgrade.

# Generated by iptables-save v1.4.19.1 on Tue Aug 6 18:15:36 2013
*filter
:INPUT ACCEPT [270:16468]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [197:23360]
-A INPUT -m state
-A INPUT -m conntrack --ctstate INVALID,NEW,RELATED,ESTABLISHED
COMMIT
# Completed on Tue Aug 6 18:15:36 2013

# Generated by iptables-save v1.4.14 on Tue Aug 6 18:16:43 2013
*filter
:INPUT ACCEPT [535:33200]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [384:42988]
-A INPUT -m state --state INVALID,NEW,RELATED,ESTABLISHED
-A INPUT -m conntrack --ctstate INVALID,NEW,RELATED,ESTABLISHED
COMMIT
# Completed on Tue Aug 6 18:16:43 2013

It seems to work fine the other way around, with 1.4.19.1 creating the rules.
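A check for the symptom in this report, as an added example that is not part of the original message: it reads iptables-save output and lists every "-m state" rule whose --state list is missing, so a dump can be checked before it is kept as a backup or audited. The function and variable names are made up for this example, and the two sample dumps are shortened from the ones in the report.

```shell
#!/bin/sh
# Added example (not from the original message).
# Reads iptables-save output on stdin, prints "table:line:rule" for each
# "-m state" rule that has no "--state <list>" after it.
# Returns 1 if at least one such rule was found, 0 otherwise.
find_incomplete_state_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }       # "*filter" opens a table
        /^-A / {
            for (i = 1; i < NF; i++) {
                if ($i != "-m" || $(i + 1) != "state") continue
                j = i + 2
                if ($j == "!") j++                   # negated form: ! --state
                if ($j != "--state" || $(j + 1) == "") {
                    printf "%s:%d:%s\n", table, NR, $0
                    bad = 1
                    break
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Sample dumps shortened from the report: same rules, saved by each version.
DUMP_1_4_19_1='*filter
:INPUT ACCEPT [270:16468]
-A INPUT -m state
-A INPUT -m conntrack --ctstate INVALID,NEW,RELATED,ESTABLISHED
COMMIT'

DUMP_1_4_14='*filter
:INPUT ACCEPT [535:33200]
-A INPUT -m state --state INVALID,NEW,RELATED,ESTABLISHED
-A INPUT -m conntrack --ctstate INVALID,NEW,RELATED,ESTABLISHED
COMMIT'

# Demo on the 1.4.19.1 dump; on a live host: iptables-save | find_incomplete_state_rules
printf '%s\n' "$DUMP_1_4_19_1" | find_incomplete_state_rules ||
    echo "state rules without a --state list found"
```

The conntrack rule is not flagged in either dump, which matches the report that --ctstate is saved correctly by both versions.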