On Monday 2012-10-08 01:17, Pablo Neira Ayuso wrote:

>The Netfilter project proudly presents:
>
>        iptables 1.4.16.1
>
>iptables -I INPUT -j ACCEPT
>says:
>iptables: No chain/target/match by that name.
>This also breaks iptables-restore, of course. Jan, you'll have to explain
>me how you have tested this.

This was tested by adding rules with different targets that had both
aliases defined and those without.

    ./iptables/xtables-multi main4 -t raw -N foo
    ./iptables/xtables-multi main4 -t raw -A foo -j NOTRACK

with kernels that had xt_CT and no xt_CT at all

    ./iptables/xtables-multi main4 -N foo
    ./iptables/xtables-multi main4 -A foo -m state --state NEW

with kernels that had xt_conntrack.3, and xt_conntrack.3 removed
(leaving only xt_conntrack.2)

    ./iptables/xtables-multi main4 -t raw -N bar
    ./iptables/xtables-multi main4 -t raw -A bar -j MARK --set-xmark 1
    ./iptables/xtables-multi main4 -t raw -A foo -j bar

plus of course the "standard" (no pun intended) testsuite that we had
so far:

    # ./iptables/xtables-multi restore6 tests/options-most.rules
    WARNING: --localtz is being replaced by --kerneltz, since "local" is ambiguous. Note the kernel timezone has caveats - see manpage for details.

As you spotted, options-most.rules did not include -j <verdict>.

While v1.4.16-1-g2aaa7ec fixes -j verdict, it breaks NOTRACK in all
instances. To reuse a line, "you'll have to explain me how you have
tested this."

A patch to what I think should fly is posted as a reply hereto.
Please give that a spin.