On 01/15/2013 10:11 AM, Jan Engelhardt wrote:
>
> On Tuesday 2013-01-15 06:09, Nick Edwards wrote:
>
>> WARNING: The state match is obsolete. Use conntrack instead.
>>
>> Getting these errors since upgrading to 1.4.17
>
> It is a warning, not an error. (An error would not let you use
> the command at all.)
>
>> Am I right in assuming that :
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> must now become :
>> iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
>> or does that not do the same thing?
>
> state is a redundant subset of conntrack (the latter was introduced around
> Linux 2.5.32) and shall go away.

I think removing it is a bad idea. For years and years all docs, books,
tutorials and frontends (like my own) have worked with "state".

The change seems so trivial
"s/-m state --state/-m conntrack --ctstate/g"
that it would appear keeping "state" around as an alias or
compatibility layer would require minimal effort.

Why not keep it around?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
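
The substitution discussed in this thread, as an added example that is not part of the original messages: it goes slightly beyond the quoted one-liner by also handling the negated form and the long `--match` spelling in `iptables-save` style text. The function names and the sample rules are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: rewrite the obsolete "state" match to "conntrack" in
# iptables-save style rule text. Function names are hypothetical.

# Reads rules on stdin, writes migrated rules on stdout.
# Handles "-m state" and "--match state", with or without "!" negation.
# Limitation: the same text inside a --comment string is rewritten too.
migrate_state_rules() {
    sed -E 's/(-m|--match)[[:space:]]+state[[:space:]]+(![[:space:]]+)?--state[[:space:]]+/-m conntrack \2--ctstate /g'
}

# Prints the number of lines on stdin that still load the state match,
# as a check to run on the migrated ruleset before restoring it.
count_state_matches() {
    grep -cE -e '(-m|--match)[[:space:]]+state([[:space:]]|$)' || true
}

# Constructed sample input (not taken from any real host).
SAMPLE_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --match state --state NEW -j ACCEPT
-A FORWARD -m state ! --state INVALID -j ACCEPT
-A INPUT -m state --state INVALID -j DROP'

migrated=$(printf '%s\n' "$SAMPLE_RULES" | migrate_state_rules)
printf '%s\n' "$migrated"
printf 'remaining state matches: %s\n' \
    "$(printf '%s\n' "$migrated" | count_state_matches)"
```

Review the migrated text and load it with `iptables-restore --test` before applying it to a live ruleset.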