On 15.01.2013 11:06, Jozsef Kadlecsik wrote:
> On Tue, 15 Jan 2013, Victor Julien wrote:
>> On 01/15/2013 10:11 AM, Jan Engelhardt wrote:
>>> On Tuesday 2013-01-15 06:09, Nick Edwards wrote:
>>>> WARNING: The state match is obsolete. Use conntrack instead.
>>>>
>>>> Getting these errors since upgrading to 1.4.17
>>>
>>> It is a warning, not an error. (An error would not let you use
>>> the command at all.)
>>>
>>>> Am I right in assuming that :
>>>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>> must now become :
>>>> iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
>>>> or does that not do the same thing?
>>>
>>> state is a redundant subset of conntrack (the latter was introduced around
>>> Linux 2.5.32) and shall go away.
>>
>> I think removing it is a bad idea. For years and years all docs, books,
>> tutorials and frontends (like my own) have worked with "state". The
>> change seems so trivial "s/-m state --state/-m conntrack --ctstate/g"
>> that it would appear keeping "state" around as an alias or compatibility
>> layer would require minimal effort. Why not keep it around?
>
> Actually, I have to agree. Why don't we keep "state" as an alias and
> accept the old syntax in "conntrack"?
>
> What's the compelling reason to break countless scripts?

Yes please, bump +1

I never understood why 'state' wasn't simply extended.

Not doing a smooth transition is just very unfriendly to users, for
actually no good reason.
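
The substitution quoted in the thread above, written out as a filter over iptables-save style text. This is an added example, not part of the original messages or of the iptables project; the function names and the sample ruleset are constructed for illustration, and it goes slightly beyond the quoted one-liner by also handling the `--match` long form and the `! --state` negation while leaving comment lines alone.

```shell
#!/bin/sh
# Added example (not from the thread): migrate "-m state --state" rules.

# Constructed sample in iptables-save style; the comment line must survive as-is.
SAMPLE_RULES='# old ruleset: -m state --state is kept in comments
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state ! --state INVALID -j ACCEPT
-A FORWARD -p tcp --match state --state NEW --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT'

# Hypothetical helper: stdin -> stdout filter.
# Rewrites only a "state" match immediately followed by its --state option
# (optionally negated with "!"), and skips comment lines entirely.
migrate_state_rules() {
    sed -E \
        -e '/^[[:space:]]*#/b' \
        -e 's/(^|[[:space:]])(-m|--match)[[:space:]]+state([[:space:]]+(![[:space:]]+)?)--state([[:space:]])/\1\2 conntrack\3--ctstate\5/g'
}

# Hypothetical helper: number of non-comment lines still loading the state match.
count_legacy_state() {
    grep -vE '^[[:space:]]*#' |
        grep -cE '(^|[[:space:]])(-m|--match)[[:space:]]+state[[:space:]]' || true
}

# Show the migrated ruleset, then how many legacy rules remain (expected 0).
printf '%s\n' "$SAMPLE_RULES" | migrate_state_rules
printf '%s\n' "$SAMPLE_RULES" | migrate_state_rules | count_legacy_state
```

Running the counter over a saved ruleset before and after migration gives a quick check that no rule still depends on the obsolete match.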