Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

On Sat, 12 Dec 2015, Remzi AKYÜZ wrote:

> "-m state" cannot be used without a protocol. Therefore we must use it with
> -p tcp.

Why should the "state" match be used with protocol? It was never required, 
nowhere described and the match always worked without any other parameters 
in the rule.

Best regards,
Jozsef

> If we have a lot of rules, we can use additional parameters, such as:
> 
> iptables -A INPUT -p tcp --dport 22 -s 1.2.3.4 -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> Maybe this is better:
> 
> iptables -A INPUT -p tcp --dport 22 -s 1.2.3.4 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> 
> What you need, iptables gives it to you. :-)
> 
> On 12-12-2015 at 12:18, Jozsef Kadlecsik wrote:
> > On Sat, 12 Dec 2015, Remzi AKYÜZ wrote:
> >
> >> Please use with -p tcp
> >>
> >> iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
> > That's not a solution at all, this can break a huge number of 
> > configurations.
> >
> > Best regards,
> > Jozsef 
> >
> >> On 12-12-2015 at 05:38, Dâniel Fraga wrote:
> >>> 	After upgrading the kernel from 4.3.0 to 4.3.1 (with the same
> >>> configuration), -m state doesn't work anymore.
> >>>
> >>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >>>
> >>> 	returns:
> >>>
> >>> iptables: Protocol wrong type for socket.
> >>>
> >>> 	I'm using iptables v1.4.21.
> >>>
> >>> 	Any hints?
> >>>
> >> --
> >> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> >> the body of a message to majordomo@xxxxxxxxxxxxxxx
> >> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >>
> > -
> > E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
> > PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> > Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
> >           H-1525 Budapest 114, POB. 49, Hungary

-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
