Hi all,
iptables-1.4.18 removed the long deprecated "state" match.
Use "conntrack" instead in forwarding rules.
Fixes openSUSE bug
https://bugzilla.novell.com/811251 #811251.
Real patch is attached as I'm pretty sure that Thunderbird will mess it
up otherwise :(
Basically it's
s/--match state/--match conntrack/
s/--state /--ctstate/
This is supported by old iptables. (tested with 1.4.14)
in src/util/viriptables.c
Best regards,
Stefan
--
Stefan Seyfried
Linux Consultant & Developer
Mail: seyfried(a)b1-systems.de GPG Key: 0x731B665B
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg /
http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
>From 1aa2736263537e7856db9820bce835c1b3c2b51a Mon Sep 17 00:00:00
2001
From: Stefan Seyfried <seife+dev(a)b1-systems.com>
Date: Mon, 25 Mar 2013 20:27:46 +0100
Subject: [PATCH] net: use newer iptables syntax
iptables-1.4.18 removed the long deprecated "state" match.
Use "conntrack" instead in forwarding rules.
Fixes openSUSE bug
https://bugzilla.novell.com/811251 #811251.
---
src/util/viriptables.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 8cfafc0..19d6161 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -480,8 +480,8 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
- "--match", "state",
- "--state",
"ESTABLISHED,RELATED",
+ "--match", "conntrack",
+ "--ctstate",
"ESTABLISHED,RELATED",
"--jump", "ACCEPT",
NULL);
} else {
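Review bot: the commit message does not say that the new "--match", "conntrack" / "--ctstate" pair in this physdev branch also works with iptables older than 1.4.18. The cover mail says it was tested with 1.4.14; that sentence belongs in the commit message itself, so that someone reading the log later can see the change is safe on hosts that have not upgraded iptables.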
@@ -490,8 +490,8 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
action,
"--destination", networkstr,
"--out-interface", iface,
- "--match", "state",
- "--state",
"ESTABLISHED,RELATED",
+ "--match", "conntrack",
+ "--ctstate",
"ESTABLISHED,RELATED",
"--jump", "ACCEPT",
NULL);
}
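Review bot: with this else branch the diffstat covers only the two rules in iptablesForwardAllowRelatedIn, so it is worth confirming that no other rule builder in the tree still passes "--match", "state". Any one left over would fail against iptables 1.4.18 in the same way these two did. Stating in the commit message that the tree was searched and these were the only users would settle it.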
--
1.8.2