On 08/06/2013 11:20 AM, John Ferlan wrote:
On 08/06/2013 09:52 AM, Stefan Berger wrote:
> Since iptables version 1.4.16 '-m state --state NEW' is converted to
> '-m conntrack --ctstate NEW'. Therefore, when this or a later version of
> iptables is encountered, emit '-m conntrack --ctstate' directly.
>
> Signed-off-by: Stefan Berger <stefanb(a)linux.vnet.ibm.com>
>
> ---
> src/nwfilter/nwfilter_ebiptables_driver.c | 50 +++++++++++++++++++++++++++++-
> 1 file changed, 49 insertions(+), 1 deletion(-)
>
> Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
> ===================================================================
> --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
> +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
> @@ -188,6 +188,9 @@ static const char ebiptables_script_set_
>
> static const char *m_state_out_str = "-m state --state
NEW,ESTABLISHED";
> static const char *m_state_in_str = "-m state --state ESTABLISHED";
> +static const char *m_state_out_str_new = "-m conntrack --ctstate
NEW,ESTABLISHED";
> +static const char *m_state_in_str_new = "-m conntrack --ctstate
ESTABLISHED";
> +
> static const char *m_physdev_in_str = "-m physdev " PHYSDEV_IN;
> static const char *m_physdev_out_str = "-m physdev " PHYSDEV_OUT;
> static const char *m_physdev_out_old_str = "-m physdev "
PHYSDEV_OUT_OLD;
> @@ -4353,6 +4356,49 @@ ebiptablesDriverProbeCtdir(void)
> iptables_ctdir_corrected = CTDIR_STATUS_OLD;
> }
>
> +static void
> +ebiptablesDriverProbeStateMatch(void)
> +{
> + virBuffer buf = VIR_BUFFER_INITIALIZER;
> + char *cmdout = NULL, *version;
> + unsigned long thisversion;
> +
> + NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
> +
> + virBufferAsprintf(&buf,
> + "$IPT --version");
> +
> + if (ebiptablesExecCLI(&buf, NULL, &cmdout) < 0) {
> + VIR_ERROR(_("Testing of iptables command failed: %s"),
> + cmdout);
> + return;
Probably should just goto cleanup since we'll need to free buf
ebiptablesExecCLI already takes care of freeing the buffer.
> + }
> +
> + /*
> + * we expect output in the format
> + * iptables v1.4.16
> + */
> + if (!(version = strchr(cmdout, 'v')) &&
> + virParseVersionString(version + 1, &thisversion, true) < 0) {
> + VIR_ERROR(_("Could not determine iptables version from string
%s"),
> + cmdout);
> + goto cleanup;
> + }
> +
> + /*
> + * since version 1.4.16 '-m state --state ...' will be converted to
> + * '-m conntrack --ctstate ...'
> + */
> + if (thisversion > 1 * 1000000 + 4 * 1000 + 16) {
> + m_state_out_str = m_state_out_str_new;
> + m_state_in_str = m_state_in_str_new;
> + }
> +
> +cleanup:
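Review bot: The version-parsing condition in ebiptablesDriverProbeStateMatch is inverted: with `&&`, a missing 'v' in the output makes the code call `virParseVersionString(NULL + 1, ...)`, and a found 'v' short-circuits the `&&` so the version is never parsed and `thisversion` is read uninitialized in the later comparison. The operator should be `||`: `if (!(version = strchr(cmdout, 'v')) ||` / `virParseVersionString(version + 1, &thisversion, true) < 0) {`. The threshold also disagrees with the commit message, which says 1.4.16 itself already converts the match, so the test should be `if (thisversion >= 1 * 1000000 + 4 * 1000 + 16) {`. Since the commit message states iptables converts the old match to the new one, a wrong choice of string is unlikely to change the installed filter rules, but an uninitialized read and a possible NULL dereference in libvirtd's firewall-setup path should not ship. The function's cleanup section after the `cleanup:` label is outside the quoted portion of the hunk, so whether `cmdout` is freed there cannot be confirmed from here.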
Need to free 'buf' too right?
Should not be needed due to the reason above.
Stefan