
On Mon, Mar 25, 2013 at 08:39:40PM +0100, Stefan Seyfried wrote:
Hi all,
iptables-1.4.18 removed the long deprecated "state" match. Use "conntrack" instead in forwarding rules. Fixes openSUSE bug https://bugzilla.novell.com/811251 #811251.
Real patch is attached as I'm pretty sure that Thunderbird will mess it up otherwise :(
Basically it's
s/--match state/--match conntrack/
s/--state /--ctstate /
This is supported by old iptables. (tested with 1.4.14)
in src/util/viriptables.c
Best regards,
Stefan
--
Stefan Seyfried
Linux Consultant & Developer
Mail: seyfried@b1-systems.de GPG Key: 0x731B665B

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
From 1aa2736263537e7856db9820bce835c1b3c2b51a Mon Sep 17 00:00:00 2001
From: Stefan Seyfried <seife+dev@b1-systems.com>
Date: Mon, 25 Mar 2013 20:27:46 +0100
Subject: [PATCH] net: use newer iptables syntax

iptables-1.4.18 removed the long deprecated "state" match. Use "conntrack" instead in forwarding rules. Fixes openSUSE bug https://bugzilla.novell.com/811251 #811251.
---
 src/util/viriptables.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 8cfafc0..19d6161 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -480,8 +480,8 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx, "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, - "--match", "state", - "--state", "ESTABLISHED,RELATED", + "--match", "conntrack", + "--ctstate", "ESTABLISHED,RELATED", "--jump", "ACCEPT", NULL); } else { @@ -490,8 +490,8 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx, action, "--destination", networkstr, "--out-interface", iface, - "--match", "state", - "--state", "ESTABLISHED,RELATED", + "--match", "conntrack", + "--ctstate", "ESTABLISHED,RELATED", "--jump", "ACCEPT", NULL); } -- 1.8.2
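Review bot: Both hunks in iptablesForwardAllowRelatedIn (the physdev branch at -480 and the non-physdev branch at -490) switch to "--match", "conntrack" with "--ctstate" unconditionally, with no fallback to the old match, but the commit message does not say why that is safe. The cover mail notes the new syntax is accepted by older iptables (tested with 1.4.14); that sentence belongs in the commit message so the reasoning survives in git history. Since these ESTABLISHED,RELATED ACCEPT rules are what lets return traffic reach guests on the forwarded network, it is also worth stating that the conntrack match depends on the kernel's xt_conntrack module rather than xt_state, and confirming with a grep over src/util/viriptables.c that no other "--match", "state" call sites remain, because the diffstat shows only this one function was touched.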
ACK.