On 03/25/2013 09:24 PM, Hu Tao wrote:
On Mon, Mar 25, 2013 at 08:39:40PM +0100, Stefan Seyfried wrote:
> Hi all,
>
> iptables-1.4.18 removed the long deprecated "state" match.
> Use "conntrack" instead in forwarding rules.
> Fixes openSUSE bug #811251 (https://bugzilla.novell.com/811251).
>
> real patch is attached as I'm pretty sure that thunderbird will mess it
> up otherwise :(
>
> Basically it's
>
> s/--match state/--match conntrack/
> s/--state /--ctstate/
This is supported by old iptables. (tested with 1.4.14)
The real question is RHEL 5, which shipped with iptables 1.3.5. But
there, I see this in the man page:
    conntrack
        This module, when combined with connection tracking, allows access to
        more connection tracking information than the "state" match. (this
        module is present only if iptables was compiled under a kernel
        supporting this feature)

        --ctstate state
            Where state is a comma separated list of the connection states to
            match. Possible states are INVALID meaning that the packet is
            associated with no known connection, ESTABLISHED meaning that the
            packet is associated with a connection which has seen packets in
            both directions, NEW meaning that the packet has started a new
            connection, or otherwise associated with a connection which has
            not seen packets in both directions, and RELATED meaning that the
            packet is starting a new connection, but is associated with an
            existing connection, such as an FTP data transfer, or an ICMP
            error. SNAT A virtual state, matching if the original source
            address differs from the reply destination. DNAT A virtual state,
            matching if the original destination differs from the reply
            source.

    state
        This module, when combined with connection tracking, allows access to
        the connection tracking state for this packet.

        --state state
            Where state is a comma separated list of the connection states to
            match. Possible states are INVALID meaning that the packet could
            not be identified for some reason which includes running out of
            memory and ICMP errors which don't correspond to any known
            connection, ESTABLISHED meaning that the packet is associated with
            a connection which has seen packets in both directions, NEW
            meaning that the packet has started a new connection, or otherwise
            associated with a connection which has not seen packets in both
            directions, and RELATED meaning that the packet is starting a new
            connection, but is associated with an existing connection, such as
            an FTP data transfer, or an ICMP error.
> @@ -490,8 +490,8 @@ iptablesForwardAllowRelatedIn(iptablesContext
*ctx,
> action,
> "--destination", networkstr,
> "--out-interface", iface,
> - "--match", "state",
> - "--state",
"ESTABLISHED,RELATED",
> + "--match", "conntrack",
> + "--ctstate",
"ESTABLISHED,RELATED",
> "--jump", "ACCEPT",
> NULL);
> }
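Review bot: the switch from "--match state"/"--state" to "--match conntrack"/"--ctstate" in iptablesForwardAllowRelatedIn is behaviour-preserving (ESTABLISHED and RELATED mean the same thing in both modules, per the man page text above), but the commit message says "forwarding rules" in the plural while this hunk converts a single call site; please confirm every remaining "--match", "state" / "--state" pair in the file is converted in the same patch so one build does not mix the two modules. Also note there is no detection for the other direction: on a host whose iptables lacks libxt_conntrack.so, rule insertion now fails at runtime rather than at build time, so it is worth either probing `iptables -m conntrack --help` once at startup or documenting the minimum supported iptables version.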
> --
> 1.8.2
>
ACK.
So I agree with this assessment, and I have pushed the patch. (And
here's hoping --ctstate doesn't have the same problems as --ctdir at
being unreliable across kernel versions - maybe you have an opinion
there as well?
https://www.redhat.com/archives/libvir-list/2013-March/msg01558.html).
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org
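The thread's substitution (s/--match state/--match conntrack/, s/--state /--ctstate/) plus the compatibility worry about older iptables, written out as a small POSIX sh example. This is an added illustration, not libvirt code: it probes whether the installed iptables userspace can load the conntrack extension and otherwise falls back to the deprecated state match, then builds the ESTABLISHED,RELATED forwarding rule with whichever module was chosen. The chain name FORWARD, the "-A" action and the sample network/interface values are assumptions, and the probe only shows that the userspace extension is present; whether the running kernel has the matching xt_conntrack support is only proven by actually inserting a rule.

```shell
#!/bin/sh
# Added example, not part of libvirt. Selects the connection-tracking match
# module at runtime and emits the "allow related traffic in" forwarding rule.

# Path of the iptables binary; override via the environment if needed.
IPTABLES="${IPTABLES:-iptables}"

# Print "conntrack" if the installed iptables can load libxt_conntrack
# (iptables -m conntrack --help exits non-zero when the extension is missing),
# else "state". This checks userspace only, not the kernel's xt_conntrack.
ct_match_module() {
    if "$IPTABLES" -m conntrack --help >/dev/null 2>&1; then
        echo conntrack
    else
        echo state
    fi
}

# Build the argument list for the forwarding rule, mirroring the libvirt
# helper discussed in the thread: accept packets towards $net leaving via
# $iface that belong to an ESTABLISHED or RELATED connection.
# $1 = destination network, $2 = output interface, $3 = match module
# (conntrack or state). The chain FORWARD and the -A action are assumptions.
forward_allow_related_in_args() {
    net="$1"
    iface="$2"
    module="$3"
    case "$module" in
        conntrack) flag=--ctstate ;;
        state)     flag=--state ;;
        *)
            echo "unknown match module: $module" >&2
            return 1
            ;;
    esac
    echo -A FORWARD --destination "$net" --out-interface "$iface" \
        --match "$module" "$flag" ESTABLISHED,RELATED --jump ACCEPT
}

# Stand-alone usage: pick the module for this host and show the rule that
# would be installed (prefix the output with "$IPTABLES" to apply it as root).
if [ "${1:-}" = "--demo" ]; then
    module=$(ct_match_module)
    forward_allow_related_in_args 192.168.122.0/24 virbr0 "$module"
fi
```

Running the script with `--demo` prints the rule for the local iptables; piping the same arguments into `iptables` (as root) applies it. Keeping the module choice in one function is what makes the migration safe to roll out on a mixed fleet: a host still on iptables 1.3.x gets the state match, everything newer gets conntrack, and the rule text is otherwise identical.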