2:39 p.m.
Hi all,
iptables-1.4.18 removed the long deprecated "state" match.
Use "conntrack" instead in forwarding rules.
Fixes openSUSE bug https://bugzilla.novell.com/811251 #811251.
real patch is attached as I'm pretty sure that thunderbird will mess it
up otherwise :(
Basically it's
s/--match state/--match conntrack/
s/--state /--ctstate/
in src/til/viriptables.c
Best regards,
Stefan
--
Stefan Seyfried
Linux Consultant & Developer
Mail: seyfried(a)b1-systems.de GPG Key: 0x731B665B
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
10:24 p.m.
On Mon, Mar 25, 2013 at 08:39:40PM +0100, Stefan Seyfried wrote:
Hi all,
iptables-1.4.18 removed the long deprecated "state" match.
Use "conntrack" instead in forwarding rules.
Fixes openSUSE bug https://bugzilla.novell.com/811251 #811251.
real patch is attached as I'm pretty sure that thunderbird will mess it
up otherwise :(
Basically it's
s/--match state/--match conntrack/
s/--state /--ctstate/
This is supported by old iptables. (tested with 1.4.14)
in src/til/viriptables.c
Best regards,
Stefan
--
Stefan Seyfried
Linux Consultant & Developer
Mail: seyfried(a)b1-systems.de GPG Key: 0x731B665B
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
>From 1aa2736263537e7856db9820bce835c1b3c2b51a Mon Sep 17 00:00:00
2001
From: Stefan Seyfried <seife+dev(a)b1-systems.com>
Date: Mon, 25 Mar 2013 20:27:46 +0100
Subject: [PATCH] net: use newer iptables syntax
iptables-1.4.18 removed the long deprecated "state" match.
Use "conntrack" instead in forwarding rules.
Fixes openSUSE bug https://bugzilla.novell.com/811251 #811251.
---
src/util/viriptables.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 8cfafc0..19d6161 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -480,8 +480,8 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
- "--match", "state",
- "--state",
"ESTABLISHED,RELATED",
+ "--match", "conntrack",
+ "--ctstate",
"ESTABLISHED,RELATED",
"--jump", "ACCEPT",
NULL);
} else {
@@ -490,8 +490,8 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
action,
"--destination", networkstr,
"--out-interface", iface,
- "--match", "state",
- "--state",
"ESTABLISHED,RELATED",
+ "--match", "conntrack",
+ "--ctstate",
"ESTABLISHED,RELATED",
"--jump", "ACCEPT",
NULL);
}
--
1.8.2
ACK.
5:22 p.m.
On 03/25/2013 09:24 PM, Hu Tao wrote:
On Mon, Mar 25, 2013 at 08:39:40PM +0100, Stefan Seyfried wrote:
> Hi all,
>
> iptables-1.4.18 removed the long deprecated "state" match.
> Use "conntrack" instead in forwarding rules.
> Fixes openSUSE bug https://bugzilla.novell.com/811251 #811251.
>
> real patch is attached as I'm pretty sure that thunderbird will mess it
> up otherwise :(
>
> Basically it's
>
> s/--match state/--match conntrack/
> s/--state /--ctstate/
This is supported by old iptables. (tested with 1.4.14)
The real question is RHEL 5, which shipped with iptables 1.3.5. But
there, I see this in the man page:
conntrack
This module, when combined with connection tracking, allows
access to
more connection tracking information than the "state" match.
(this
module is present only if iptables was compiled under a kernel
support-
ing this feature)
--ctstate state
Where state is a comma separated list of the connection
states
to match. Possible states are INVALID meaning that the
packet
is associated with no known connection, ESTABLISHED
meaning that
the packet is associated with a connection which has seen
pack-
ets in both directions, NEW meaning that the packet has
started
a new connection, or otherwise associated with a
connection
which has not seen packets in both directions, and RELATED
mean-
ing that the packet is starting a new connection, but is
associ-
ated with an existing connection, such as an FTP data
transfer,
or an ICMP error. SNAT A virtual state, matching if the
origi-
nal source address differs from the reply destination.
DNAT A
virtual state, matching if the original destination
differs from
the reply source.
state
This module, when combined with connection tracking, allows
access to
the connection tracking state for this packet.
--state state
Where state is a comma separated list of the connection
states
to match. Possible states are INVALID meaning that the
packet
could not be identified for some reason which includes
running
out of memory and ICMP errors which don’t correspond
to any
known connection, ESTABLISHED meaning that the packet is
associ-
ated with a connection which has seen packets in both
direc-
tions, NEW meaning that the packet has started a new
connection,
or otherwise associated with a connection which has not
seen
packets in both directions, and RELATED meaning that the
packet
is starting a new connection, but is associated with an
existing
connection, such as an FTP data transfer, or an ICMP error.
> @@ -490,8 +490,8 @@ iptablesForwardAllowRelatedIn(iptablesContext
*ctx,
> action,
> "--destination", networkstr,
> "--out-interface", iface,
> - "--match", "state",
> - "--state",
"ESTABLISHED,RELATED",
> + "--match", "conntrack",
> + "--ctstate",
"ESTABLISHED,RELATED",
> "--jump", "ACCEPT",
> NULL);
> }
> --
> 1.8.2
>
ACK.
So I agree with this assessment, and I have pushed the patch. (And
here's hoping --ctstate doesn't have the same problems as --ctdir at
being unreliable across kernel versions - maybe you have an opinion
there as well?
https://www.redhat.com/archives/libvir-list/2013-March/msg01558.html).
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
10:08 p.m.
On Wed, Mar 27, 2013 at 5:22 PM, Eric Blake <eblake(a)redhat.com> wrote:
On 03/25/2013 09:24 PM, Hu Tao wrote:
> On Mon, Mar 25, 2013 at 08:39:40PM +0100, Stefan Seyfried wrote:
>> Hi all,
>>
>> iptables-1.4.18 removed the long deprecated "state" match.
>> Use "conntrack" instead in forwarding rules.
>> Fixes openSUSE bug https://bugzilla.novell.com/811251 #811251.
>>
>> real patch is attached as I'm pretty sure that thunderbird will mess it
>> up otherwise :(
>>
>> Basically it's
>>
>> s/--match state/--match conntrack/
>> s/--state /--ctstate/
>
> This is supported by old iptables. (tested with 1.4.14)
The real question is RHEL 5, which shipped with iptables 1.3.5. But
there, I see this in the man page:
Reality is that this interface really relies on the nf-conntrack
module, which RHEL 5 doesn't have. The older variant that RHEL 5 does
have is xt_conntrack. I know from personal experience that its broken
on IPv6 on RHEL5. But what changed between the two I don't remember.
The backend providing the information was changed in the early 2.6.2x
series, which is what I believe the change is related to.
The reason why --state was removed from iptables 1.4.18 is that Linux
3.7 removed the corresponding kernel module. I'd hope that an older
iptables running on a newer kernel would report an error with trying
to use --state but with past experience with netfilter it a lot of
times features you ask for result in a no-op when the kernel doesn't
support it by the userland does.
This might require a bit more finesse with the detection and choosing
whether to use --conntrack or --state for RHEL 5 era systems.
--
Doug Goldstein
4:30 a.m.
On Wed, Mar 27, 2013 at 04:22:26PM -0600, Eric Blake wrote:
On 03/25/2013 09:24 PM, Hu Tao wrote:
> On Mon, Mar 25, 2013 at 08:39:40PM +0100, Stefan Seyfried wrote:
>> Hi all,
>>
>> iptables-1.4.18 removed the long deprecated "state" match.
>> Use "conntrack" instead in forwarding rules.
>> Fixes openSUSE bug https://bugzilla.novell.com/811251 #811251.
>>
>> real patch is attached as I'm pretty sure that thunderbird will mess it
>> up otherwise :(
>>
>> Basically it's
>>
>> s/--match state/--match conntrack/
>> s/--state /--ctstate/
>
> This is supported by old iptables. (tested with 1.4.14)
The real question is RHEL 5, which shipped with iptables 1.3.5.
I don't think we ever tried to make the nwfilter code work with
RHEL-5 - I recall other problems, but can't remember wat they
are offhand.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
4258
days inactive
4261
days old
4 comments
5 participants
participants (5)
-
Daniel P. Berrange -
Doug Goldstein -
Eric Blake -
Hu Tao -
Stefan Seyfried