[libvirt] [PATCH] net: use newer iptables syntax

Hi all,

iptables-1.4.18 removed the long deprecated "state" match. Use "conntrack" instead in forwarding rules. Fixes openSUSE bug https://bugzilla.novell.com/811251 #811251.

Real patch is attached as I'm pretty sure that thunderbird will mess it up otherwise :(

Basically it's

s/--match state/--match conntrack/
s/--state /--ctstate/

in src/util/viriptables.c

Best regards,
Stefan

--
Stefan Seyfried
Linux Consultant & Developer
Mail: seyfried@b1-systems.de
GPG Key: 0x731B665B

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537

On Mon, Mar 25, 2013 at 08:39:40PM +0100, Stefan Seyfried wrote:
Hi all,
iptables-1.4.18 removed the long deprecated "state" match. Use "conntrack" instead in forwarding rules. Fixes openSUSE bug https://bugzilla.novell.com/811251 #811251.
real patch is attached as I'm pretty sure that thunderbird will mess it up otherwise :(
Basically it's
s/--match state/--match conntrack/ s/--state /--ctstate/
This is supported by old iptables. (tested with 1.4.14)
in src/util/viriptables.c
Best regards,
Stefan

--
Stefan Seyfried
Linux Consultant & Developer
Mail: seyfried@b1-systems.de
GPG Key: 0x731B665B

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
From 1aa2736263537e7856db9820bce835c1b3c2b51a Mon Sep 17 00:00:00 2001
From: Stefan Seyfried <seife+dev@b1-systems.com>
Date: Mon, 25 Mar 2013 20:27:46 +0100
Subject: [PATCH] net: use newer iptables syntax

iptables-1.4.18 removed the long deprecated "state" match. Use "conntrack" instead in forwarding rules. Fixes openSUSE bug https://bugzilla.novell.com/811251 #811251.
---
 src/util/viriptables.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 8cfafc0..19d6161 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -480,8 +480,8 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx, "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, - "--match", "state", - "--state", "ESTABLISHED,RELATED", + "--match", "conntrack", + "--ctstate", "ESTABLISHED,RELATED", "--jump", "ACCEPT", NULL); } else { @@ -490,8 +490,8 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx, action, "--destination", networkstr, "--out-interface", iface, - "--match", "state", - "--state", "ESTABLISHED,RELATED", + "--match", "conntrack", + "--ctstate", "ESTABLISHED,RELATED", "--jump", "ACCEPT", NULL); } -- 1.8.2
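Review bot: both hunks switch iptablesForwardAllowRelatedIn to `"--match", "conntrack"` / `"--ctstate", "ESTABLISHED,RELATED"` unconditionally, with no probe and no fallback, so on an iptables build that lacks the conntrack extension (or a kernel without the matching module) the rule insertion fails and established/related replies into the guest network stop being accepted. Consider detecting whether the conntrack match is usable at runtime and keeping the `"--match", "state"` / `"--state", ...` form as the fallback, or at minimum stating the oldest supported iptables version in the commit message, which at present only records that 1.4.18 removed "state".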
ACK.

On 03/25/2013 09:24 PM, Hu Tao wrote:
On Mon, Mar 25, 2013 at 08:39:40PM +0100, Stefan Seyfried wrote:
Hi all,
iptables-1.4.18 removed the long deprecated "state" match. Use "conntrack" instead in forwarding rules. Fixes openSUSE bug https://bugzilla.novell.com/811251 #811251.
real patch is attached as I'm pretty sure that thunderbird will mess it up otherwise :(
Basically it's
s/--match state/--match conntrack/ s/--state /--ctstate/
This is supported by old iptables. (tested with 1.4.14)
The real question is RHEL 5, which shipped with iptables 1.3.5. But there, I see this in the man page:

conntrack
    This module, when combined with connection tracking, allows access to more connection tracking information than the "state" match. (this module is present only if iptables was compiled under a kernel supporting this feature)

    --ctstate state
        Where state is a comma separated list of the connection states to match. Possible states are INVALID meaning that the packet is associated with no known connection, ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions, NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error. SNAT A virtual state, matching if the original source address differs from the reply destination. DNAT A virtual state, matching if the original destination differs from the reply source.

state
    This module, when combined with connection tracking, allows access to the connection tracking state for this packet.

    --state state
        Where state is a comma separated list of the connection states to match. Possible states are INVALID meaning that the packet could not be identified for some reason which includes running out of memory and ICMP errors which don't correspond to any known connection, ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions, NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.
@@ -490,8 +490,8 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx, action, "--destination", networkstr, "--out-interface", iface, - "--match", "state", - "--state", "ESTABLISHED,RELATED", + "--match", "conntrack", + "--ctstate", "ESTABLISHED,RELATED", "--jump", "ACCEPT", NULL); } -- 1.8.2
ACK.
So I agree with this assessment, and I have pushed the patch. (And here's hoping --ctstate doesn't have the same problems as --ctdir at being unreliable across kernel versions - maybe you have an opinion there as well? https://www.redhat.com/archives/libvir-list/2013-March/msg01558.html).

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org

On Wed, Mar 27, 2013 at 5:22 PM, Eric Blake <eblake@redhat.com> wrote:
On 03/25/2013 09:24 PM, Hu Tao wrote:
On Mon, Mar 25, 2013 at 08:39:40PM +0100, Stefan Seyfried wrote:
Hi all,
iptables-1.4.18 removed the long deprecated "state" match. Use "conntrack" instead in forwarding rules. Fixes openSUSE bug https://bugzilla.novell.com/811251 #811251.
real patch is attached as I'm pretty sure that thunderbird will mess it up otherwise :(
Basically it's
s/--match state/--match conntrack/ s/--state /--ctstate/
This is supported by old iptables. (tested with 1.4.14)
The real question is RHEL 5, which shipped with iptables 1.3.5. But there, I see this in the man page:
Reality is that this interface really relies on the nf-conntrack module, which RHEL 5 doesn't have. The older variant that RHEL 5 does have is xt_conntrack. I know from personal experience that it's broken on IPv6 on RHEL5. But what changed between the two I don't remember. The backend providing the information was changed in the early 2.6.2x series, which is what I believe the change is related to.

The reason why --state was removed from iptables 1.4.18 is that Linux 3.7 removed the corresponding kernel module. I'd hope that an older iptables running on a newer kernel would report an error with trying to use --state, but with past experience with netfilter, a lot of times features you ask for result in a no-op when the kernel doesn't support it but the userland does.

This might require a bit more finesse with the detection and choosing whether to use --conntrack or --state for RHEL 5 era systems.

--
Doug Goldstein
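As an added example, written for this thread rather than taken from libvirt or from any of the posters, the following POSIX shell script puts together the substitution Stefan describes (`--match state`/`--state` versus `--match conntrack`/`--ctstate`) and the runtime detection Doug asks for: it probes which match the installed iptables can use, preferring conntrack and falling back to the legacy state match, and builds the FORWARD rule from the chosen match in the same shape as the two hunks. The probe strategy, the scratch chain name used for the kernel-level probe, and the 192.168.122.0/24, eth0 and virbr0 sample values are assumptions of this example, not anything the thread specifies.

```shell
#!/bin/sh
# Added example, not libvirt code: pick the "conntrack" match where it works,
# fall back to the legacy "state" match otherwise, and build the FORWARD rule
# that lets established/related replies back into the guest network.

IPTABLES="${IPTABLES:-iptables}"

# Cheap probe, no root needed: can the userland extension for MATCH be loaded?
# `iptables -m <match> --help` only loads libxt_<match>.so, so success here
# does not prove that the running kernel has the corresponding xt module.
userland_has_match() {
    "$IPTABLES" -m "$1" --help >/dev/null 2>&1
}

# Stronger probe, needs root: add a rule using MATCH to a throwaway chain so
# the kernel actually has to load the module, then tear the chain down again.
# This catches the userland-accepts-but-kernel-lacks-it case from the thread.
kernel_accepts_match() {
    match="$1"
    case "$match" in
        conntrack) opt="--ctstate" ;;
        state)     opt="--state" ;;
        *)         return 1 ;;
    esac
    chain="ct_probe_$$"          # hypothetical scratch chain name (assumption)
    "$IPTABLES" -N "$chain" 2>/dev/null || return 1
    rc=0
    "$IPTABLES" -A "$chain" -m "$match" "$opt" ESTABLISHED -j RETURN 2>/dev/null || rc=1
    "$IPTABLES" -F "$chain" 2>/dev/null
    "$IPTABLES" -X "$chain" 2>/dev/null
    return "$rc"
}

# Print the match to use: prefer conntrack, fall back to state, fail if
# neither loads. As root the kernel-level probe is used; otherwise only the
# userland probe, with the caveat noted above.
detect_ct_match() {
    for m in conntrack state; do
        if [ "$(id -u)" -eq 0 ] 2>/dev/null; then
            kernel_accepts_match "$m" && { echo "$m"; return 0; }
        else
            userland_has_match "$m" && { echo "$m"; return 0; }
        fi
    done
    return 1
}

# Pure function (no iptables call): print the argument list of the
# "allow established/related traffic into the network" rule for MATCH.
# ACTION is --insert or --delete. PHYSDEV may be empty, in which case the
# --in-interface clause is omitted, mirroring the two branches in the patch.
forward_related_rule() {
    match="$1" action="$2" network="$3" physdev="$4" iface="$5"
    case "$match" in
        conntrack) opt="--ctstate" ;;
        state)     opt="--state" ;;
        *) echo "unknown match: $match" >&2; return 1 ;;
    esac
    in_if=""
    [ -n "$physdev" ] && in_if="--in-interface $physdev "
    printf '%s\n' "--table filter $action FORWARD --destination $network ${in_if}--out-interface $iface --match $match $opt ESTABLISHED,RELATED --jump ACCEPT"
}

# Demo: detect the usable match and print the rule that would be applied.
# Nothing is inserted; the network and interface names are constructed values.
match=$(detect_ct_match) || match="none"
echo "detected match: $match"
if [ "$match" != none ]; then
    rule=$(forward_related_rule "$match" --insert 192.168.122.0/24 eth0 virbr0)
    echo "would run: $IPTABLES $rule"
fi
```

To apply the rule for real, run `$IPTABLES $rule` (unquoted, so the space-separated arguments split) as root; the `--delete` action with the same arguments removes it again, which is the shape iptablesForwardAllowRelatedIn uses for its `action` parameter.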

On Wed, Mar 27, 2013 at 04:22:26PM -0600, Eric Blake wrote:
On 03/25/2013 09:24 PM, Hu Tao wrote:
On Mon, Mar 25, 2013 at 08:39:40PM +0100, Stefan Seyfried wrote:
Hi all,
iptables-1.4.18 removed the long deprecated "state" match. Use "conntrack" instead in forwarding rules. Fixes openSUSE bug https://bugzilla.novell.com/811251 #811251.
real patch is attached as I'm pretty sure that thunderbird will mess it up otherwise :(
Basically it's
s/--match state/--match conntrack/ s/--state /--ctstate/
This is supported by old iptables. (tested with 1.4.14)
The real question is RHEL 5, which shipped with iptables 1.3.5.
I don't think we ever tried to make the nwfilter code work with RHEL-5 - I recall other problems, but can't remember what they are offhand.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|