[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] net: use newer iptables syntax



On 03/25/2013 09:24 PM, Hu Tao wrote:
> On Mon, Mar 25, 2013 at 08:39:40PM +0100, Stefan Seyfried wrote:
>> Hi all,
>>
>> iptables-1.4.18 removed the long deprecated "state" match.
>> Use "conntrack" instead in forwarding rules.
>> Fixes openSUSE bug https://bugzilla.novell.com/811251 #811251.
>>
>> real patch is attached as I'm pretty sure that thunderbird will mess it
>> up otherwise :(
>>
>> Basically it's
>>
>> 	s/--match state/--match conntrack/
>> 	s/--state /--ctstate/
> 
> This is supported by old iptables. (tested with 1.4.14)

The real question is RHEL 5, which shipped with iptables 1.3.5.  But
there, I see this in the man page:


   conntrack
       This module, when combined with connection tracking, allows access to
       more connection tracking information than the "state" match. (this
       module is present only if iptables was compiled under a kernel
       supporting this feature)

       --ctstate state
              Where state is a comma separated list of the connection states
              to match. Possible states are INVALID meaning that the packet
              is associated with no known connection, ESTABLISHED meaning
              that the packet is associated with a connection which has seen
              packets in both directions, NEW meaning that the packet has
              started a new connection, or otherwise associated with a
              connection which has not seen packets in both directions, and
              RELATED meaning that the packet is starting a new connection,
              but is associated with an existing connection, such as an FTP
              data transfer, or an ICMP error. SNAT A virtual state, matching
              if the original source address differs from the reply
              destination. DNAT A virtual state, matching if the original
              destination differs from the reply source.



   state
       This module, when combined with connection tracking, allows access to
       the connection tracking state for this packet.

       --state state
              Where state is a comma separated list of the connection states
              to match. Possible states are INVALID meaning that the packet
              could not be identified for some reason which includes running
              out of memory and ICMP errors which don’t correspond to any
              known connection, ESTABLISHED meaning that the packet is
              associated with a connection which has seen packets in both
              directions, NEW meaning that the packet has started a new
              connection, or otherwise associated with a connection which has
              not seen packets in both directions, and RELATED meaning that
              the packet is starting a new connection, but is associated with
              an existing connection, such as an FTP data transfer, or an
              ICMP error.

>> @@ -490,8 +490,8 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
>>                                      action,
>>                                      "--destination", networkstr,
>>                                      "--out-interface", iface,
>> -                                    "--match", "state",
>> -                                    "--state", "ESTABLISHED,RELATED",
>> +                                    "--match", "conntrack",
>> +                                    "--ctstate", "ESTABLISHED,RELATED",
>>                                      "--jump", "ACCEPT",
>>                                      NULL);
>>      }
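Review bot: the ESTABLISHED,RELATED argument is carried over unchanged, so the rule keeps its meaning, but conntrack is a different extension from state: the iptables 1.3.5 man page quoted above says the module "is present only if iptables was compiled under a kernel supporting this feature", so on a host whose iptables build or kernel lacks the conntrack match this insert now fails where `--match state` used to load. Either probe once for the conntrack extension and fall back to `--match state` / `--state`, or state the new minimum requirement in the commit message. Also, only this one hunk of the attached patch is visible here; since the commit message describes a blanket s/--match state/--match conntrack/ and s/--state /--ctstate/, confirm both tokens were replaced together at every other call site so no rule is left pairing `--match conntrack` with `--state`.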
>> -- 
>> 1.8.2
>>
> 
> ACK.

So I agree with this assessment, and I have pushed the patch.  (And
here's hoping --ctstate doesn't have the same problems as --ctdir at
being unreliable across kernel versions - maybe you have an opinion
there as well?
https://www.redhat.com/archives/libvir-list/2013-March/msg01558.html).

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org



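As an added example (not libvirt's code and not part of this thread): a POSIX shell script that builds the FORWARD rule shown in the hunk above in either dialect, probes which connection-tracking match the local iptables can load, and falls back from conntrack to state when the insert fails, which is the compatibility question raised in the reply. The `--table filter` / `FORWARD` placement, the function names, and the `192.168.122.0/24` / `virbr0` sample values are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not libvirt code: emit libvirt-style FORWARD rules in the
# conntrack or the legacy state dialect, and pick at runtime which one the
# local iptables accepts. Assumed for illustration: the rule lives in the
# filter table's FORWARD chain; function names and sample values are ours.

# Connection-tracking match tokens for ESTABLISHED,RELATED in one dialect.
# These are fixed flag tokens, never user input, so callers may word-split them.
ct_match_args() {
    case "$1" in
        conntrack) printf '%s' '--match conntrack --ctstate ESTABLISHED,RELATED' ;;
        state)     printf '%s' '--match state --state ESTABLISHED,RELATED' ;;
        *) printf 'unknown match style: %s\n' "$1" >&2; return 2 ;;
    esac
}

# Mirror of iptablesForwardAllowRelatedIn(): $1 action (--insert/--append),
# $2 destination network, $3 outgoing interface, $4 match style.
# Prints the command line so it can be inspected or tested without root.
forward_allow_related_in() {
    printf '%s' "iptables --table filter $1 FORWARD --destination $2 --out-interface $3 $(ct_match_args "$4") --jump ACCEPT"
}

# Run the same rule directly. No eval: network and iface stay quoted and only
# the fixed match tokens are word-split (same arguments as the printed form).
run_forward_allow_related_in() {
    match=$(ct_match_args "$4") || return 2
    # shellcheck disable=SC2086
    iptables --table filter "$1" FORWARD --destination "$2" \
        --out-interface "$3" $match --jump ACCEPT
}

# Which match extension can this iptables load? "-m X --help" fails when the
# userspace extension is missing (per the thread, 1.4.18 dropped state and an
# old 1.3.5 build may lack conntrack). Kernel-side support is only exercised
# when a rule is actually inserted, which is what apply_with_fallback handles.
detect_match_style() {
    for style in conntrack state; do
        if iptables -m "$style" --help >/dev/null 2>&1; then
            printf '%s\n' "$style"
            return 0
        fi
    done
    printf 'none\n'
    return 1
}

# Insert with the modern dialect first; if the extension or the kernel module
# is missing the insert fails, so retry with the legacy match. Prints the
# dialect that worked. Needs root (or CAP_NET_ADMIN) to actually run iptables.
apply_with_fallback() {
    for style in conntrack state; do
        if run_forward_allow_related_in "$1" "$2" "$3" "$style" 2>/dev/null; then
            printf '%s\n' "$style"
            return 0
        fi
    done
    printf 'neither the conntrack nor the state match is usable here\n' >&2
    return 1
}

# Usage (the first three lines need no root; sample values are constructed):
#   forward_allow_related_in --insert 192.168.122.0/24 virbr0 conntrack
#   forward_allow_related_in --insert 192.168.122.0/24 virbr0 state
#   detect_match_style
#   apply_with_fallback --insert 192.168.122.0/24 virbr0
```

The probe only tells you whether the userspace extension exists; a kernel built without xt_conntrack still rejects the rule at insertion time, which is why apply_with_fallback keys off the real insert rather than off detect_match_style.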