[libvirt] [PATCH] net: use newer iptables syntax

Hu Tao hutao at cn.fujitsu.com
Tue Mar 26 03:24:18 UTC 2013 

On Mon, Mar 25, 2013 at 08:39:40PM +0100, Stefan Seyfried wrote:
> Hi all,
> 
> iptables-1.4.18 removed the long deprecated "state" match.
> Use "conntrack" instead in forwarding rules.
> Fixes openSUSE bug https://bugzilla.novell.com/811251 #811251.
> 
> real patch is attached as I'm pretty sure that thunderbird will mess it
> up otherwise :(
> 
> Basically it's
> 
> 	s/--match state/--match conntrack/
> 	s/--state /--ctstate/

This is supported by old iptables. (tested with 1.4.14)

> 
> in src/til/viriptables.c
> 
> Best regards,
> 
> 	Stefan
> -- 
> Stefan Seyfried
> Linux Consultant & Developer
> Mail: seyfried at b1-systems.de GPG Key: 0x731B665B
> 
> B1 Systems GmbH
> Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
> GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537

> >From 1aa2736263537e7856db9820bce835c1b3c2b51a Mon Sep 17 00:00:00 2001
> From: Stefan Seyfried <seife+dev at b1-systems.com>
> Date: Mon, 25 Mar 2013 20:27:46 +0100
> Subject: [PATCH] net: use newer iptables syntax
> 
> iptables-1.4.18 removed the long deprecated "state" match.
> Use "conntrack" instead in forwarding rules.
> Fixes openSUSE bug https://bugzilla.novell.com/811251 #811251.
> ---
>  src/util/viriptables.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/src/util/viriptables.c b/src/util/viriptables.c
> index 8cfafc0..19d6161 100644
> --- a/src/util/viriptables.c
> +++ b/src/util/viriptables.c
> @@ -480,8 +480,8 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
>                                      "--destination", networkstr,
>                                      "--in-interface", physdev,
>                                      "--out-interface", iface,
> -                                    "--match", "state",
> -                                    "--state", "ESTABLISHED,RELATED",
> +                                    "--match", "conntrack",
> +                                    "--ctstate", "ESTABLISHED,RELATED",
>                                      "--jump", "ACCEPT",
>                                      NULL);
>      } else {
> @@ -490,8 +490,8 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
>                                      action,
>                                      "--destination", networkstr,
>                                      "--out-interface", iface,
> -                                    "--match", "state",
> -                                    "--state", "ESTABLISHED,RELATED",
> +                                    "--match", "conntrack",
> +                                    "--ctstate", "ESTABLISHED,RELATED",
>                                      "--jump", "ACCEPT",
>                                      NULL);
>      }
> -- 
> 1.8.2
> 

ACK.

More information about the libvir-list mailing list