1 |
Michael Orlitzky <michael@××××××××.com> writes: |
2 |
|
3 |
> The 'conntrack' module is supposed to be a superset of 'state', so most |
4 |
> things should be compatible. You really have two warnings there; the |
5 |
> first is for the state -> conntrack switch, and the second is because |
6 |
> you're missing the --state flag in your rules. |
7 |
> |
8 |
> In your example, you turn on the state matching, |
9 |
> |
10 |
> iptables -A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED |
11 |
> |
12 |
> but you don't specify *which* state(s) you want to match. It wants you |
13 |
> to specify --state SOMETHING. I'd guess that it used to interpret "no |
14 |
> state" as "any state." |
15 |
|
16 |
The problem is not really the OP's fault. The problem is that if you |
17 |
have tables with the form "-m state --state XXX" at the point you |
18 |
upgrade, iptables-save (quite possibly called automatically by |
19 |
/etc/init.d/iptables stop) will save it as "-m state --state" - ie |
20 |
'forgetting' which state(s) the rule applies to. |
21 |
|
22 |
The solution is to either change all your rules to use "-m conntrack |
23 |
--ctstate XXX" before upgrading or editing /var/lib/iptables/rules-save |
24 |
to globally replace '-m state' by '-m conntrack' and '--state' by |
25 |
'--ctstate' prior to the upgrade and (at least temporarily) edit |
26 |
/etc/conf.d/iptables to set SAVE_ON_STOP="no". The same will also need |
27 |
to be done with ip6tables if you use that. |
28 |
|
29 |
I think that this is a serious enough change in behaviour that an elog |
30 |
warning should have been issued. |