| 1 |
Michael Orlitzky <michael@××××××××.com> writes: |
| 2 |
|
| 3 |
> The 'conntrack' module is supposed to be a superset of 'state', so most |
| 4 |
> things should be compatible. You really have two warnings there; the |
| 5 |
> first is for the state -> conntrack switch, and the second is because |
| 6 |
> you're missing the --state flag in your rules. |
| 7 |
> |
| 8 |
> In your example, you turn on the state matching, |
| 9 |
> |
| 10 |
> iptables -A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED |
| 11 |
> |
| 12 |
> but you don't specify *which* state(s) you want to match. It wants you |
| 13 |
> to specify --state SOMETHING. I'd guess that it used to interpret "no |
| 14 |
> state" as "any state." |
| 15 |
|
| 16 |
The problem is not really the OP's fault. The problem is that if you |
| 17 |
have tables with the form "-m state --state XXX" at the point you |
| 18 |
upgrade, iptables-save (quite possibly called automatically by |
| 19 |
/etc/init.d/iptables stop) will save it as "-m state --state" - ie |
| 20 |
'forgetting' which state(s) the rule applies to. |
| 21 |
|
| 22 |
The solution is to either change all your rules to use "-m conntrack |
| 23 |
--ctstate XXX" before upgrading or editing /var/lib/iptables/rules-save |
| 24 |
to globally replace '-m state' by '-m conntrack' and '--state' by |
| 25 |
'--ctstate' prior to the upgrade and (at least temporarily) edit |
| 26 |
/etc/conf.d/iptables to set SAVE_ON_STOP="no". The same will also need |
| 27 |
to be done with ip6tables if you use that. |
| 28 |
|
| 29 |
I think that this is a serious enough change in behaviour that an elog |
| 30 |
warning should have been issued. |
Archives