On 12/27/12 06:28, Graham Murray wrote:
> Michael Orlitzky <mich...@orlitzky.com> writes:
>
>> The 'conntrack' module is supposed to be a superset of 'state', so most
>> things should be compatible. You really have two warnings there; the
>> first is for the state -> conntrack switch, and the second is because
>> you're missing the --state flag in your rules.
>>
>> In your example, you turn on the state matching,
>>
>> iptables -A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED
>>
>> but you don't specify *which* state(s) you want to match. It wants you
>> to specify --state SOMETHING. I'd guess that it used to interpret "no
>> state" as "any state."
>
> The problem is not really the OP's fault. The problem is that if you
> have tables with the form "-m state --state XXX" at the point you
> upgrade, iptables-save (quite possibly called automatically by
> /etc/init.d/iptables stop) will save it as "-m state --state" - ie
> 'forgetting' which state(s) the rule applies to.
>
Youch, thanks, I'll keep an eye out for this when iptables wants a bump.
I already keep the rules in a script, but it sounds like this will
clobber the running rules after e.g. a reboot.
My first -m state rule is,
iptables -A INPUT -p ALL -m state \
--state ESTABLISHED,RELATED -j ACCEPT
And if what you say is true, I'd be in deep shit if it reset to,
iptables -A INPUT -p ALL -m state -j ACCEPT
without a warning.
>
> I think that this is a serious enough change in behaviour that an elog
> warning should have been issued.
It's not stable yet, right? File a bug (and CC me, please).
