提交 06844ccb 编写于 作者: S Stefan Berger 提交者: Stefan Berger

nwfilter: Use -m conntrack rather than -m state

Since iptables version 1.4.16 '-m state --state NEW' is converted to
'-m conntrack --ctstate NEW'. Therefore, when encountering this or later
versions of iptables use '-m conntrack --ctstate'.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
上级 3d0e3c1a
...@@ -188,6 +188,9 @@ static const char ebiptables_script_set_ifs[] = ...@@ -188,6 +188,9 @@ static const char ebiptables_script_set_ifs[] =
static const char *m_state_out_str = "-m state --state NEW,ESTABLISHED"; static const char *m_state_out_str = "-m state --state NEW,ESTABLISHED";
static const char *m_state_in_str = "-m state --state ESTABLISHED"; static const char *m_state_in_str = "-m state --state ESTABLISHED";
static const char *m_state_out_str_new = "-m conntrack --ctstate NEW,ESTABLISHED";
static const char *m_state_in_str_new = "-m conntrack --ctstate ESTABLISHED";
static const char *m_physdev_in_str = "-m physdev " PHYSDEV_IN; static const char *m_physdev_in_str = "-m physdev " PHYSDEV_IN;
static const char *m_physdev_out_str = "-m physdev " PHYSDEV_OUT; static const char *m_physdev_out_str = "-m physdev " PHYSDEV_OUT;
static const char *m_physdev_out_old_str = "-m physdev " PHYSDEV_OUT_OLD; static const char *m_physdev_out_old_str = "-m physdev " PHYSDEV_OUT_OLD;
...@@ -4338,6 +4341,49 @@ ebiptablesDriverProbeCtdir(void) ...@@ -4338,6 +4341,49 @@ ebiptablesDriverProbeCtdir(void)
iptables_ctdir_corrected = CTDIR_STATUS_OLD; iptables_ctdir_corrected = CTDIR_STATUS_OLD;
} }
static void
ebiptablesDriverProbeStateMatch(void)
{
virBuffer buf = VIR_BUFFER_INITIALIZER;
char *cmdout = NULL, *version;
unsigned long thisversion;
NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
virBufferAsprintf(&buf,
"$IPT --version");
if (ebiptablesExecCLI(&buf, NULL, &cmdout) < 0) {
VIR_ERROR(_("Testing of iptables command failed: %s"),
cmdout);
return;
}
/*
* we expect output in the format
* iptables v1.4.16
*/
if (!(version = strchr(cmdout, 'v')) ||
virParseVersionString(version + 1, &thisversion, true) < 0) {
VIR_ERROR(_("Could not determine iptables version from string %s"),
cmdout);
goto cleanup;
}
/*
* since version 1.4.16 '-m state --state ...' will be converted to
* '-m conntrack --ctstate ...'
*/
if (thisversion >= 1 * 1000000 + 4 * 1000 + 16) {
m_state_out_str = m_state_out_str_new;
m_state_in_str = m_state_in_str_new;
}
cleanup:
VIR_FREE(cmdout);
return;
}
static int static int
ebiptablesDriverInit(bool privileged) ebiptablesDriverInit(bool privileged)
{ {
...@@ -4375,8 +4421,10 @@ ebiptablesDriverInit(bool privileged) ...@@ -4375,8 +4421,10 @@ ebiptablesDriverInit(bool privileged)
return -ENOTSUP; return -ENOTSUP;
} }
if (iptables_cmd_path) if (iptables_cmd_path) {
ebiptablesDriverProbeCtdir(); ebiptablesDriverProbeCtdir();
ebiptablesDriverProbeStateMatch();
}
ebiptables_driver.flags = TECHDRV_FLAG_INITIALIZED; ebiptables_driver.flags = TECHDRV_FLAG_INITIALIZED;
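Review bot: The failure branch of `ebiptablesExecCLI` at the top of `ebiptablesDriverProbeStateMatch` does a bare `return;` right after logging `cmdout`, while the later error path goes through `cleanup:` and `VIR_FREE(cmdout)`; since the error message prints the buffer, the helper evidently can fill it on failure, so that branch leaks it — change it to `goto cleanup;` so both paths release the buffer. The `strchr(cmdout, 'v')` call also assumes `cmdout` is non-NULL on success, which depends on the contract of `ebiptablesExecCLI` not visible here; if an empty output buffer is possible, guard it as `if (!cmdout || !(version = strchr(cmdout, 'v')) ||`. On any probe failure the old `-m state` form is kept, which the commit message says newer iptables still converts, so the worst case is a noisy log line rather than broken rules.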