mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-07-06 09:55:46 +00:00
Long ago we adapted to iptables changes by introducing support
for '-m conntrack':
commit 06844ccbaa
Author: Stefan Berger <stefanb@us.ibm.com>
Date: Tue Aug 6 20:30:46 2013 -0400
nwfilter: Use -m conntrack rather than -m state
Since iptables version 1.4.16 '-m state --state NEW' is converted to
'-m conntrack --ctstate NEW'. Therefore, when encountering this or later
versions of iptables use '-m conntrack --ctstate'.
Given our supported platform targets, we no longer need to
consider a version of iptables before 1.4.16, so can drop
support for the old syntax.
The test suite updates are triggered because the test suite never
probed for the new syntax, and so unconditionally
generated the old syntax.
Reviewed-by: Laine Stump <laine@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
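# iptables invocations that match packets against the ipset "tck_test" on
# per-interface chains for vnet0. The listing appears to be expected output
# from the nwfilter test suite rather than a script meant to be run by hand.
#
# The stray "|" separator lines that split every backslash continuation in
# the rendered listing have been dropped so each command parses as one unit.
# The command text itself is unchanged.
#
# Reading notes:
#   * -w makes iptables wait for the xtables lock instead of failing when
#     another process holds it.
#   * -m set --match-set NAME FLAGS looks the packet up in ipset NAME; each
#     comma-separated flag (src or dst) selects which side of the packet
#     feeds the corresponding dimension of the set. The set has to exist
#     before the rule is loaded, otherwise iptables refuses the rule.
#   * -m conntrack --ctstate is the current spelling of the older
#     -m state --state match.
#   * RETURN is not a final verdict: it hands the packet back to the calling
#     chain, so the effective outcome of the FJ-/HJ- rules depends on rules
#     in the caller that are not shown here. ACCEPT in FP- is final.
#   * NOTE(review): FJ-/FP-/HJ- look like libvirt's temporary forward-in,
#     forward-out and host-in chains -- confirm against the nwfilter driver.

# Group 1 -- stateful. FJ and HJ pass NEW and ESTABLISHED traffic whose
# src,dst lookup hits the set; FP accepts only ESTABLISHED traffic and uses
# the reversed flag order (dst,src).
iptables \
-w \
-A FJ-vnet0 \
-p all \
-m conntrack \
--ctstate NEW,ESTABLISHED \
-m set \
--match-set tck_test src,dst \
-j RETURN
iptables \
-w \
-A FP-vnet0 \
-p all \
-m conntrack \
--ctstate ESTABLISHED \
-m set \
--match-set tck_test dst,src \
-j ACCEPT
iptables \
-w \
-A HJ-vnet0 \
-p all \
-m conntrack \
--ctstate NEW,ESTABLISHED \
-m set \
--match-set tck_test src,dst \
-j RETURN

# Group 2 -- no conntrack match, so these rules apply in any connection
# state and set membership alone decides the match. The rules are tagged
# "in+NONE" (FP) and "out+NONE" (FJ, HJ). All three use src,dst: unlike the
# other groups, the flag order is not reversed between FP and FJ/HJ.
# NOTE(review): presumably intentional for this test vector; confirm against
# the filter definition that generates it.
iptables \
-w \
-A FP-vnet0 \
-p all \
-m set \
--match-set tck_test src,dst \
-m comment \
--comment in+NONE \
-j ACCEPT
iptables \
-w \
-A FJ-vnet0 \
-p all \
-m set \
--match-set tck_test src,dst \
-m comment \
--comment out+NONE \
-j RETURN
iptables \
-w \
-A HJ-vnet0 \
-p all \
-m set \
--match-set tck_test src,dst \
-m comment \
--comment out+NONE \
-j RETURN

# Group 3 -- stateful, three-dimensional set lookup. FJ and HJ pass only
# ESTABLISHED traffic with dst,src,dst; FP accepts NEW and ESTABLISHED
# traffic with the mirrored order src,dst,src.
iptables \
-w \
-A FJ-vnet0 \
-p all \
-m conntrack \
--ctstate ESTABLISHED \
-m set \
--match-set tck_test dst,src,dst \
-j RETURN
iptables \
-w \
-A FP-vnet0 \
-p all \
-m conntrack \
--ctstate NEW,ESTABLISHED \
-m set \
--match-set tck_test src,dst,src \
-j ACCEPT
iptables \
-w \
-A HJ-vnet0 \
-p all \
-m conntrack \
--ctstate ESTABLISHED \
-m set \
--match-set tck_test dst,src,dst \
-j RETURN

# Group 4 -- the same three rules as group 3, repeated verbatim.
iptables \
-w \
-A FJ-vnet0 \
-p all \
-m conntrack \
--ctstate ESTABLISHED \
-m set \
--match-set tck_test dst,src,dst \
-j RETURN
iptables \
-w \
-A FP-vnet0 \
-p all \
-m conntrack \
--ctstate NEW,ESTABLISHED \
-m set \
--match-set tck_test src,dst,src \
-j ACCEPT
iptables \
-w \
-A HJ-vnet0 \
-p all \
-m conntrack \
--ctstate ESTABLISHED \
-m set \
--match-set tck_test dst,src,dst \
-j RETURN

# Group 5 -- stateful, two-dimensional lookup. FJ and HJ pass only
# ESTABLISHED traffic with dst,src; FP accepts NEW and ESTABLISHED traffic
# with src,dst.
iptables \
-w \
-A FJ-vnet0 \
-p all \
-m conntrack \
--ctstate ESTABLISHED \
-m set \
--match-set tck_test dst,src \
-j RETURN
iptables \
-w \
-A FP-vnet0 \
-p all \
-m conntrack \
--ctstate NEW,ESTABLISHED \
-m set \
--match-set tck_test src,dst \
-j ACCEPT
iptables \
-w \
-A HJ-vnet0 \
-p all \
-m conntrack \
--ctstate ESTABLISHED \
-m set \
--match-set tck_test dst,src \
-j RETURN

# Group 6 -- no conntrack match, rules tagged "inout". FJ and HJ use
# dst,src; FP uses src,dst. As in group 2, these match in any connection
# state, so the contents of the set are the only gate.
iptables \
-w \
-A FJ-vnet0 \
-p all \
-m set \
--match-set tck_test dst,src \
-m comment \
--comment inout \
-j RETURN
iptables \
-w \
-A FP-vnet0 \
-p all \
-m set \
--match-set tck_test src,dst \
-m comment \
--comment inout \
-j ACCEPT
iptables \
-w \
-A HJ-vnet0 \
-p all \
-m set \
--match-set tck_test dst,src \
-m comment \
--comment inout \
-j RETURN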