From: Michael Orlitzky
To: gentoo-user@lists.gentoo.org
Date: Thu, 27 Dec 2012 18:50:07 -0500
Message-ID: <50DCDEAF.9020002@orlitzky.com>
Subject: Re: [gentoo-user] IPTABLES syntax change?
In-Reply-To: <20121227231150.GA9864@waltdnes.org>

On 12/27/2012 06:11 PM, Walter Dnes wrote:
> On Thu, Dec 27, 2012 at 11:28:15AM +0000, Graham Murray wrote
>
>> The problem is not really the OP's fault. The problem is that if you
>> have tables with the form "-m state --state XXX" at the point you
>> upgrade, iptables-save (quite possibly called automatically by
>> /etc/init.d/iptables stop) will save it as "-m state --state" - i.e.
>> 'forgetting' which state(s) the rule applies to.
>
> Thanks for pointing that out. I looked back at an archived version,
> and it had stuff like...
>
> -A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED
> -A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED
> -A UDP_IN -p udp -m state --state NEW -j UNSOLICITED
>
> I.e. new external connection attempts were rejected, except for my
> LAN, which bypasses this rule so I can scp/ssh etc. between my machines.
> No wonder I was puzzled by what I saw.

Ah, yes, the original problem. Once you've upgraded, you should be able
to add all of your old --state rules normally, albeit with a warning.
The new iptables will translate them to conntrack rules, and you can
`/etc/init.d/iptables save` the result. The upgrade just fails in a
horrible way.
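The failure mode described in this thread (an iptables-save dump in which "-m state --state" rules have lost their state list, so a rule that was meant to match only NEW connections no longer says which states it matches) is easy to check for before the rules are loaded again. The following script is an added example written for this page; it is not code from the thread or from the iptables project. The rule lines in it are constructed samples modelled on the ones Walter quoted, with two deliberately broken entries, and the state-name list and the "-m conntrack --ctstate" rewrite reflect the standard iptables match syntax rather than anything the thread itself shows.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an iptables-save dump
# for "-m state --state" rules that were saved without their state list,
# and rewrite intact ones to the equivalent conntrack match.

# Constructed sample dump. Lines 3 and 5 are the broken form the thread
# describes: "--state" with no state list after it.
SAMPLE_RULES='-A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED
-A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED
-A UDP_IN -p udp -m state --state -j UNSOLICITED
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state'

# The states the state/conntrack matches accept, as a regex alternation.
STATE_NAME='(NEW|ESTABLISHED|RELATED|INVALID|UNTRACKED)'

# Print every rule in $1 whose "--state" is not followed by a valid,
# comma-separated state list. Exit status 0 if at least one was found.
find_broken_state_rules() {
    printf '%s\n' "$1" \
      | grep -E -e '--state' \
      | grep -E -v -e "--state +${STATE_NAME}(,${STATE_NAME})*( |\$)"
}

# Rewrite intact "-m state --state X" rules in $1 to "-m conntrack
# --ctstate X". Refuses to run if the dump contains broken rules, since
# converting those would just produce "--ctstate" with no argument.
state_to_conntrack() {
    if [ -n "$(find_broken_state_rules "$1")" ]; then
        echo "refusing: dump contains --state rules with no state list" >&2
        return 1
    fi
    printf '%s\n' "$1" \
      | sed -E 's/-m state --state ([A-Z,]+)/-m conntrack --ctstate \1/g'
}

# Stand-alone demonstration on the constructed sample.
echo "Rules that lost their state list:"
find_broken_state_rules "$SAMPLE_RULES"
echo
echo "Conversion of an intact rule:"
state_to_conntrack '-A INPUT -m state --state NEW -j ACCEPT'
```

Run it against a real dump with `find_broken_state_rules "$(cat /var/lib/iptables/rules-save)"` (path assumed; use wherever your init script saves rules). Any line it prints is a rule that would be restored with a different meaning than the one originally written, which is worth knowing before `/etc/init.d/iptables start` loads it.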