Michael Orlitzky <mich...@orlitzky.com> writes: > The 'conntrack' module is supposed to be a superset of 'state', so most > things should be compatible. You really have two warnings there; the > first is for the state -> conntrack switch, and the second is because > you're missing the --state flag in your rules. > > In your example, you turn on the state matching, > > iptables -A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED > > but you don't specify *which* state(s) you want to match. It wants you > to specify --state SOMETHING. I'd guess that it used to interpret "no > state" as "any state."
The problem is not really the OP's fault. The problem is that if you have tables with the form "-m state --state XXX" at the point you upgrade, iptables-save (quite possibly called automatically by /etc/init.d/iptables stop) will save it as "-m state --state" - ie 'forgetting' which state(s) the rule applies to. The solution is to either change all your rules to use "-m conntrack --ctstate XXX" before upgrading or editing /var/lib/iptables/rules-save to globally replace '-m state' by '-m conntrack' and '--state' by '--ctstate' prior to the upgrade and (at least temporarily) edit /etc/conf.d/iptables to set SAVE_ON_STOP="no". The same will also need to be done with ip6tables if you use that. I think that this is a serious enough change in behaviour that an elog warning should have been issued.
