Support conntrack stateful firewall matching #257
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Since Linux 3.7+ the "state" module has been removed from the kernel, leaving only the "conntrack" module. This patch adds support for the conntrack module in iptables by adding a new parameter to the firewall type, 'ctstate'. Updates the README to demonstrate using the ctstate parameter instead of state to nudge people to use it instead. This is safe as far as back to Linux kernel 2.6.18, so long as CONFIG_NF_CONNTRACK is enabled.
|
Ideally we'd convert any state rule to a ctstate if the kernel is higher than 3.7 as a stopgap measure, and I'd definitely support a PR that does that! I know we've been a bit lax with the firewall module and I want to apologize, we have a small team of two taking care of all the modules and neither of us has the deep expertise with this to feel comfortable doing a lot with it right now! |
apenney
pushed a commit
that referenced
this pull request
Oct 16, 2013
Support conntrack stateful firewall matching
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Since Linux 3.7+ the "state" module has been removed from the kernel, leaving
only the "conntrack" module. This patch adds support for the conntrack module in
iptables by adding a new parameter to the firewall type, 'ctstate'.
Updates the README to demonstrate using the ctstate parameter instead of state
to nudge people to use it instead. This is safe as far as back to Linux kernel
2.6.18, so long as CONFIG_NF_CONNTRACK is enabled.
Closes #231 and #142.
And a question, since the state trules are no longer working, should they be automatically converted to ctstate rules? What happens when both types of rules are applied? I'd think the state rules should be dropped (perhaps with a warning if it doesn't match ctstate).