Brian Schang
2011-Sep-19 11:16 UTC
Extended Connection Tracking Match Support - not available
Hello:

Last night I upgraded from 'iptables 1.4.10' to 'iptables 1.4.12.1'. When doing so, I encountered a possible regression: Extended Connection Tracking Match Support within shorewall was "Available" with v1.4.10, but is "Not available" with v1.4.12.1. Note that I am using 'shorewall 4.4.23.3' and openSuSE 11.4 with its stock kernel 2.6.37.6-0.7-default.

I dug into this a little bit and discovered:

# iptables -A test -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT
iptables v1.4.12.1: conntrack rev 2 does not support port ranges
Try `iptables -h' or 'iptables --help' for more information.

With some Googling, I discovered that Tom Eastep had encountered the same issue. He submitted a patch for iptables and Jan Engelhardt ultimately released 'iptables 1.4.12.1'.

For some reason, iptables v1.4.12.1 does not seem to have fixed the issue for me. Has anyone else seen this problem? Any suggestions?

Thanks.

--
Brian
Tom Eastep
2011-Sep-19 13:14 UTC
Re: Extended Connection Tracking Match Support - not available
On Mon, 2011-09-19 at 07:16 -0400, Brian Schang wrote:
> Hello:
>
> Last night I upgraded from 'iptables 1.4.10' to 'iptables 1.4.12.1'.
> When doing so, I encountered a possible regression: Extended Connection
> Tracking Match Support within shorewall was "Available" with v1.4.10,
> but is "Not available" with v1.4.12.1. Note that I am using 'shorewall
> 4.4.23.3' and openSuSE 11.4 with its stock kernel 2.6.37.6-0.7-default.
>
> I dug into this a little bit and discovered:
> # iptables -A test -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT
> iptables v1.4.12.1: conntrack rev 2 does not support port ranges
> Try `iptables -h' or 'iptables --help' for more information.
>
> With some Googling, I discovered that Tom Eastep had encountered the
> same issue. He submitted a patch for iptables and Jan Engelhardt
> ultimately released 'iptables 1.4.12.1'.
>
> For some reason, iptables v1.4.12.1 does not seem to have fixed the
> issue for me. Has anyone else seen this problem? Any suggestions?

Brian,

The problem was not corrected in 1.4.12.1. The 1.4.12.1 release and Jan's acceptance of the patch happened on the same day but were unrelated.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________