nwfilter: drop support for legacy iptables match syntax

Long ago we adapted to iptables changes by introducing support
for '-m conntrack':

  commit 06844ccbaa
  Author: Stefan Berger <stefanb@us.ibm.com>
  Date:   Tue Aug 6 20:30:46 2013 -0400

    nwfilter: Use -m conntrack rather than -m state

    Since iptables version 1.4.16 '-m state --state NEW' is converted to
    '-m conntrack --ctstate NEW'. Therefore, when encountering this or later
    versions of iptables use '-m conntrack --ctstate'.

Given our supported platform targets, we no longer need to
consider a version of iptables before 1.4.16, so can drop
support for the old syntax.

The test suite updates are triggered because that never
probed for the new syntax, and so unconditionally
generated the old syntax.

Reviewed-by: Laine Stump <laine@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé
2022-02-25 16:24:21 +00:00
parent 7aec69b7fb
commit 02b8045517
32 changed files with 806 additions and 871 deletions

@@ -2,8 +2,8 @@ iptables \
-w \
-A FJ-vnet0 \
-p all \
-m state \
--state NEW,ESTABLISHED \
-m conntrack \
--ctstate NEW,ESTABLISHED \
-m set \
--match-set tck_test src,dst \
-j RETURN
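
Review bot: the `-m conntrack` / `--ctstate NEW,ESTABLISHED` pair for FJ-vnet0 is now the only form this expected output accepts, but nothing visible here records the iptables 1.4.16 floor that the commit message relies on. Suggest stating that minimum where the nwfilter driver's requirements are documented or packaged, so the assumption is checked at install time rather than discovered when guest filters are applied.
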
@@ -11,8 +11,8 @@ iptables \
-w \
-A FP-vnet0 \
-p all \
-m state \
--state ESTABLISHED \
-m conntrack \
--ctstate ESTABLISHED \
-m set \
--match-set tck_test dst,src \
-j ACCEPT
@@ -20,8 +20,8 @@ iptables \
-w \
-A HJ-vnet0 \
-p all \
-m state \
--state NEW,ESTABLISHED \
-m conntrack \
--ctstate NEW,ESTABLISHED \
-m set \
--match-set tck_test src,dst \
-j RETURN
@@ -56,8 +56,8 @@ iptables \
-w \
-A FJ-vnet0 \
-p all \
-m state \
--state ESTABLISHED \
-m conntrack \
--ctstate ESTABLISHED \
-m set \
--match-set tck_test dst,src,dst \
-j RETURN
@@ -65,8 +65,8 @@ iptables \
-w \
-A FP-vnet0 \
-p all \
-m state \
--state NEW,ESTABLISHED \
-m conntrack \
--ctstate NEW,ESTABLISHED \
-m set \
--match-set tck_test src,dst,src \
-j ACCEPT
@@ -74,8 +74,8 @@ iptables \
-w \
-A HJ-vnet0 \
-p all \
-m state \
--state ESTABLISHED \
-m conntrack \
--ctstate ESTABLISHED \
-m set \
--match-set tck_test dst,src,dst \
-j RETURN
@@ -83,8 +83,8 @@ iptables \
-w \
-A FJ-vnet0 \
-p all \
-m state \
--state ESTABLISHED \
-m conntrack \
--ctstate ESTABLISHED \
-m set \
--match-set tck_test dst,src,dst \
-j RETURN
@@ -92,8 +92,8 @@ iptables \
-w \
-A FP-vnet0 \
-p all \
-m state \
--state NEW,ESTABLISHED \
-m conntrack \
--ctstate NEW,ESTABLISHED \
-m set \
--match-set tck_test src,dst,src \
-j ACCEPT
@@ -101,8 +101,8 @@ iptables \
-w \
-A HJ-vnet0 \
-p all \
-m state \
--state ESTABLISHED \
-m conntrack \
--ctstate ESTABLISHED \
-m set \
--match-set tck_test dst,src,dst \
-j RETURN
@@ -110,8 +110,8 @@ iptables \
-w \
-A FJ-vnet0 \
-p all \
-m state \
--state ESTABLISHED \
-m conntrack \
--ctstate ESTABLISHED \
-m set \
--match-set tck_test dst,src \
-j RETURN
@@ -119,8 +119,8 @@ iptables \
-w \
-A FP-vnet0 \
-p all \
-m state \
--state NEW,ESTABLISHED \
-m conntrack \
--ctstate NEW,ESTABLISHED \
-m set \
--match-set tck_test src,dst \
-j ACCEPT
@@ -128,8 +128,8 @@ iptables \
-w \
-A HJ-vnet0 \
-p all \
-m state \
--state ESTABLISHED \
-m conntrack \
--ctstate ESTABLISHED \
-m set \
--match-set tck_test dst,src \
-j RETURN
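
Review bot: please confirm that no `-m state` / `--state` expectation survives anywhere in the 32 changed files, since the commit message says the suite never exercised the new syntax before this change. In this HJ-vnet0 hunk, as in the ones above it, the state list (`ESTABLISHED`), the `--match-set tck_test dst,src` arguments and the `-j RETURN` target are untouched, which is consistent with a mechanical regeneration; a search of the test data for `--state ` before merging would verify that the same holds for the files not shown here.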