Bug 232838
| Field | Value |
|---|---|
| Summary | iptstate doesn't work on kernel 2.6.20-1.2925.fc6 |
| Product | [Fedora] Fedora |
| Component | iptstate |
| Version | 6 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED CURRENTRELEASE |
| Severity | urgent |
| Priority | medium |
| Reporter | Eric Hopper <eric-bugs> |
| Assignee | Thomas Woerner <twoerner> |
| CC | thoger, wtogami, zing |
| Fixed In Version | iptstate-2.2.1-1.fc7 |
| Doc Type | Bug Fix |
| Last Closed | 2008-01-08 13:36:25 UTC |
| Bug Depends On | 210324 |
Description
Eric Hopper
2007-03-18 17:42:52 UTC
It's urgent for this package anyway, as it won't work at all with newer kernels until it's fixed.

Version 2.2.0 was just released today. It fixes this problem (and several others) completely, though it still doesn't show IPv6 states. It likely will in a future version though.

Latest versions of iptstate seem to prefer using libnetfilter_conntrack to direct access to /proc files. However:
- libnetfilter_conntrack is in Extras
- iptstate requires libnetfilter_conntrack version 0.0.50 or later (FC6 extras contain 0.0.31)

libnetfilter_conntrack was updated to 0.0.50 in FC6 extras. Thanks to Paul P. Komkoff Jr.

You mentioned this, but it seems to me that it bears more explicit mention... libnetfilter_conntrack needs to be moved into core, or iptstate needs to move into extras. The situation where iptstate is in Core and a library it depends on is in Extras isn't OK.

Core vs. Extras should no longer be an issue for FC7. For FC6 and older, it may be possible to compile iptstate with deprecated "backwards compatability proc mode", but it won't solve ip_conntrack vs. nf_conntrack issue, as file path is hardcoded (#define-d) in source.

Created attachment 150674
Compatibility mode extension
Attached patch extends iptstate compatibility mode in following ways:
- adds simple runtime detection of ip_conntrack vs. nf_conntrack
- fixes parsing of nf_conntrack file
Works for me, testers are welcome of course ;).
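
The two items in the patch description above (runtime detection of the proc file, and parsing of the nf_conntrack layout) can be sketched as follows. This is an added example, not the attached patch and not iptstate's code; `ct_pick_path`, `ct_parse_line` and `struct ct_entry` are hypothetical names, and it assumes the usual layouts in which nf_conntrack lines carry an extra leading L3 protocol name and number before the fields that ip_conntrack lines start with.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ct_entry {                 /* original-direction tuple of one entry */
    char proto[16], state[32], src[64], dst[64];
    int sport, dport;             /* -1 when the protocol has no ports */
};

/* Runtime detection: prefer nf_conntrack, fall back to legacy ip_conntrack. */
const char *ct_pick_path(const char *nf, const char *ip) {
    const char *cand[2] = { nf, ip };
    for (int i = 0; i < 2; i++) {
        FILE *f = fopen(cand[i], "r");
        if (f) { fclose(f); return cand[i]; }
    }
    return NULL;
}
static void put(char *d, size_t n, const char *s) { snprintf(d, n, "%s", s); }

/* Parse one line of either file; nf_conntrack adds an "ipv4 2" style prefix.
 * Returns 0 on success, -1 if no protocol/src/dst was found. */
int ct_parse_line(const char *line, struct ct_entry *e) {
    char tok[128], *eq;
    int n, idx = 0, pos = 0;
    memset(e, 0, sizeof *e);
    e->sport = e->dport = -1;
    for (; sscanf(line, "%127s%n", tok, &n) == 1; line += n) {
        if (pos++ == 0 && (!strcmp(tok, "ipv4") || !strcmp(tok, "ipv6"))) idx = -2;
        if (idx < 0) { idx++; continue; }      /* skip nf_conntrack prefix */
        eq = strchr(tok, '=');
        if (idx == 0) put(e->proto, sizeof e->proto, tok);
        else if (idx >= 3 && !eq && tok[0] != '[' && !e->src[0])
            put(e->state, sizeof e->state, tok);   /* absent for e.g. udp */
        else if (eq) {
            *eq++ = '\0';                      /* keep only the first tuple */
            if (!strcmp(tok, "src") && !e->src[0]) put(e->src, sizeof e->src, eq);
            else if (!strcmp(tok, "dst") && !e->dst[0]) put(e->dst, sizeof e->dst, eq);
            else if (!strcmp(tok, "sport") && e->sport < 0) e->sport = atoi(eq);
            else if (!strcmp(tok, "dport") && e->dport < 0) e->dport = atoi(eq);
        }
        idx++;
    }
    return (e->proto[0] && e->src[0] && e->dst[0]) ? 0 : -1;
}

int main(void) {
    const char *p = ct_pick_path("/proc/net/nf_conntrack", "/proc/net/ip_conntrack");
    printf("conntrack source: %s\n", p ? p : "(none readable)");
}
```

Both proc files are normally readable only by root, so an unprivileged run reports that neither is readable.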

Core+Extras have merged for F7, so F7 will get iptables-2.2.x as an update shortly after release. iptables 2.1 has been built for FC6 - you can get test packages here: http://koji.fedoraproject.org/koji/buildinfo?buildID=1364 Please give those a try and see if they fix your problem.

wwoods and I talked on IRC after this message. We have subsequently decided that iptstate can be updated prior to F7, but you need to get working build done within the next 12 hours or so.

New version for FC6 seems to work with latest kernels, but it does *not* provide solution to the original problem. That problem was resolved by newer kernels, which again provide /proc/net/ip_conntrack file besides /proc/net/nf_conntrack. As a result, on latest FC6 kernels (tested with 2.6.20-1.2948.fc6), both old (iptstate-1.4-1.1.2.2) and new (iptstate-2.1-1) versions of iptstate work. On kernels with nf_conntrack only (e.g. kernel-2.6.20-1.2933.fc6), both versions fail. If ip_conntrack is back to stay, I guess there's no urgent need to push new iptstate to FC6. And if ip_conntrack is going to disappear again soon, new version will not help.

iptstate works on Fedora 7 and older releases are not supported anymore, therefore I close this bug.