Description of problem:
This program no longer displays any information at all.

Version-Release number of selected component (if applicable):
iptstate-1.4-1.1.2.2

How reproducible:
Every time

Steps to Reproduce:
1. Try to use it while having connection tracking loaded

Actual results:
Nothing shows up

Expected results:
A list of the tracked connections

Additional info:
This program is going for /proc/net/ip_conntrack and in kernel 2.6.20-1.2925.fc6 (and possibly earlier) this file does not exist. Instead the file /proc/net/nf_conntrack is used. Also, in kernel 2.6.20-1.2925.fc6 /proc/net/nf_conntrack may contain IPv6 information, and I do not know if iptstate yet has the code to handle this at all, much less display the IPv6 information.

It's urgent for this package anyway, as it won't work at all with newer kernels until it's fixed.
Version 2.2.0 was just released today. It fixes this problem (and several others) completely, though it still doesn't show IPv6 states. It likely will in a future version though.
Latest versions of iptstate seem to prefer using libnetfilter_conntrack to direct access to /proc files. However:
- libnetfilter_conntrack is in Extras
- iptstate requires libnetfilter_conntrack version 0.0.50 or later (FC6 extras contain 0.0.31)
libnetfilter_conntrack was updated to 0.0.50 in FC6 extras. Thanks to Paul P. Komkoff Jr.
You mentioned this, but it seems to me that it bears more explicit mention... libnetfilter_conntrack needs to be moved into core, or iptstate needs to move into extras. The situation where iptstate is in Core and a library it depends on is in Extras isn't OK.
Core vs. Extras should no longer be an issue for FC7. For FC6 and older, it may be possible to compile iptstate with the deprecated "backwards compatability proc mode", but it won't solve the ip_conntrack vs. nf_conntrack issue, as the file path is hardcoded (#define-d) in the source.
Created attachment 150674
Compatibility mode extension

Attached patch extends iptstate compatibility mode in following ways:
- adds simple runtime detection of ip_conntrack vs. nf_conntrack
- fixes parsing of nf_conntrack file

Works for me, testers are welcome of course ;).
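
The two changes listed in the comment above (runtime detection of the proc file and parsing of the nf_conntrack layout), as an added Python sketch that is not the attached patch or iptstate's own code. The function names and sample lines are constructed for illustration, and the leading layer-3 name and number on nf_conntrack lines are stated from the kernel's output format rather than from this report.

```python
import os

# Both paths are the ones named in this bug report; newest layout first.
CANDIDATES = ("/proc/net/nf_conntrack", "/proc/net/ip_conntrack")
L3_NAMES = {"ipv4", "ipv6"}

def pick_conntrack_file(exists=os.path.exists):
    """Runtime detection: return the first conntrack file present, else None."""
    for path in CANDIDATES:
        if exists(path):
            return path
    return None

def parse_line(line):
    """Parse one line of either layout; returns None for a malformed line."""
    tok = line.split()
    l3 = "ipv4"                          # ip_conntrack only ever held IPv4
    if tok and tok[0] in L3_NAMES:       # nf_conntrack: "<l3name> <l3num>" prefix
        l3, tok = tok[0], tok[2:]
    if len(tok) < 4 or not tok[2].isdigit():
        return None
    entry = {"l3": l3, "proto": tok[0], "ttl": int(tok[2]), "state": None}
    rest = tok[3:]
    if "=" not in rest[0] and not rest[0].startswith("["):
        entry["state"] = rest[0]         # TCP has a state token, UDP does not
    for t in rest:
        key, sep, val = t.partition("=")
        # First occurrence wins: that is the original tuple, not the reply.
        if sep and key in ("src", "dst", "sport", "dport") and key not in entry:
            entry[key] = val
    return entry

def parse(text):
    """Parse a whole file body, skipping blank and malformed lines."""
    return [e for e in map(parse_line, text.splitlines()) if e]

# Constructed sample lines (documentation addresses), one per layout.
OLD = ("udp      17 25 src=192.0.2.10 dst=192.0.2.53 sport=40000 dport=53 "
       "[UNREPLIED] src=192.0.2.53 dst=192.0.2.10 sport=53 dport=40000 use=1")
NEW = ("ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 "
       "dst=198.51.100.5 sport=51234 dport=22 src=198.51.100.5 "
       "dst=192.0.2.10 sport=22 dport=51234 [ASSURED] mark=0 use=1")
NEW6 = ("ipv6     10 tcp      6 100 SYN_SENT src=2001:db8::1 dst=2001:db8::2 "
        "sport=50000 dport=443 [UNREPLIED] src=2001:db8::2 dst=2001:db8::1 "
        "sport=443 dport=50000 mark=0 use=1")

if __name__ == "__main__":
    print(pick_conntrack_file())
    for e in parse("\n".join((OLD, NEW, NEW6))):
        print(e)
```
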
Core+Extras have merged for F7, so F7 will get iptables-2.2.x as an update shortly after release. iptables 2.1 has been built for FC6 - you can get test packages here: http://koji.fedoraproject.org/koji/buildinfo?buildID=1364 Please give those a try and see if they fix your problem.
wwoods and I talked on IRC after this message. We have subsequently decided that iptstate can be updated prior to F7, but you need to get a working build done within the next 12 hours or so.
The new version for FC6 seems to work with the latest kernels, but it does *not* provide a solution to the original problem. That problem was resolved by newer kernels, which again provide the /proc/net/ip_conntrack file besides /proc/net/nf_conntrack. As a result, on the latest FC6 kernels (tested with 2.6.20-1.2948.fc6), both the old (iptstate-1.4-1.1.2.2) and new (iptstate-2.1-1) versions of iptstate work. On kernels with nf_conntrack only (e.g. kernel-2.6.20-1.2933.fc6), both versions fail. If ip_conntrack is back to stay, I guess there's no urgent need to push the new iptstate to FC6. And if ip_conntrack is going to disappear again soon, the new version will not help.
iptstate works on Fedora 7 and older releases are not supported anymore, therefore I close this bug.