net: use newer iptables syntax

iptables-1.4.18 removed the long deprecated "state" match.
Use "conntrack" instead in forwarding rules.
Fixes openSUSE bug https://bugzilla.novell.com/811251 #811251.

diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 8cfafc0f173bac07aa207a3e024b1aa826dfdab0..19d61610c8c49d6d2d0d3ed62709d15d6f17354d 100644 (file)
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -480,8 +480,8 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
                                     "--destination", networkstr,
                                     "--in-interface", physdev,
                                     "--out-interface", iface,
-                                    "--match", "state",
-                                    "--state", "ESTABLISHED,RELATED",
+                                    "--match", "conntrack",
+                                    "--ctstate", "ESTABLISHED,RELATED",
                                     "--jump", "ACCEPT",
                                     NULL);
     } else {
@@ -490,8 +490,8 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
                                     action,
                                     "--destination", networkstr,
                                     "--out-interface", iface,
-                                    "--match", "state",
-                                    "--state", "ESTABLISHED,RELATED",
+                                    "--match", "conntrack",
+                                    "--ctstate", "ESTABLISHED,RELATED",
                                     "--jump", "ACCEPT",
                                     NULL);
     }