
#5478 Webmin 1.973 ipv4 firewall rule incorrectly defined when upgrading

1.973
closed-fixed
nobody
None
5
2021-04-17
2021-04-15
Aria Bamdad
No

Hi,
When upgrading a SUSE SLES 12 system with Webmin 1.850 to a SUSE SLES 15 system with Webmin 1.973 and carrying over existing Webmin iptables ipv4 firewall rules that were initially defined by Webmin 1.850 as:

Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT

When the firewall GUI is looked at in Webmin 1.973, these two rules show up as 'Always' under the condition column, and when you try to apply this configuration, you receive the error message:

iptables-restore v1.8.3 (legacy): unknown option "--state"
Error occurred at line: 27

This is apparently caused because we now should use -m conntrack and --ctstate ESTABLISHED instead. However, if you edit the existing broken rules and correctly set the connection state back to existing (or related) and then save the same rule, the resulting rule that is added looks like this:

-A INPUT -m conntrack --state ESTABLISHED --ctstate ESTABLISHED -j ACCEPT

which is still wrong because of the extra --state ESTABLISHED. The correct rule should be:

-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

Thanks,
Aria
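
As an added example (not part of the original report and not Webmin's own code), the following filter rewrites the two rule forms quoted above into the form the reporter gives as correct, and counts any `--state` options left over so a migrated rules file can be checked before it is applied. The function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: normalise carried-over "state" matches in an iptables-save
# style rules file. Function names and sample data are hypothetical.

# Read rules on stdin, write corrected rules on stdout.
fix_state_rules() {
    # 1st expression: drop the stray "--state X" left in front of "--ctstate X"
    #                 (the form produced after re-saving the rule in 1.973).
    # 2nd expression: convert the rule as written by 1.850 to conntrack syntax.
    sed -E \
        -e 's/-m conntrack --state [A-Z,]+ --ctstate ([A-Z,]+)/-m conntrack --ctstate \1/' \
        -e 's/-m state --state ([A-Z,]+)/-m conntrack --ctstate \1/'
}

# Count lines on stdin that still carry a bare "--state" option.
# "--ctstate" is not counted because the pattern requires "--state" to
# start an option word.
count_legacy_state() {
    grep -c -E -e '(^| )--state ' || true
}

# Constructed sample: the two 1.850 rules, the doubled rule from the
# report, and one unrelated rule that must pass through unchanged.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -m conntrack --state ESTABLISHED --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

echo "legacy --state lines before: $(printf '%s\n' "$SAMPLE_RULES" | count_legacy_state)"
printf '%s\n' "$SAMPLE_RULES" | fix_state_rules
echo "legacy --state lines after:  $(printf '%s\n' "$SAMPLE_RULES" | fix_state_rules | count_legacy_state)"
```

Running the rewritten file through `iptables-restore --test` parses it without committing the rules, which confirms the result loads before it replaces the live configuration.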

Discussion

  • Jamie Cameron

    Jamie Cameron - 2021-04-17
    • status: open --> closed-fixed
     
  • Jamie Cameron

    Jamie Cameron - 2021-04-17

    Thanks for pointing this out - we'll fix this error in the next release.

     
