Bug 1399775

Summary: FirewallD error INVALID_HELPER: nf_conntrack_tftp not available in kernel
Product: [Fedora] Fedora Reporter: Louis van Dyk <louis>
Component: kernelAssignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 24CC: cz172638, dave.nerd, gansalmon, ichavero, itamar, jonathan, kernel-maint, madhu.chinakonda, mchehab
Target Milestone: ---Flags: jforbes: needinfo?
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-04-28 17:19:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Louis van Dyk 2016-11-29 17:28:42 UTC 
Description of problem:
I run tftp-server via xinetd, but lately firewalld cannot permit inbound traffic to it from the LAN.  When I click "tftp" in the firewalld services, I get the error:  INVALID_HELPER:  nf_conntrack_tftp not available in kernel
If I run a "locate conntrack" I also no longer see a file named nf_conntrack_tftp in the kernel's /usr/include/linux/netfilter folder.

Version-Release number of selected component (if applicable):
kernel-4.8.8-200.fc24.x86_64
firewalld-0.4.4.1-1.fc24.noarch
tftp-server-5.2-18.fc24.x86_64
xinetd-2.3.15-17.fc24.x86_64



How reproducible:
Always

Steps to Reproduce:
1. Run firewall-config
2. Access the Services panel for your network card's zone
3. Select tftp

Actual results:
Popup message with
INVALID_HELPER:  nf_conntrack_tftp not available in kernel

Expected results:
tftp should be permitted through the firewall.

Additional info:
The daemon is running, as I can run the tftp client on the same device and get and put files to the tftp server folder.
Comment 1 Louis van Dyk 2016-11-30 13:34:45 UTC 
It seems it's actually worse than just TFTP ....

When I restarted my laptop today and looked at the logs I got this:

[root@lenovo ~]# service firewalld status
Redirecting to /bin/systemctl status  firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2016-11-30 13:17:50 SAST; 1h 5min ago
     Docs: man:firewalld(1)
 Main PID: 1116 (firewalld)
    Tasks: 3 (limit: 512)
   CGroup: /system.slice/firewalld.service
           └─1116 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid

Nov 30 13:17:30 lenovo.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 30 13:17:50 lenovo.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
Nov 30 13:18:02 lenovo.localdomain firewalld[1116]: WARNING: internal: INVALID_HELPER: 'nf_conntrack_ftp' not available in kernel
Nov 30 13:18:02 lenovo.localdomain firewalld[1116]: WARNING: internal: INVALID_HELPER: 'nf_conntrack_netbios_ns' not available in kernel
Nov 30 13:18:02 lenovo.localdomain firewalld[1116]: WARNING: internal: INVALID_HELPER: 'nf_conntrack_tftp' not available in kernel
Nov 30 13:18:02 lenovo.localdomain firewalld[1116]: WARNING: internal: INVALID_HELPER: 'nf_conntrack_netbios_ns' not available in kernel
Nov 30 13:18:02 lenovo.localdomain firewalld[1116]: WARNING: INVALID_HELPER: 'nf_conntrack_netbios_ns' not available in kernel
Nov 30 13:18:02 lenovo.localdomain firewalld[1116]: WARNING: INVALID_HELPER: 'nf_conntrack_netbios_ns' not available in kernel
Nov 30 13:18:15 lenovo.localdomain firewalld[1116]: WARNING: INVALID_HELPER: 'nf_conntrack_tftp' not available in kernel
Nov 30 13:18:15 lenovo.localdomain firewalld[1116]: WARNING: INVALID_HELPER: 'nf_conntrack_ftp' not available in kernel
Comment 2 Dave M 2017-03-02 09:10:18 UTC 
On Fedora 25 and I still see this error message.  Is there a fix or workaround?  There is no firewalld logging so long as this error message occurs.

Thanks,
Comment 3 Justin M. Forbes 2017-04-11 14:57:01 UTC 
*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There are a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 24 kernel bugs.

Fedora 25 has now been rebased to 4.10.9-100.fc24.  Please test this kernel update (or newer) and let us know if you issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 26, and are still experiencing this issue, please change the version to Fedora 26.

If you experience different issues, please open a new bug report for those.
Comment 4 Justin M. Forbes 2017-04-28 17:19:31 UTC 
*********** MASS BUG UPDATE **************
This bug is being closed with INSUFFICIENT_DATA as there has not been a response in 2 weeks. If you are still experiencing this issue, please reopen and attach the 
relevant data from the latest kernel you are running and any data that might have been requested previously.