Bug 1369489 - Kernel 4.7 and net.netfilter.nf_conntrack_helper = 0 as new default
Summary: Kernel 4.7 and net.netfilter.nf_conntrack_helper = 0 as new default
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 24
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-23 14:27 UTC by Harald Reindl
Modified: 2017-04-28 17:41 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-04-28 17:28:18 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1373689 0 unspecified CLOSED PPTP broken after kernel update 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1375006 0 unspecified CLOSED NM-PPTP VPN Connection Fails 2021-02-22 00:41:40 UTC

Internal Links: 1373689 1375006

Description Harald Reindl 2016-08-23 14:27:50 UTC 
i would call that a regression within a stable release and this default should be changed in the fedora kernel!

looks like iwth kernel 4.7 you need "net.netfilter.nf_conntrack_helper = 1" in sysctl.conf to continue things like PASV FTP or Hylafax (which uses FTP as procotocol) working like before

there are warnings over years now at boot but nobody was able to tell until today how you are supposed to solve "the kernel needs to be aware about the prococol and open the data port for the client IP" - all you find is that the current way is unsecure - well - open the port range for any IP would be much more unsecure as any magic
_______________________________________

in case of a server providing hylafax and ftp services for specific machines (controlled by iptables allow 21/4559 only for them) the config until now looks like:

/etc/sysconfig/iptables-config:
IPTABLES_MODULES="nf_conntrack_ftp"

/etc/modprobe.d/iptables-conntrack.conf:
options nf_conntrack_ftp ports=21,4559
Comment 1 Harald Reindl 2016-08-24 09:49:53 UTC 
that way it works with "net.netfilter.nf_conntrack_helper = 0" and /etc/modprobe.d/iptables-conntrack.conf is obsolete, however - still a regression within a stable fedora release

iptables -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
iptables -A PREROUTING -t raw -p tcp --dport 4559 -j CT --helper ftp
Comment 2 Justin M. Forbes 2017-04-11 15:02:56 UTC 
*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There are a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 24 kernel bugs.

Fedora 25 has now been rebased to 4.10.9-100.fc24.  Please test this kernel update (or newer) and let us know if you issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 26, and are still experiencing this issue, please change the version to Fedora 26.

If you experience different issues, please open a new bug report for those.
Comment 3 Justin M. Forbes 2017-04-28 17:28:18 UTC 
*********** MASS BUG UPDATE **************
This bug is being closed with INSUFFICIENT_DATA as there has not been a response in 2 weeks. If you are still experiencing this issue, please reopen and attach the 
relevant data from the latest kernel you are running and any data that might have been requested previously.
Comment 4 Harald Reindl 2017-04-28 17:41:04 UTC 
WTF did you expect as "data" you can not seriously change such a default within a GA release because you have to expect users with much less clue i have (hence the solution in the bug subject) with from their point of view suddenly broken setups 

Besides that the depreciation warning I face for years now in the syslog was written by a moron since it's not helpful without a proper link
Note You need to log in before you can comment on or make changes to this bug.