Bug 1369489 - Kernel 4.7 and net.netfilter.nf_conntrack_helper = 0 as new default
Kernel 4.7 and net.netfilter.nf_conntrack_helper = 0 as new default
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
24
All Linux
unspecified Severity medium
: ---
: ---
Assigned To: Kernel Maintainer List
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-08-23 10:27 EDT by Harald Reindl
Modified: 2017-04-28 13:41 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-04-28 13:28:18 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Harald Reindl 2016-08-23 10:27:50 EDT
i would call that a regression within a stable release and this default should be changed in the fedora kernel!

looks like iwth kernel 4.7 you need "net.netfilter.nf_conntrack_helper = 1" in sysctl.conf to continue things like PASV FTP or Hylafax (which uses FTP as procotocol) working like before

there are warnings over years now at boot but nobody was able to tell until today how you are supposed to solve "the kernel needs to be aware about the prococol and open the data port for the client IP" - all you find is that the current way is unsecure - well - open the port range for any IP would be much more unsecure as any magic
_______________________________________

in case of a server providing hylafax and ftp services for specific machines (controlled by iptables allow 21/4559 only for them) the config until now looks like:

/etc/sysconfig/iptables-config:
IPTABLES_MODULES="nf_conntrack_ftp"

/etc/modprobe.d/iptables-conntrack.conf:
options nf_conntrack_ftp ports=21,4559
Comment 1 Harald Reindl 2016-08-24 05:49:53 EDT
that way it works with "net.netfilter.nf_conntrack_helper = 0" and /etc/modprobe.d/iptables-conntrack.conf is obsolete, however - still a regression within a stable fedora release

iptables -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
iptables -A PREROUTING -t raw -p tcp --dport 4559 -j CT --helper ftp
Comment 2 Justin M. Forbes 2017-04-11 11:02:56 EDT
*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There are a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 24 kernel bugs.

Fedora 25 has now been rebased to 4.10.9-100.fc24.  Please test this kernel update (or newer) and let us know if you issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 26, and are still experiencing this issue, please change the version to Fedora 26.

If you experience different issues, please open a new bug report for those.
Comment 3 Justin M. Forbes 2017-04-28 13:28:18 EDT
*********** MASS BUG UPDATE **************
This bug is being closed with INSUFFICIENT_DATA as there has not been a response in 2 weeks. If you are still experiencing this issue, please reopen and attach the 
relevant data from the latest kernel you are running and any data that might have been requested previously.
Comment 4 Harald Reindl 2017-04-28 13:41:04 EDT
WTF did you expect as "data" you can not seriously change such a default within a GA release because you have to expect users with much less clue i have (hence the solution in the bug subject) with from their point of view suddenly broken setups 

Besides that the depreciation warning I face for years now in the syslog was written by a moron since it's not helpful without a proper link

Note You need to log in before you can comment on or make changes to this bug.