Description of problem: The following mysterious messages obstinately shows up after an upgrade to F18: kernel: [ 81.133083] nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead. What this "CT target" may be is entirely unclear but presumbaly this may have something to do with '--ctstate ...' iptables option which is actually in use. For a reference I attach the whole output from 'iptables-save' as it got configured by a running firewalld. What gives? Version-Release number of selected component (if applicable): kernel-3.7.4-204.fc18.x86_64 firewalld-0.2.12-1.fc18 How reproducible: On every boot Additional info: At least once 3.7.4-204.fc18 oopsed in firewalld process as follows: [ 44.833523] BUG: unable to handle kernel paging request at ffffffff808216e8 [ 44.834005] IP: [<ffffffff8115e834>] remove_vma+0x24/0x70 [ 44.834005] PGD 1c0d067 PUD 1c11063 PMD 0 [ 44.834005] Oops: 0000 [#1] SMP OTOH so far this does not look like a repeatable event so I am not sure if my hardware is not messing up. 3.7.2-204.fc18 was oopsing regularly but somewhere else and these faults vanished after a kernel update.
Created attachment 690705 [details] an output from iptables-save
This message also happens when one uses firewalld to allow ftp. I hope that Fedora will fix firewalld's behavior before the nf_conntrack automatic helper assignment goes away.
This warning came in with the 3.5 kernel from the commit below. It's not really a kernel problem to fix though, so assigning to firewalld for now. commit a9006892643a8f4e885b692de0708bcb35a7d530 Author: Eric Leblond <eric> Date: Wed Apr 18 11:20:41 2012 +0200 netfilter: nf_ct_helper: allow to disable automatic helper assignment
(In reply to Michal Jaegermann from comment #0) > kernel: [ 81.133083] nf_conntrack: automatic helper assignment is > deprecated and it will be removed soon. Use the iptables CT target to attach > helpers instead. So as I understand [1], [2] we have to replace -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT with -t filter -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT and for example in case of ftp we have to add -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp From my experiments it also seems that using this CT target loads the helper module itself so we perhaps won't need to load it on our own. [1] https://home.regit.org/netfilter-en/secure-use-of-helpers/ [2] https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=a9006892643a8f4e885b692de0708bcb35a7d530
(In reply to Jiri Popelka from comment #4) > -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp also -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp
This message is a reminder that Fedora 18 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 18. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '18'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 18's end of life. Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 18 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior to Fedora 18's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Moving to rawhide. For being able to handle the non-automatic helper assignment, the information about the ports handled by the helper internally needs to be stored in some configuration file usable by firewalld to be able to add all the needed CT target rules in the raw table.
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle. Changing version to '23'. (As we did not run this process for some time, it could affect also pre-Fedora 23 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23
This message is a reminder that Fedora 23 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 23. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '23'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 23 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.