Bug 906156 - kernel is producing "nf_conntrack: automatic helper assignment is deprecated" messages
Summary: kernel is producing "nf_conntrack: automatic helper assignment is deprecated"...
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: 23
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-01-31 02:18 UTC by Michal Jaegermann
Modified: 2016-12-20 12:33 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-20 12:33:46 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
an output from iptables-save (6.14 KB, text/plain)
2013-01-31 02:20 UTC, Michal Jaegermann
no flags Details

Description Michal Jaegermann 2013-01-31 02:18:43 UTC
Description of problem:

The following mysterious messages obstinately shows up after an upgrade to F18:

kernel: [   81.133083] nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.

What this "CT target" may be is entirely unclear but presumbaly this may have something to do with '--ctstate ...' iptables option which is actually in use. For a reference I attach the whole output from 'iptables-save' as it got configured by a running firewalld.  What gives?

Version-Release number of selected component (if applicable):
kernel-3.7.4-204.fc18.x86_64
firewalld-0.2.12-1.fc18

How reproducible:
On every boot

Additional info:
At least once 3.7.4-204.fc18 oopsed in firewalld process as follows:

[   44.833523] BUG: unable to handle kernel paging request at ffffffff808216e8
[   44.834005] IP: [<ffffffff8115e834>] remove_vma+0x24/0x70
[   44.834005] PGD 1c0d067 PUD 1c11063 PMD 0 
[   44.834005] Oops: 0000 [#1] SMP 

OTOH so far this does not look like a repeatable event so I am not sure if my hardware is not messing up. 3.7.2-204.fc18 was oopsing regularly but somewhere else and these faults vanished after a kernel update.

Comment 1 Michal Jaegermann 2013-01-31 02:20:22 UTC
Created attachment 690705 [details]
an output from iptables-save

Comment 2 Jonathan Abbey 2013-03-21 21:13:09 UTC
This message also happens when one uses firewalld to allow ftp.

I hope that Fedora will fix firewalld's behavior before the nf_conntrack automatic helper assignment goes away.

Comment 3 Josh Boyer 2013-04-03 17:27:11 UTC
This warning came in with the 3.5 kernel from the commit below.  It's not really a kernel problem to fix though, so assigning to firewalld for now.

commit a9006892643a8f4e885b692de0708bcb35a7d530
Author: Eric Leblond <eric>
Date:   Wed Apr 18 11:20:41 2012 +0200

    netfilter: nf_ct_helper: allow to disable automatic helper assignment

Comment 4 Jiri Popelka 2013-06-18 16:52:24 UTC
(In reply to Michal Jaegermann from comment #0)
> kernel: [   81.133083] nf_conntrack: automatic helper assignment is
> deprecated and it will be removed soon. Use the iptables CT target to attach
> helpers instead.

So as I understand [1], [2] we have to replace
-t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
with
-t filter -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

and for example in case of ftp we have to add
-t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

From my experiments it also seems that using this CT target loads the helper module itself so we perhaps won't need to load it on our own.

[1] https://home.regit.org/netfilter-en/secure-use-of-helpers/
[2] https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=a9006892643a8f4e885b692de0708bcb35a7d530

Comment 5 Jiri Popelka 2013-06-18 16:54:20 UTC
(In reply to Jiri Popelka from comment #4)
> -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

also
-t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp

Comment 6 Fedora End Of Life 2013-12-21 11:01:17 UTC
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 7 Thomas Woerner 2014-01-03 13:06:37 UTC
Moving to rawhide.

For being able to handle the non-automatic helper assignment, the information about the ports handled by the helper internally needs to be stored in some configuration file usable by firewalld to be able to add all the needed CT target rules in the raw table.

Comment 8 Jan Kurik 2015-07-15 14:52:23 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

Comment 9 Fedora End Of Life 2016-11-24 10:54:52 UTC
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 10 Fedora End Of Life 2016-12-20 12:33:46 UTC
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.


Note You need to log in before you can comment on or make changes to this bug.