
#1 2012-09-04 11:50:44

R00KIE
Forum Moderator
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 3,216

nf_conntrack: automatic helper assignment.... message in dmesg

I have seen the following message in the output of dmesg:

nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.

My searches on Google return only a few matches of dmesg outputs posted to help solve unrelated problems and source files. The only related topic I could find was [1].

I have no idea what triggers this message, since I don't always get it. It seems that I might have to change something in my iptables rules sooner or later, but so far I couldn't find much about this. Does anyone know more about it and can provide some info or pointers?

[1] http://sourceforge.net/mailarchive/foru … wall-users


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline

#2 2012-09-04 13:43:29

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,277

Re: nf_conntrack: automatic helper assignment.... message in dmesg

I also have just seen it recently. It seems to be related to this patch.

Creating a /etc/modprobe.d/nf_conntrack.conf with "options nf_conntrack nf_conntrack_helper=0" seems to make it go away.
After the next boot /proc/sys/net/netfilter/nf_conntrack_helper is 0 then (see here).

But same as you I wonder what other changes are coming up and if anything else has to be done to the rules at some point.

Offline

#3 2012-09-30 10:17:23

R00KIE
Forum Moderator
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 3,216

Re: nf_conntrack: automatic helper assignment.... message in dmesg

It has been a while, but I had a go at this. My objective was to keep ftp(1) and SIP clients working; this is from a client machine perspective. I did create a new .conf file in /etc/modprobe.d/ and confirmed ftp stopped working, so no automatic helper assignment anymore. After that I just needed to add an entry to the netfilter tables with:

iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp

The rule I already had in place to accept related connections picked up the related connection from the ftp helper and things work. It could probably be locked down a bit more, but for now I'm happy with this setup.

SIP clients (tested only with twinkle) seem to work fine without any special rules in the firewall (not even open ports for incoming connections). I was surprised I was able to make and receive calls just fine using the ekiga echo and call back tests.

I'd say most people will not even notice this change and no action will be required to keep things working.

(1) I know ftp should have been taken out back and shot a long time ago, but it is still used in some places and no better alternatives are provided.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline
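
An added example, not part of any post in this thread: a small shell check for the setup described above, listing which conntrack helpers are attached explicitly through the raw table's CT target and which helper modules are loaded but attached nowhere once automatic assignment is off. The function names, the sample data and the list of helper names (assumed to match the nf_conntrack_<name> module suffix) are assumptions made for this example.

```sh
# Added example (not from the thread). Inputs are passed as text so the
# check runs offline; the sample data below is constructed.

# Print "helper proto dport" for each CT --helper rule in iptables-save output.
explicit_helpers() {
    printf '%s\n' "$1" | awk '$1 == "-A" {
        helper = ""; proto = "any"; port = "any"
        for (i = 2; i < NF; i++) {
            if ($i == "--helper") helper = $(i + 1)
            if ($i == "-p")       proto  = $(i + 1)
            if ($i == "--dport")  port   = $(i + 1)
        }
        if (helper != "") print helper, proto, port
    }'
}

# Print helpers whose module is loaded but that no CT rule attaches.
# $1: nf_conntrack_helper value, $2: /proc/modules text, $3: iptables-save -t raw
unattached_helpers() {
    if [ "$1" = "1" ]; then return 0; fi   # automatic assignment still active
    attached=$(explicit_helpers "$3" | awk '{ print $1 }')
    # Helper names assumed to match the nf_conntrack_<name> module suffix.
    for h in ftp sip tftp irc pptp amanda sane; do
        if printf '%s\n' "$2" | grep -q "^nf_conntrack_$h " &&
           ! printf '%s\n' "$attached" | grep -qx "$h"; then
            echo "$h"
        fi
    done
}

# Constructed sample: raw table containing the rule from the post above.
SAMPLE_RAW='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT'
# Constructed sample in /proc/modules layout.
SAMPLE_MODULES='nf_conntrack_ftp 16384 1 - Live 0x0000000000000000
nf_conntrack_sip 32768 0 - Live 0x0000000000000000
nf_conntrack 98304 2 nf_conntrack_ftp,nf_conntrack_sip, Live 0x0000000000000000'

explicit_helpers "$SAMPLE_RAW"                        # ftp tcp 21
unattached_helpers 0 "$SAMPLE_MODULES" "$SAMPLE_RAW"  # sip
```

On a live system, run as root and pass the contents of /proc/sys/net/netfilter/nf_conntrack_helper, /proc/modules and the output of iptables-save -t raw as the three arguments.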
