nf_conntrack: automatic helper assignment is deprecated

Bug #1556419 reported by dino99
This bug affects 7 people
Affects             Status        Importance  Assigned to        Milestone
iptables (Ubuntu)   Confirmed     Medium      Unassigned
linux (Ubuntu)      Fix Released  Medium      Unassigned
ufw (Ubuntu)        Fix Released  Medium      Jamie Strandboge

Bug Description

This gets logged in journalctl (since recently):

 kernel: nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: linux-image-4.4.0-13-generic 4.4.0-13.29
ProcVersionSignature: Ubuntu 4.4.0-13.29-generic 4.4.5
Uname: Linux 4.4.0-13-generic x86_64
NonfreeKernelModules: nvidia_uvm nvidia_modeset nvidia
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC1: oem 1942 F.... pulseaudio
 /dev/snd/pcmC0D0p: oem 1942 F...m pulseaudio
 /dev/snd/controlC0: oem 1942 F.... pulseaudio
CurrentDesktop: GNOME
Date: Sat Mar 12 14:52:09 2016
HibernationDevice: RESUME=UUID=0a9ca7f0-6eeb-4b21-b70f-670fa600de16
IwConfig:
 eth0 no wireless extensions.

 eth1 no wireless extensions.

 lo no wireless extensions.
Lsusb:
 Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
 Bus 003 Device 002: ID 046d:c062 Logitech, Inc. M-UAS144 [LS1 Laser Mouse]
 Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
 Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
MachineType: ASUSTEK COMPUTER INC P5W DH Deluxe
ProcFB:

ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-13-generic root=UUID=7c755ed6-51cc-4b75-88ac-9c75acf82749 ro
RelatedPackageVersions:
 linux-restricted-modules-4.4.0-13-generic N/A
 linux-backports-modules-4.4.0-13-generic N/A
 linux-firmware 1.156
RfKill:

SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 07/22/2010
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 3002
dmi.board.asset.tag: To Be Filled By O.E.M.
dmi.board.name: P5W DH Deluxe
dmi.board.vendor: ASUSTeK Computer INC.
dmi.board.version: Rev 1.xx
dmi.chassis.asset.tag: Asset-1234567890
dmi.chassis.type: 3
dmi.chassis.vendor: Chassis Manufacture
dmi.chassis.version: Chassis Version
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr3002:bd07/22/2010:svnASUSTEKCOMPUTERINC:pnP5WDHDeluxe:pvrSystemVersion:rvnASUSTeKComputerINC.:rnP5WDHDeluxe:rvrRev1.xx:cvnChassisManufacture:ct3:cvrChassisVersion:
dmi.product.name: P5W DH Deluxe
dmi.product.version: System Version
dmi.sys.vendor: ASUSTEK COMPUTER INC

Brad Figg (brad-figg) wrote : Status changed to Confirmed

This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed
dino99 (9d9) wrote :

https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=a9006892643a8f4e885b692de0708bcb35a7d530
netfilter: nf_ct_helper: allow to disable automatic helper assignment

This patch allows you to disable automatic conntrack helper lookup based on TCP/UDP ports, e.g.:

 echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper

[ Note: flows that already got a helper will keep using it even if automatic helper assignment has been disabled ]

Once this behaviour has been disabled, you have to explicitly use the iptables CT target to attach helper to flows.

There are good reasons to stop supporting automatic helper assignment, for further information, please read:

http://www.netfilter.org/news.html#2012-04-03

This patch also adds one message to inform that automatic helper assignment is deprecated and it will be removed soon (this is spotted only once, with the first flow that gets a helper attached to make it as less annoying as possible).

https://home.regit.org/netfilter-en/secure-use-of-helpers/
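An added example, not part of this bug thread, the kernel patch or ufw, showing the explicit alternative the commit message describes: keep automatic assignment off and attach a helper with the iptables CT target only to the control traffic that needs it, then accept only the RELATED flows that helper expected. It assumes an iptables build with the CT target and the helper match, and it prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example, not from the bug thread or the kernel patch: explicit
# helper attachment with the iptables CT target instead of automatic
# port-based assignment. Rules are printed, not applied (apply as root
# after review). Assumes iptables provides the CT target and helper match.

# Report whether the kernel still assigns helpers automatically.
# $1: sysctl file to read (a parameter so a constructed copy can be used).
helper_assignment_mode() {
    f="${1:-/proc/sys/net/netfilter/nf_conntrack_helper}"
    if [ ! -r "$f" ]; then
        echo "unknown"        # no conntrack sysctl visible here
    elif [ "$(cat "$f")" = "1" ]; then
        echo "automatic"      # legacy lookup the warning complains about
    else
        echo "explicit"       # kernel default since 4.7; CT rules needed
    fi
}

# Print iptables commands for helper $1: attach it in the raw table only to
# $2 traffic on control port $3, then accept only the RELATED data flows
# that this helper expected (the "-m helper" match ties the two together).
ct_helper_rules() {
    helper="$1"; proto="$2"; port="$3"
    printf '%s\n' \
      "iptables -t raw -A PREROUTING -p $proto --dport $port -j CT --helper $helper" \
      "iptables -t raw -A OUTPUT -p $proto --dport $port -j CT --helper $helper" \
      "iptables -A INPUT -m conntrack --ctstate RELATED -m helper --helper $helper -j ACCEPT"
}

main() {
    echo "# current helper assignment mode: $(helper_assignment_mode)"
    echo "sysctl -w net.netfilter.nf_conntrack_helper=0"
    ct_helper_rules ftp tcp 21     # FTP is the classic port-based helper
}

main
```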

dino99 (9d9) wrote :

Kernel build settings & iptables entries:

http://www.odi.ch/weblog/posting.php?posting=663

Joseph Salisbury (jsalisbury) wrote :

Did this issue start happening after an update/upgrade? Was there a prior kernel version where you were not having this particular problem?

Would it be possible for you to test the latest upstream kernel? Refer to https://wiki.ubuntu.com/KernelMainlineBuilds . Please test the latest v4.5 kernel[0].

If this bug is fixed in the mainline kernel, please add the following tag 'kernel-fixed-upstream'.

If the mainline kernel does not fix this bug, please add the tag: 'kernel-bug-exists-upstream'.

Once testing of the upstream kernel is complete, please mark this bug as "Confirmed".

Thanks in advance.

[0] http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.5-wily/

Changed in linux (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Incomplete
Jamie Strandboge (jdstrand) wrote :

FYI, this is not a new issue.

dino99 (9d9) wrote :

Tested the final 4.5 kernel; and the error is not shown:

*******
kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
kernel: nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
ureadahead[281]: ureadahead: Error while tracing: No such file or directory
**********
(note: the "ureadahead" error seems related to the recent "ltrace" changes, as the package has not been rebuilt. But ubuntu-minimal should not pull that oldish package as systemd is now used)

(note2: the post #4 above explains how to compile the kernel to avoid the reported error; looks like the ubuntu kernel does not use these settings for compilation)

tags: added: kernel-fixed-upstream
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
dino99 (9d9) wrote :

Feedback:

I've checked the log again with a 4.5 kernel boot, and the error still exists; so #7 is not fully exact: maybe some race or some other reason.

tags: removed: kernel-fixed-upstream
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in iptables (Ubuntu):
status: New → Confirmed
tags: added: yakkety
Changed in iptables (Ubuntu):
importance: Undecided → High
importance: High → Medium
daniel CURTIS (anoda) wrote :

Hi. The same problem here. Release 16.04.2 LTS, iptables 1.6.0-2ubuntu3 etc. I noticed this one in a dmesg entry:

$ sudo dmesg |grep iptables
[ 1168.282586] nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.

I have one more problem with this release; when iptables is in use (with very simple rules) there is no internet connection. But using the ufw firewall, everything seems to work OK.

Thanks.

spike speigel (frail-knight) wrote :

Hello, I just started seeing this on Ubuntu 17.10.

tags: added: artful
spike speigel (frail-knight) wrote :

nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.

elatllat (elatllat) wrote :

Shows up in dmesg on Ubuntu 18.04 with UFW.

Changed in ufw (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

The linux task can be marked as Fix Released since net/netfilter/nf_conntrack_helper has defaulted to 0 since 4.7.

Changed in ufw (Ubuntu):
status: Triaged → In Progress
Changed in linux (Ubuntu):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Users seeing this issue should modify IPT_MODULES in /etc/defaults/ufw to be empty. Ubuntu 20.04 will do this by default and future releases of ufw will introduce rule syntax for working with helper rules.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.36-6

---------------
ufw (0.36-6) unstable; urgency=medium

  * 0009-empty-non-functioning-ipt-modules.patch: empty out IPT_MODULES and
    update documentation regarding modern use of connection tracking modules.
    ufw historically used IPT_MODULES in /etc/defaults/ufw to
    load various connection tracking modules, but use of this mechanism has
    been deprecated for some time. These days, the kernel defaults to
    deactivating flows for various connection tracking modules so users have
    to perform an extra sysctl step to use this old mechanism anyway, so empty
    IPT_MODULES and better document use of connection tracking modules. A
    future upload will introduce rule syntax for working with connection
    tracking helper rules. (LP: #1556419)
  * 0010-add-other-firewall-checks.patch: adjust the check-requirements
    diagnostic tool to warn about other installed firewall software
  * 0011-suppress-legacy-warnings-in-tests.patch: suppress iptables warnings
    about legacy rules being present in root functional tests

 -- Jamie Strandboge <email address hidden> Thu, 02 Apr 2020 12:05:30 +0000

Changed in ufw (Ubuntu):
status: In Progress → Fix Released