nf_conntrack warnings in log

Bug #1782969 reported by Dominic Raferd on 2018-07-22
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Jamie Strandboge

Bug Description

With Ubuntu 18.04 (unlike 16.04) a default setting for nf_conntrack_helper has changed:
$ cat /proc/sys/net/netfilter/nf_conntrack_helper
(in Ubuntu 16.04: 1)

This means that when using ufw I start seeing frequent messages like this in syslog:

kernel:[ 2796.374300] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.

I believe (but can't prove) that these are caused by iptables rules set by ufw - checking with 'iptables -nL' shows there are several in ufw chains involving 'ctstate' (and no rules in other chains that have this). A workaround is to restore the previous setting of /proc/sys/net/netfilter/nf_conntrack_helper but this is apparently insecure? (see https://www.raspberrypi.org/forums/viewtopic.php?t=195736). Anyway it looks to me like a ufw bug...

ufw version: 0.35
Ubuntu 18.04

Jamie Strandboge (jdstrand) wrote :

This is known when you have IPT_MODULES set in /etc/default/ufw, which is the default in Ubuntu. You can get rid of the messages by using this in /etc/default/ufw:


I'm working on a new ufw update that will do this by default and add additional functionality to properly use netfilter helpers rather than the deprecated method currently used by ufw. Note, by unsetting IPT_MODULES, you may break connection tracking when using protocols that require them.

Changed in ufw:
status: New → Triaged
status: Triaged → In Progress
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers