nf_conntrack warnings in log
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| ufw |
In Progress
|
High
|
Jamie Strandboge | ||
Bug Description
With Ubuntu 18.04 (unlike 16.04) a default setting for nf_conntrack_helper has changed:
$ cat /proc/sys/
0
(in Ubuntu 16.04: 1)
This means that when using ufw I start seeing frequent messages like this in syslog:
kernel:[ 2796.374300] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
I believe (but can't prove) that these are caused by iptables rules set by ufw - checking with 'iptables -nL' shows there are several in ufw chains involving 'ctstate' (and no rules in other chains that have this). A workaround is to restore the previous setting of /proc/sys/
ufw version: 0.35
Ubuntu 18.04
| Jamie Strandboge (jdstrand) wrote | #1 |
| Changed in ufw: | |
| status: | New → Triaged |
| status: | Triaged → In Progress |
| importance: | Undecided → High |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Jim MacKenzie (jim-photojim) wrote | #2 |
| Jamie Strandboge (jdstrand) wrote | #3 |
This is known when you have IPT_MODULES set in /etc/default/ufw, which is the default in Ubuntu. You can get rid of the messages by using this in /etc/default/ufw:
IPT_MODULES=
I'm working on a new ufw update that will do this by default and add additional functionality to properly use netfilter helpers rather than the deprecated method currently used by ufw. Note, by unsetting IPT_MODULES, you may break connection tracking when using protocols that require them.