Package: arno-iptables-firewall
Version: 2.1.1-6
Severity: normal
Tags: upstream
Control: forwarded -1 https://github.com/arno-iptables-firewall/aif/issues/88

Reason seems to be this change to the kernel:

    linux (5.19.11-1) unstable; urgency=medium
    [...]
        - netfilter: conntrack: NF_CONNTRACK_PROCFS should no longer default to y
    [...]

In https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.19.7 I found

    commit 7d4bfe34b9cbb0395cb9508fa64324d4a1379e00
    Author: Geert Uytterhoeven <ge...@linux-m68k.org>
    Date:   Mon Aug 15 12:39:20 2022 +0200

        netfilter: conntrack: NF_CONNTRACK_PROCFS should no longer default to y

        [ Upstream commit aa5762c34213aba7a72dc58e70601370805fa794 ]

        NF_CONNTRACK_PROCFS was marked obsolete in commit 54b07dca68557b09
        ("netfilter: provide config option to disable ancient procfs parts") in
        v3.3.


Excerpt from the logs of my personal machine:

    [...]
    Okt 30 09:49:12 e580sg systemd[1]: Starting Arno's Iptables Firewall(AIF)...
    Okt 30 09:49:12 e580sg arno-iptables-firewall[2112]: Arno's Iptables Firewall(AIF) v2.1.1
    Okt 30 09:49:12 e580sg arno-iptables-firewall[2112]: -------------------------------------------------------------------------------
    Okt 30 09:49:12 e580sg arno-iptables-firewall[2112]: Platform: Linux 5.19.0-2-amd64 x86_64
    Okt 30 09:49:12 e580sg arno-iptables-firewall[2112]: Netfilter iptables version: 1.8.8
    Okt 30 09:49:12 e580sg firewall[2412]: ** Starting Arno's Iptables Firewall(AIF) v2.1.1 **
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Checking/probing Iptables modules:
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module ip_tables.
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module ip6_tables.
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module nf_conntrack.
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module xt_conntrack.
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module xt_limit.
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module xt_state.
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module xt_multiport.
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module iptable_filter.
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module ip6table_filter.
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module iptable_mangle.
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module ip6table_mangle.
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module iptable_raw.
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module ip6table_raw.
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module ipt_REJECT.
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module ip6t_REJECT.
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module xt_LOG.
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module xt_TCPMSS.
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module iptable_nat.
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module nf_nat.
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module ipt_MASQUERADE.
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Module check done...
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Setting the kernel ring buffer to only log panic messages to the console
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Configuring general kernel parameters:
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  net.netfilter.nf_conntrack_helper = 0
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Setting the max. amount of simultaneous connections to 16384
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:   net.nf_conntrack_max = 16384
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  net.netfilter.nf_conntrack_udp_timeout = 60
    Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  net.netfilter.nf_conntrack_acct = 1
    [...]
    Okt 30 10:02:54 e580sg systemd[1]: Starting Arno's Iptables Firewall(AIF)...
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Arno's Iptables Firewall(AIF) v2.1.1
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: -------------------------------------------------------------------------------
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Platform: Linux 6.0.0-2-amd64 x86_64
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Netfilter iptables version: 1.8.8
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Checking/probing Iptables modules:
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module ip_tables.
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module ip6_tables.
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module nf_conntrack.
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module xt_conntrack.
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module xt_limit.
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module xt_state.
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module xt_multiport.
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module iptable_filter.
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module ip6table_filter.
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module iptable_mangle.
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module ip6table_mangle.
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module iptable_raw.
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module ip6table_raw.
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module ipt_REJECT.
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module ip6t_REJECT.
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module xt_LOG.
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module xt_TCPMSS.
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module iptable_nat.
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module nf_nat.
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module ipt_MASQUERADE.
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Module check done...
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Setting the kernel ring buffer to only log panic messages to the console
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Configuring general kernel parameters:
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Conntrack legacy automatic helper assignment is ENABLED
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Setting the max. amount of simultaneous connections to 16384
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:   net.nf_conntrack_max = 16384
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  net.netfilter.nf_conntrack_udp_timeout = 60
    Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  net.netfilter.nf_conntrack_acct = 1
    [...]

Output of "sysctl -a | grep conntrack":

    net.netfilter.nf_conntrack_acct = 1
    net.netfilter.nf_conntrack_buckets = 262144
    net.netfilter.nf_conntrack_checksum = 1
    net.netfilter.nf_conntrack_count = 52
    net.netfilter.nf_conntrack_dccp_loose = 1
    net.netfilter.nf_conntrack_dccp_timeout_closereq = 64
    net.netfilter.nf_conntrack_dccp_timeout_closing = 64
    net.netfilter.nf_conntrack_dccp_timeout_open = 43200
    net.netfilter.nf_conntrack_dccp_timeout_partopen = 480
    net.netfilter.nf_conntrack_dccp_timeout_request = 240
    net.netfilter.nf_conntrack_dccp_timeout_respond = 480
    net.netfilter.nf_conntrack_dccp_timeout_timewait = 240
    net.netfilter.nf_conntrack_events = 2
    net.netfilter.nf_conntrack_expect_max = 4096
    net.netfilter.nf_conntrack_frag6_high_thresh = 4194304
    net.netfilter.nf_conntrack_frag6_low_thresh = 3145728
    net.netfilter.nf_conntrack_frag6_timeout = 60
    net.netfilter.nf_conntrack_generic_timeout = 600
    net.netfilter.nf_conntrack_gre_timeout = 30
    net.netfilter.nf_conntrack_gre_timeout_stream = 180
    net.netfilter.nf_conntrack_icmp_timeout = 30
    net.netfilter.nf_conntrack_icmpv6_timeout = 30
    net.netfilter.nf_conntrack_log_invalid = 0
    net.netfilter.nf_conntrack_max = 16384
    net.netfilter.nf_conntrack_sctp_timeout_closed = 10
    net.netfilter.nf_conntrack_sctp_timeout_cookie_echoed = 3
    net.netfilter.nf_conntrack_sctp_timeout_cookie_wait = 3
    net.netfilter.nf_conntrack_sctp_timeout_established = 432000
    net.netfilter.nf_conntrack_sctp_timeout_heartbeat_acked = 210
    net.netfilter.nf_conntrack_sctp_timeout_heartbeat_sent = 30
    net.netfilter.nf_conntrack_sctp_timeout_shutdown_ack_sent = 3
    net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd = 0
    net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent = 0
    net.netfilter.nf_conntrack_tcp_be_liberal = 0
    net.netfilter.nf_conntrack_tcp_ignore_invalid_rst = 0
    net.netfilter.nf_conntrack_tcp_loose = 1
    net.netfilter.nf_conntrack_tcp_max_retrans = 3
    net.netfilter.nf_conntrack_tcp_timeout_close = 10
    net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
    net.netfilter.nf_conntrack_tcp_timeout_established = 432000
    net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
    net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
    net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
    net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
    net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
    net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
    net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
    net.netfilter.nf_conntrack_timestamp = 0
    net.netfilter.nf_conntrack_udp_timeout = 60
    net.netfilter.nf_conntrack_udp_timeout_stream = 120
    net.nf_conntrack_max = 16384

At least nf_conntrack_helper is missing.
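A small check for the situation above, added here as an example (not part of the bug report or of AIF itself): it reads the nf_conntrack_helper knob under a sysctl root and reports "absent" separately from "enabled", so a startup script can tell "the kernel no longer exposes the knob" apart from "legacy helper assignment is really on". The root-directory parameter and the constructed sample trees are assumptions for running it offline.

```shell
#!/bin/sh
# Report the state of the legacy conntrack automatic helper sysctl.
# $1 is a hypothetical root parameter (defaults to /proc/sys) so the check
# can be pointed at a constructed tree instead of the live kernel.
conntrack_helper_state() {
  root="${1:-/proc/sys}"
  f="$root/net/netfilter/nf_conntrack_helper"
  if [ ! -r "$f" ]; then
    # Knob not exposed at all, as on the 6.0 kernel in the report:
    # this is NOT the same as "enabled" and should be logged as such.
    echo absent
    return 0
  fi
  case "$(cat "$f")" in
    0) echo disabled ;;   # what AIF sets: net.netfilter.nf_conntrack_helper = 0
    1) echo enabled ;;    # legacy automatic helper assignment still on
    *) echo unknown ;;
  esac
}

# Build a constructed /proc/sys look-alike; an empty VALUE omits the knob
# entirely, mimicking a kernel that no longer provides it.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/net/netfilter"
  if [ -n "$1" ]; then
    printf '%s\n' "$1" > "$d/net/netfilter/nf_conntrack_helper"
  fi
  echo "$d"
}

# Demo on two constructed trees: one like the 5.19 machine after AIF cleared
# the knob, one like the 6.0 machine where the knob is gone.
old=$(make_sample_tree 0)
new=$(make_sample_tree "")
echo "5.19-like tree: $(conntrack_helper_state "$old")"
echo "6.0-like tree:  $(conntrack_helper_state "$new")"
rm -rf "$old" "$new"
```

Run it without arguments against the live kernel with `conntrack_helper_state` to see which of the three states the running system is in.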


-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages arno-iptables-firewall depends on:
ii  debconf [debconf-2.0]  1.5.82
ii  gawk                   1:5.1.0-1
ii  iproute2               6.1.0-1
ii  iptables               1.8.9-2
ii  kmod                   30+20221128-1
ii  procps                 2:4.0.2-3

Versions of packages arno-iptables-firewall recommends:
ii  bind9-dnsutils [dnsutils]  1:9.18.11-2
ii  curl                       7.87.0-2
ii  dnsutils                   1:9.18.11-2
ii  rsyslog                    8.2212.0-1

Versions of packages arno-iptables-firewall suggests:
pn  rpcbind  <none>

-- Configuration Files:
/etc/arno-iptables-firewall/custom-rules changed [not included]

-- debconf information excluded
