| View previous topic :: View next topic |
| Author |
Message |
equaeghe
l33t
Joined: 22 Feb 2005
Posts: 637
|
 Posted: Thu Jul 19, 2018 8:39 pm Post subject: firewalld: problem with nf_conntrack_helper |
 |
|
When I look at the status of firewalld, I get
| Code: | ● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2018-07-19 15:23:50 CEST; 7h ago
Docs: man:firewalld(1)
Main PID: 3908 (firewalld)
CGroup: /system.slice/firewalld.service
└─3908 /usr/bin/python3.5 -Es /usr/lib/python-exec/python3.5/firewalld --nofork --nopid
jul 19 15:23:49 sysoppad systemd[1]: Starting firewalld - dynamic firewall daemon...
jul 19 15:23:50 sysoppad systemd[1]: Started firewalld - dynamic firewall daemon.
jul 19 15:23:51 sysoppad firewalld[3908]: WARNING: ipset not usable, disabling ipset usage in firewall.
jul 19 15:23:51 sysoppad firewalld[3908]: ERROR: Failed to read file "/proc/sys/net/netfilter/nf_conntrack_helper": [Errno 2] No such file or directory: '/proc/sys/net/netfilter/nf_conntrack_helper'
jul 19 15:23:51 sysoppad firewalld[3908]: WARNING: Failed to get and parse nf_conntrack_helper setting
jul 19 15:23:52 sysoppad firewalld[3908]: ERROR: '/sbin/iptables-restore -n' failed: iptables-restore v1.6.1: iptables-restore: unable to initialize table 'raw'
Error occurred at line: 37
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
|
I have some firewall issues that may or may not be related to the errors mentioned. So I want to fix this before investigating other avenues.
I would be grateful if someone could point me in the right direction. Googling didn't bring me any useful leads. |
|
| Back to top |
|
 |
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21635
|
| Posted: Fri Jul 20, 2018 2:00 am Post subject: |
|
|
| This sysctl is defined in net/netfilter/nf_conntrack_helper.c. That file is built as part of the nf_conntrack-y target. I think the nf_conntrack-y target is built by enabling NF_CONNTRACK. Have you enabled NF_CONNTRACK in your kernel configuration? |
|
| Back to top |
|
|
equaeghe
l33t
Joined: 22 Feb 2005
Posts: 637
|
| Posted: Fri Jul 20, 2018 7:20 am Post subject: |
|
|
| Hu wrote: | | This sysctl is defined in net/netfilter/nf_conntrack_helper.c. That file is built as part of the nf_conntrack-y target. I think the nf_conntrack-y target is built by enabling NF_CONNTRACK. Have you enabled NF_CONNTRACK in your kernel configuration? |
Yes, but have I got all the needed modules (I do not know which they are):
Network packet filtering framework (Netfilter)
| Code: | --- Network packet filtering framework (Netfilter)
[*] Advanced netfilter configuration
< > Bridged IP/ARP packets filtering
Core Netfilter Configuration --->
< > IP set support ----
< > IP virtual server support ----
IP: Netfilter Configuration --->
IPv6: Netfilter Configuration --->
< > Ethernet Bridge nf_tables support ----
<M> Ethernet Bridge tables (ebtables) support ---> |
IP: Netfilter Configuration
| Code: | <M> IPv4 connection tracking support (required for NAT)
< > IPv4 socket lookup support
< > IPv4 nf_tables support
< > ARP nf_tables support
< > Netfilter IPv4 packet duplication to alternate destination
< > ARP packet logging
{M} IPv4 packet logging
{M} IPv4 packet rejection
< > IPv4 NAT
<M> IP tables support (required for filtering/masq/NAT)
< > "ah" match support
< > "ecn" match support
< > "rpfilter" reverse path filter match support
< > "ttl" match support
<M> Packet filtering
<M> REJECT target support
< > SYNPROXY target support
< > iptables NAT support
<M> Packet mangling
< > CLUSTERIP target support
< > ECN target support
< > "TTL" target support
< > raw table support (required for NOTRACK/TRACE)
< > ARP tables support |
IPv6: Netfilter Configuration
| Code: | <M> IPv6 connection tracking support
< > IPv6 socket lookup support
< > IPv6 nf_tables support
< > Netfilter IPv6 packet duplication to alternate destination
{M} IPv6 packet rejection
{M} IPv6 packet logging
< > IPv6 NAT
<M> IP6 tables support (required for filtering)
< > "ah" match support
< > "eui64" address check
< > "frag" Fragmentation header match support
< > "hbh" hop-by-hop and "dst" opts header match support
<M> "hl" hoplimit match support
< > "ipv6header" IPv6 Extension Headers Match
< > "mh" match support
<M> "rt" Routing header match support
<M> Packet filtering
<M> REJECT target support
< > SYNPROXY target support
< > Packet mangling
< > raw table support (required for TRACE)
< > ip6tables NAT support |
I'll add raw table and IP set support for starters (but which IP set submodules?), but that seems unrelated to the connection tracking issue I have. |
|
| Back to top |
|
|
bunder
Bodhisattva
Joined: 10 Apr 2004
Posts: 5934
|
| Posted: Fri Jul 20, 2018 11:46 am Post subject: |
|
|
add all of the ipset modules, they're (mostly) all useful. 
_________________
| Neddyseagoon wrote: | | The problem with leaving is that you can only do it once and it reduces your influence. |
banned from #gentoo since sept 2017 |
|
| Back to top |
|
|
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21635
|
| Posted: Sat Jul 21, 2018 5:37 pm Post subject: |
|
|
| Instead of posting menuconfig output, please post the relevant fragment from /proc/config.gz so that we can be sure that the options you quote are the ones actually active on the system. Your menuconfig output seems to say you enabled the symbol I mentioned, but your original error output suggests you did not enable that symbol. |
|
| Back to top |
|
|
equaeghe
l33t
Joined: 22 Feb 2005
Posts: 637
|
| Posted: Sat Jul 21, 2018 8:05 pm Post subject: |
|
|
| Hu wrote: | | Instead of posting menuconfig output, please post the relevant fragment from /proc/config.gz so that we can be sure that the options you quote are the ones actually active on the system. Your menuconfig output seems to say you enabled the symbol I mentioned, but your original error output suggests you did not enable that symbol. |
| Code: | ~ # zgrep CONNTRACK /proc/config.gz
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_CONNTRACK_MARK is not set
# CONFIG_NF_CONNTRACK_PROCFS is not set
# CONFIG_NF_CONNTRACK_EVENTS is not set
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
# CONFIG_NF_CONNTRACK_AMANDA is not set
CONFIG_NF_CONNTRACK_FTP=m
# CONFIG_NF_CONNTRACK_H323 is not set
# CONFIG_NF_CONNTRACK_IRC is not set
CONFIG_NF_CONNTRACK_BROADCAST=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
# CONFIG_NF_CONNTRACK_SNMP is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SANE is not set
# CONFIG_NF_CONNTRACK_SIP is not set
# CONFIG_NF_CONNTRACK_TFTP is not set
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_IPV6=m |
| Code: | # lsmod | grep -i conn
nf_conntrack_ipv6 16384 15
nf_defrag_ipv6 32768 1 nf_conntrack_ipv6
nf_conntrack_ipv4 16384 13
nf_defrag_ipv4 16384 1 nf_conntrack_ipv4
xt_conntrack 16384 28
nf_conntrack 73728 3 xt_conntrack,nf_conntrack_ipv6,nf_conntrack_ipv4
x_tables 32768 13 ebtables,ip6table_filter,xt_conntrack,ip6table_raw,iptable_filter,ip6t_rpfilter,xt_tcpudp,ip6_tables,ipt_REJECT,iptable_raw,ip_tables,ip6t_REJECT,iptable_mangle |
|
|
| Back to top |
|
|
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21635
|
| Posted: Sat Jul 21, 2018 8:54 pm Post subject: |
|
|
Strange. If you have SYSCTL=y and NF_CONNTRACK is enabled, then you should have the pseudo-file nf_conntrack_helper. I do not know why firewalld could not access it.
For your other problem, your saved rules use the raw table, but you no longer build it. Do you need the raw table? If not, you can remove it from your saved rules instead of changing the kernel configuration. |
|
| Back to top |
|
|
|
Networking & Security
