FizzyWidget Veteran
Joined: 21 Nov 2008 Posts: 1133 Location: 127.0.0.1
|
Posted: Tue Dec 18, 2012 9:45 am Post subject: nf_conntrack: automatic helper assignment is deprecated |
|
|
Quote: | nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead. |
Is the message I am seeing, and seeing as I know little to nothing about iptables, and Google isn't being of much use, I was wondering if someone here might know what this means and how I can correct it.
_________________
I know 43 ways to kill with a SKITTLE, so taste my rainbow bitch.
hydrapolic Tux's lil' helper
Joined: 07 Feb 2008 Posts: 126
|
Posted: Tue Dec 18, 2012 3:36 pm Post subject: |
|
|
I think this has something to do with state module being obsoleted by conntrack.
conntrack:
This module, when combined with connection tracking, allows access to the connection tracking state for this packet/connection.
state:
The "state" module is an obsolete version of "conntrack". "state" allows access to the connection tracking state for this packet.
Since CONFIG_NETFILTER_XT_MATCH_STATE is by default included in the kernel, this can trigger the warning you are seeing. If you use iptables, enable the conntrack module and rewrite your rules and/or remove the state module from iptables. |
bxm n00b
Joined: 23 May 2013 Posts: 1
|
Posted: Thu May 23, 2013 5:58 pm Post subject: |
|
|
I'm also receiving the same message.
According to https://home.regit.org/netfilter-en/secure-use-of-helpers/, the helper is a security risk and can be disabled in /proc (kernels > 3.5) by executing:
echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper
(or by appending to /etc/sysctl.conf: net.netfilter.nf_conntrack_helper = 0)
If nf_conntrack is configured as a module, it can be loaded with the helper disabled:
modprobe nf_conntrack nf_conntrack_helper=0
Otherwise, if the module is built into the kernel, according to http://wiki.soekris.info/Gentoo_3.6.6, it can be disabled in grub by appending to the kernel options:
nf_conntrack.nf_conntrack_helper=0
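
The kernel message quoted at the top of the thread asks for helpers to be attached with the iptables CT target. The following is an added example, not part of any post above, that prints a dry-run plan for doing that before automatic assignment is switched off. It assumes FTP on tcp/21 is the only helper in use and that related traffic is accepted in the INPUT chain; the function names and the SYSCTL_FILE variable are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: dry-run plan for replacing automatic
# conntrack helper assignment with explicit CT-target rules.
# Assumptions: FTP on tcp/21 is the only helper in use; rules are printed,
# never executed; SYSCTL_FILE can be overridden for testing.
SYSCTL_FILE="${SYSCTL_FILE:-/proc/sys/net/netfilter/nf_conntrack_helper}"

# Print enabled / disabled / unknown for automatic helper assignment.
auto_helper_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$(cat "$1")" in
        0) echo disabled ;;
        1) echo enabled ;;
        *) echo unknown ;;
    esac
}

# Print the raw-table rule that attaches one helper to one proto/port.
# The CT target is only valid in the raw table (PREROUTING and OUTPUT).
ct_helper_rule() {
    chain=$1; helper=$2; proto=$3; port=$4
    case "$chain" in PREROUTING|OUTPUT) ;; *) echo "bad chain: $chain" >&2; return 1 ;; esac
    case "$proto" in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    printf 'iptables -t raw -A %s -p %s --dport %s -j CT --helper %s\n' \
        "$chain" "$proto" "$port" "$helper"
}

# Print the steps in order: attach the helper explicitly first, then switch
# off automatic assignment, so FTP data connections are never left unhandled.
plan() {
    state=$(auto_helper_state "$SYSCTL_FILE")
    echo "# automatic helper assignment is currently: $state"
    echo "modprobe nf_conntrack_ftp"
    ct_helper_rule PREROUTING ftp tcp 21   # FTP control traffic arriving at this host
    ct_helper_rule OUTPUT ftp tcp 21       # FTP clients running on this host
    # Accept only RELATED traffic that the ftp helper itself expected
    # (the INPUT chain is an assumption about the local ruleset).
    echo "iptables -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT"
    if [ "$state" != disabled ]; then
        echo "sysctl -w net.netfilter.nf_conntrack_helper=0"
    fi
}

plan
```

The script only prints commands; review the output against the existing ruleset before running any of it as root.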