# Lost CONNTRACK with hardened-sources-4.7.x [SOLVED]

## hanj

Upgrading the kernel this morning to 4.7.10-hardened, I noticed that I was no longer able to FTP to passive FTP servers. I immediately thought it was related to CONNTRACK options in netfilter, but they're all enabled and built into the kernel (no modules). I rolled back to 4.7.6: same thing. When I rolled back to 4.4.8 I was able to FTP again.

```
cat config-4.4.8-hardened-r1 | grep CONN | grep -v \#

CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_IRC=y
CONFIG_NF_CONNTRACK_TFTP=y
CONFIG_NETFILTER_XT_CONNMARK=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
```

```
cat config-4.7.6-hardened | grep CONN | grep -v \#

CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_IRC=y
CONFIG_NF_CONNTRACK_TFTP=y
CONFIG_NETFILTER_XT_CONNMARK=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
```

I'm wondering if it's something to do with the ESTABLISHED/RELATED logic, but I have no other network-related issues. The only thing that appears to be affected is FTP connections. I re-emerged iptables with different versions, just in case.

Any ideas?

Thanks!

hanji

----------

## hanj

I removed the following that were set by default...

```
CONFIG_NETFILTER_XT_NAT is not set
CONFIG_NETFILTER_XT_TARGET_NETMAP is not set
CONFIG_NF_NAT_MASQUERADE_IPV4 is not set
CONFIG_IP_NF_NAT is not set
```

Not sure why that was causing the problem, but I noticed they weren't set in 4.4 and were set in 4.7.

Thanks!

hanji

----------

## hanj

Correction: my 'fix' broke NAT and iptables didn't start, so it only appeared to 'work'. After restoring NAT, I'm back to the same problem.

----------

## cord

Try nftables (why nftables? - read here).

----------

## toralf

*hanj wrote:*

> Upgrading the kernel this morning to 4.7.10-hardened, I noticed that I was no longer able to FTP to passive FTP servers.

Do you have an example link to a public passive FTP server? I run 4.7.10, so I could test from here too.

----------

## hanj

I added some more information on this bug. I tried with 4.8.10 and the problem persists. I saw references to PaX/grsecurity in the changelog for 4.8.10, so I thought we were on to something. I disabled grsecurity, and I'm still experiencing the same issue.

https://bugs.gentoo.org/show_bug.cgi?id=599354

Thanks!

hanji

----------

## hanj

I got it to work. I did add USE=conntrack to iptables. I also added CT target support in the kernel and was working on CT targeting with the ftp helper, but it's working now. My guess is that the USE flag is what I needed. I'll reference some links here just in case others run into this problem. Basically, in 4.7 and up, automatic helpers have been removed.

Original bug:

https://bugs.gentoo.org/show_bug.cgi?id=599354

Helpful site on CT targeting:

https://home.regit.org/netfilter-en/secure-use-of-helpers/

Good information on helpers:

http://shorewall.net/Helpers.html

hanji
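The explicit helper assignment that hanji's links describe, written out as an added example (this is not code from the thread, from Gentoo or from the netfilter project). On kernels from 4.7 on, the `net.netfilter.nf_conntrack_helper` sysctl defaults to 0, so a control connection to port 21 no longer picks up the ftp helper by itself; a `CT --helper ftp` rule in the raw table has to assign it, and the RELATED accept can then be narrowed to flows that helper actually created with `-m helper`. The control port 21, the LAN interface `eth0`, and the function names are assumptions; the kernel needs `CONFIG_NETFILTER_XT_TARGET_CT=y` and `CONFIG_NETFILTER_XT_MATCH_HELPER=y`, and iptables needs CT target support. Loading replaces the raw and filter tables, so merge the rules into your own set rather than running `load` as-is on a production firewall.

```shell
#!/bin/sh
# Added example for this thread; not code from the original posts, from Gentoo
# or from the netfilter project. Explicit conntrack helper assignment for FTP on
# kernels >= 4.7, where automatic helper lookup is off by default
# (net.netfilter.nf_conntrack_helper = 0).
#
# Assumptions (hypothetical, adjust for your box): FTP control port 21, LAN side
# on eth0, CONFIG_NETFILTER_XT_TARGET_CT=y and CONFIG_NETFILTER_XT_MATCH_HELPER=y
# in the kernel, iptables built with CT target support. "load" replaces the raw
# and filter tables.

FTP_PORT="${FTP_PORT:-21}"
LAN_IF="${LAN_IF:-eth0}"

# Print the ruleset in iptables-restore(8) format. Generating text first lets
# you review it (or diff it against iptables-save output) before loading it.
# iptables-restore ignores lines that start with '#'.
ftp_helper_rules() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Attach the ftp helper only to control connections to port ${FTP_PORT}: for
# forwarded LAN traffic (PREROUTING) and for FTP clients on the router itself
# (OUTPUT). No other connection gets a helper.
-A PREROUTING -p tcp --dport ${FTP_PORT} -j CT --helper ftp
-A OUTPUT -p tcp --dport ${FTP_PORT} -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Accept only the RELATED flows the ftp helper created (data connections on
# unprivileged ports) instead of a blanket RELATED accept. Passive data
# connections go LAN -> server through FORWARD; active ones come back from the
# server to a high port.
-A INPUT -p tcp --dport 1024: -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
-A FORWARD -p tcp --dport 1024: -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
-A FORWARD -i ${LAN_IF} -p tcp --dport ${FTP_PORT} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Succeeds when the kernel exposes the helper sysctl and it is 0, which is the
# 4.7+ default this thread ran into: no helper unless a CT rule assigns one.
helper_autoassign_disabled() {
    f=/proc/sys/net/netfilter/nf_conntrack_helper
    [ -r "$f" ] && [ "$(cat "$f")" = "0" ]
}

# Count the CT helper rules in a ruleset read from stdin. Pipe iptables-save
# into it after a reload to confirm the rules are actually in place.
count_ct_helper_rules() {
    grep -c -- '-j CT --helper ftp' || true
}

# Parse-check with iptables-restore --test first, then load for real.
load_ftp_helper_rules() {
    ftp_helper_rules | iptables-restore --test && ftp_helper_rules | iptables-restore
}

case "${1:-}" in
    print) ftp_helper_rules ;;
    load)  load_ftp_helper_rules ;;
esac
```

`sh ftp-helper.sh print` shows the rules; `iptables-save | count_ct_helper_rules` should report 2 after loading. Setting `net.netfilter.nf_conntrack_helper=1` would bring the pre-4.7 automatic assignment back without any CT rule, but that is the behaviour the regit.org page argues against: any connection to port 21 on any host would then get the helper, and a blanket RELATED accept would open whatever the helper was talked into expecting. The filter section here is a deliberately minimal skeleton around the FTP rules, not a complete firewall.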

----------

