# firewalld: problem with nf_conntrack_helper

## equaeghe

When I look at the status of firewalld, I get

```
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2018-07-19 15:23:50 CEST; 7h ago
     Docs: man:firewalld(1)
 Main PID: 3908 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─3908 /usr/bin/python3.5 -Es /usr/lib/python-exec/python3.5/firewalld --nofork --nopid

jul 19 15:23:49 sysoppad systemd[1]: Starting firewalld - dynamic firewall daemon...
jul 19 15:23:50 sysoppad systemd[1]: Started firewalld - dynamic firewall daemon.
jul 19 15:23:51 sysoppad firewalld[3908]: WARNING: ipset not usable, disabling ipset usage in firewall.
jul 19 15:23:51 sysoppad firewalld[3908]: ERROR: Failed to read file "/proc/sys/net/netfilter/nf_conntrack_helper": [Errno 2] No such file or directory: '/proc/sys/net/netfilter/nf_conntrack_helper'
jul 19 15:23:51 sysoppad firewalld[3908]: WARNING: Failed to get and parse nf_conntrack_helper setting
jul 19 15:23:52 sysoppad firewalld[3908]: ERROR: '/sbin/iptables-restore -n' failed: iptables-restore v1.6.1: iptables-restore: unable to initialize table 'raw'
                                          Error occurred at line: 37
                                          Try `iptables-restore -h' or 'iptables-restore --help' for more information.
```

I have some firewall issues that may or may not be related to the errors mentioned. So I want to fix this before investigating other avenues.

I would be grateful if someone could point me in the right direction. Googling didn't bring me any useful leads.

----------

## Hu

This sysctl is defined in net/netfilter/nf_conntrack_helper.c.  That file is built as part of the nf_conntrack-y target.  I think the nf_conntrack-y target is built by enabling NF_CONNTRACK.  Have you enabled NF_CONNTRACK in your kernel configuration?

----------

## equaeghe

*Hu wrote:*

> This sysctl is defined in net/netfilter/nf_conntrack_helper.c.  That file is built as part of the nf_conntrack-y target.  I think the nf_conntrack-y target is built by enabling NF_CONNTRACK.  Have you enabled NF_CONNTRACK in your kernel configuration?

Yes, but have I got all the needed modules (I do not know which they are):

Network packet filtering framework (Netfilter)

```
--- Network packet filtering framework (Netfilter)
[*]   Advanced netfilter configuration
< >     Bridged IP/ARP packets filtering
      Core Netfilter Configuration  --->
< >   IP set support  ----
< >   IP virtual server support  ----
      IP: Netfilter Configuration  --->
      IPv6: Netfilter Configuration  --->
< >   Ethernet Bridge nf_tables support  ----
<M>   Ethernet Bridge tables (ebtables) support  --->
```

IP: Netfilter Configuration

```
<M> IPv4 connection tracking support (required for NAT)
< > IPv4 socket lookup support
< > IPv4 nf_tables support
< > ARP nf_tables support
< > Netfilter IPv4 packet duplication to alternate destination
< > ARP packet logging
{M} IPv4 packet logging
{M} IPv4 packet rejection
< > IPv4 NAT
<M> IP tables support (required for filtering/masq/NAT)
< >   "ah" match support
< >   "ecn" match support
< >   "rpfilter" reverse path filter match support
< >   "ttl" match support
<M>   Packet filtering
<M>     REJECT target support
< >   SYNPROXY target support
< >   iptables NAT support
<M>   Packet mangling
< >     CLUSTERIP target support
< >     ECN target support
< >     "TTL" target support
< >   raw table support (required for NOTRACK/TRACE)
< > ARP tables support
```

IPv6: Netfilter Configuration

```
<M> IPv6 connection tracking support
< > IPv6 socket lookup support
< > IPv6 nf_tables support
< > Netfilter IPv6 packet duplication to alternate destination
{M} IPv6 packet rejection
{M} IPv6 packet logging
< > IPv6 NAT
<M> IP6 tables support (required for filtering)
< >   "ah" match support
< >   "eui64" address check
< >   "frag" Fragmentation header match support
< >   "hbh" hop-by-hop and "dst" opts header match support
<M>   "hl" hoplimit match support
< >   "ipv6header" IPv6 Extension Headers Match
< >   "mh" match support
<M>   "rt" Routing header match support
<M>   Packet filtering
<M>     REJECT target support
< >   SYNPROXY target support
< >   Packet mangling
< >   raw table support (required for TRACE)
< >   ip6tables NAT support
```

I'll add raw table and IP set support for starters (but which IP set submodules?), but that seems unrelated to the connection tracking issue I have.

----------

## bunder

add all of the ipset modules, they're (mostly) all useful.   :Wink: 

----------

## Hu

Instead of posting menuconfig output, please post the relevant fragment from /proc/config.gz so that we can be sure that the options you quote are the ones actually active on the system.  Your menuconfig output seems to say you enabled the symbol I mentioned, but your original error output suggests you did not enable that symbol.

----------

## equaeghe

*Hu wrote:*

> Instead of posting menuconfig output, please post the relevant fragment from /proc/config.gz so that we can be sure that the options you quote are the ones actually active on the system.  Your menuconfig output seems to say you enabled the symbol I mentioned, but your original error output suggests you did not enable that symbol.

```
~ # zgrep CONNTRACK /proc/config.gz
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_CONNTRACK_MARK is not set
# CONFIG_NF_CONNTRACK_PROCFS is not set
# CONFIG_NF_CONNTRACK_EVENTS is not set
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
# CONFIG_NF_CONNTRACK_AMANDA is not set
CONFIG_NF_CONNTRACK_FTP=m
# CONFIG_NF_CONNTRACK_H323 is not set
# CONFIG_NF_CONNTRACK_IRC is not set
CONFIG_NF_CONNTRACK_BROADCAST=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
# CONFIG_NF_CONNTRACK_SNMP is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SANE is not set
# CONFIG_NF_CONNTRACK_SIP is not set
# CONFIG_NF_CONNTRACK_TFTP is not set
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_IPV6=m
```

```
# lsmod | grep -i conn
nf_conntrack_ipv6      16384  15
nf_defrag_ipv6         32768  1 nf_conntrack_ipv6
nf_conntrack_ipv4      16384  13
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
xt_conntrack           16384  28
nf_conntrack           73728  3 xt_conntrack,nf_conntrack_ipv6,nf_conntrack_ipv4
x_tables               32768  13 ebtables,ip6table_filter,xt_conntrack,ip6table_raw,iptable_filter,ip6t_rpfilter,xt_tcpudp,ip6_tables,ipt_REJECT,iptable_raw,ip_tables,ip6t_REJECT,iptable_mangle
```

----------

## Hu

Strange.  If you have SYSCTL=y and NF_CONNTRACK is enabled, then you should have the pseudo-file nf_conntrack_helper.  I do not know why firewalld could not access it.

For your other problem, your saved rules use the raw table, but you no longer build it.  Do you need the raw table?  If not, you can remove it from your saved rules instead of changing the kernel configuration.
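The two checks Hu walks through in this thread (is NF_CONNTRACK built and loaded so that the nf_conntrack_helper sysctl can exist, and which tables do the saved rules reference that the kernel no longer builds) can be scripted so they are run against the actual kernel config rather than menuconfig output. The script below is an added example, not code from the thread or from firewalld. It assumes the caller has first dumped the inputs to plain files (the paths are placeholders) and it only maps the IPv4 iptables tables to their kernel symbols (CONFIG_IP_NF_FILTER, IP_NF_NAT, IP_NF_MANGLE, IP_NF_RAW, IP_NF_SECURITY); it also relies on the fact that with NF_CONNTRACK=m the /proc/sys/net/netfilter/nf_conntrack_* entries only appear once the nf_conntrack module is loaded.

```shell
#!/bin/sh
# Added diagnostic for the firewalld errors discussed above (not the thread's own code).
# Inputs are plain files, produced on the affected host with (paths are assumptions):
#   zcat /proc/config.gz > /tmp/config; lsmod > /tmp/lsmod; iptables-save > /tmp/rules

# kconfig_state CONFIG_FILE SYMBOL -> prints y (built in), m (module) or n (not set)
kconfig_state() {
    _file=$1; _sym=$2
    if grep -q "^CONFIG_${_sym}=y\$" "$_file"; then
        echo y
    elif grep -q "^CONFIG_${_sym}=m\$" "$_file"; then
        echo m
    else
        echo n
    fi
}

# module_loaded LSMOD_FILE NAME -> exit 0 iff NAME is in the first column (a loaded module),
# not merely listed in another module's "Used by" column
module_loaded() {
    awk -v name="$2" '$1 == name { found = 1 } END { exit !found }' "$1"
}

# conntrack_helper_diagnosis CONFIG_FILE LSMOD_FILE SYSCTL_PATH -> one verdict line;
# follows Hu's reasoning: SYSCTL=y plus NF_CONNTRACK present should give the pseudo-file
conntrack_helper_diagnosis() {
    _cfg=$1; _lsmod=$2; _sysctl=$3
    case "$(kconfig_state "$_cfg" SYSCTL)" in
        y) ;;
        *) echo "CONFIG_SYSCTL is off: no /proc/sys tree at all"; return 1 ;;
    esac
    case "$(kconfig_state "$_cfg" NF_CONNTRACK)" in
        n) echo "NF_CONNTRACK not built: enable it in the kernel config"; return 1 ;;
        m) if ! module_loaded "$_lsmod" nf_conntrack; then
               echo "NF_CONNTRACK=m but nf_conntrack is not loaded: the sysctl appears only once it is"
               return 1
           fi ;;
    esac
    if [ -e "$_sysctl" ]; then
        echo "ok: $_sysctl present"
        return 0
    fi
    echo "unexplained: conntrack present but $_sysctl missing"
    return 1
}

# tables_in_rules DUMP -> the table names an iptables-save dump declares ('*raw', '*filter', ...)
tables_in_rules() {
    sed -n 's/^\*\([a-z0-9_]*\).*/\1/p' "$1" | sort -u
}

# missing_tables CONFIG_FILE DUMP -> each table used by the saved rules whose kernel symbol is unset;
# this is what makes 'iptables-restore' fail with "unable to initialize table 'raw'"
missing_tables() {
    _cfg=$1; _dump=$2
    for _t in $(tables_in_rules "$_dump"); do
        case "$_t" in
            filter)   _sym=IP_NF_FILTER ;;
            nat)      _sym=IP_NF_NAT ;;
            mangle)   _sym=IP_NF_MANGLE ;;
            raw)      _sym=IP_NF_RAW ;;
            security) _sym=IP_NF_SECURITY ;;
            *) continue ;;   # unknown table name: nothing to check
        esac
        [ "$(kconfig_state "$_cfg" "$_sym")" = n ] && echo "$_t (CONFIG_$_sym)"
    done
    return 0
}

# Stand-alone use: sh conntrack_check.sh /tmp/config /tmp/lsmod /tmp/rules
if [ "$#" -eq 3 ]; then
    conntrack_helper_diagnosis "$1" "$2" /proc/sys/net/netfilter/nf_conntrack_helper || true
    echo "tables used by the saved rules but not built into this kernel:"
    missing_tables "$1" "$3"
fi
```

If `missing_tables` reports `raw`, the choice Hu describes applies: either build `CONFIG_IP_NF_RAW` (and `IP6_NF_RAW` for ip6tables, which this script does not check) or delete the `*raw` section from the saved rules. The diagnosis function deliberately stops at "unexplained" rather than guessing, since the thread itself leaves that case open.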

----------

