FTP port forwarding rule triggers iptc_commit warning

I have a port forward for FTP on port 21, and it seems to trigger a warning whenever the firewall is restarted:

...
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv4 raw table
   * Redirect 'FTP'
     - Auto-selected conntrack helper 'ftp' based on proto/port
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
Warning: iptc_commit(): No chain/target/match by that name   <----------
 * Populating IPv6 filter table
...

The port forward seems to work fine despite the warning, so I'm not sure exactly what is triggering it. A similar port forward for SFTP on port 22 doesn't trigger this warning, so I suspect it might be something to do with the FTP conntrack helper, but I've tried modifying all the options in that area and nothing gets rid of the warning apart from completely disabling this port forward.

Does anyone have any idea what is causing this warning, and how I might fix it?


I've just noticed a message in the system log which appears whenever I restart the firewall, which seems to confirm the link to the conntrack helper:

Wed Oct 21 09:42:25 2020 kern.info kernel: [152031.506346] xt_CT: No such helper "ftp"

Ok, installing this module fixed the problem:

kmod-nf-nathelper

I'm left wondering why this isn't installed by default though, when OpenWrt seems to automatically try to use this helper? :thinking:


In fact, none of the helpers listed in the GUI seem to be installed by default:

The other helpers listed above are in the kmod-nf-nathelper-extra module, but I don't have that installed. And it seems that the default option of "any" will automatically try to use one of these non-existent helpers based on the port/protocol, which will then trigger a warning when restarting the firewall.

This is, at best, very unintuitive.
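A way to spot this condition from the log, as an added example that is not part of the original posts: the functions below pull the helper names out of `xt_CT: No such helper` kernel lines and pair each with the package the thread names. The function names, the sample log (only its first line is quoted from the thread) and the rule that every helper other than `ftp` maps to kmod-nf-nathelper-extra are assumptions.

```shell
#!/bin/sh
# Added example: list conntrack helpers the firewall requested but the kernel
# could not find, using log lines like the xt_CT message quoted in the thread.

# Print each helper named in an 'xt_CT: No such helper "<name>"' line on
# stdin, one per line, de-duplicated.
missing_helpers() {
    sed -n 's/.*xt_CT: No such helper "\([^"]*\)".*/\1/p' | sort -u
}

# Map a helper name to the package that provides it.
# ftp -> kmod-nf-nathelper is stated in the thread. Mapping every other name
# to kmod-nf-nathelper-extra is an assumption based on the thread's remark
# about the other helpers in the GUI list.
helper_package() {
    case "$1" in
        ftp) echo kmod-nf-nathelper ;;
        *)   echo kmod-nf-nathelper-extra ;;
    esac
}

# Read log text on stdin and print "<helper> <package>" per missing helper.
report_missing() {
    missing_helpers | while read -r helper; do
        printf '%s %s\n' "$helper" "$(helper_package "$helper")"
    done
}

# Constructed sample log. Line 1 is the message quoted in the thread; the
# remaining lines are made up to show de-duplication and a second helper.
SAMPLE_LOG='Wed Oct 21 09:42:25 2020 kern.info kernel: [152031.506346] xt_CT: No such helper "ftp"
Wed Oct 21 09:42:26 2020 daemon.notice example: constructed unrelated line
Wed Oct 21 09:50:01 2020 kern.info kernel: [152487.100000] xt_CT: No such helper "ftp"
Wed Oct 21 09:50:01 2020 kern.info kernel: [152487.100100] xt_CT: No such helper "sip"'

# On the router itself the input would be the system log:
#   logread | report_missing
printf '%s\n' "$SAMPLE_LOG" | report_missing
```

Comparing the reported packages against `opkg list-installed` shows which ones still need installing before the next firewall restart.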
