Generic helper won't handle protocol 47

[80423.989764] conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module.

  • Is this a request for help?
  • This simply means that your WAN received an IP Protocol No. 47 (GRE) packet and you don't have that conntrack helper module loaded (likely since you're not using GRE).

Do you have a concern about this log message?


I have the same message and I would like to ask if it is something I should be worried about or just ignore.

Model: Xiaomi Mi Router 3G v2
Architecture: MediaTek MT7621 ver:1 eco:3
Firmware Version: OpenWrt 19.07.3 r11063-85e04e9f46 / LuCI openwrt-19.07 branch git-20.146.54255-39d5f2e
Kernel Version: 4.14.180

Thanks

root@OpenWrt:~# cat /etc/config/firewall 

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '1234'
	option name 'Allow-Wireguard-Inbound'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'

config forwarding
	option src 'wg'
	option dest 'wan'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wg'

config forwarding
	option src 'wan'
	option dest 'wg'

config redirect
	option dest_port '1234'
	option src 'wan'
	option name 'WireGuard'
	option src_dport '1234'
	option target 'DNAT'
	option dest_ip '172.28.10.75'
	option dest 'lan'
	list proto 'udp'

config redirect 'adblock_dns_53'
	option name 'Adblock DNS, port 53'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config redirect 'adblock_dns_853'
	option name 'Adblock DNS, port 853'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'

config redirect 'adblock_dns_5353'
	option name 'Adblock DNS, port 5353'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'

And after one year, the same questions still apply for those receiving the message:

And my same response applies:

And after a lot of time, I've also seen this warning in my kernel log, so I started to look around for this message.

I think that the user who posted this was asking, in some sort of way, how to get rid of this message.

What I have found is that, first, this isn't a real error; it's just saying that the router has received a GRE connection request that it is unable to figure out, since the package that handles this is missing. The package in question, I think, is kmod-nf-nathelper-extra. Also, by the way, if you have configured a TunnelBroker IPv6 tunnel, you may get this kind of request, since it's how they natively manage your registered tunnel.


The latest post will result in an info message on the kernel log saying: "nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead."

So what it's asking is to either enable the old-fashioned and insecure conntrack automatic helpers by adding the line 'net.netfilter.nf_conntrack_helper=1' to the file /etc/sysctl.conf, or configure iptables in such a way that it's constantly checking these requests and create a set of rules to handle them. I have found this article on this matter that led me to the OpenWrt official article on nftables; I don't know if I'm wrong, but it will do pretty much the same functionality as what it says in the first article.
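
The two options in the last post can be told apart on a running router. The following is an added example, not code from the thread or from OpenWrt: the function name `helper_mode`, the sample interface `eth0.2` and the sample ruleset are constructed, and it assumes the GRE traffic of interest belongs to PPTP, whose helper is named `pptp`.

```shell
#!/bin/sh
# Added example: report how conntrack helpers are attached.
#   $1    = value of net.netfilter.nf_conntrack_helper (0 or 1)
#   stdin = output of `iptables-save -t raw`
# Prints one of:
#   automatic         sysctl is 1: any flow on a helper's port gets the helper
#   explicit: <list>  sysctl is 0 and CT rules name specific helpers
#   none              sysctl is 0 and no CT --helper rule exists
helper_mode() {
    auto=$1
    # Pull the helper name out of every "-j CT ... --helper NAME" rule.
    helpers=$(sed -n 's/.*-j CT .*--helper \([a-z0-9-]*\).*/\1/p' \
        | sort -u | tr '\n' ' ')
    helpers=${helpers% }
    if [ "$auto" = "1" ]; then
        echo "automatic"
    elif [ -n "$helpers" ]; then
        echo "explicit: $helpers"
    else
        echo "none"
    fi
}

# Constructed sample of `iptables-save -t raw` output. The PPTP rule is the
# explicit form of what the kernel message asks for: the helper is attached
# only to TCP/1723 arriving on one interface, not to every matching flow.
sample_raw_table() {
cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0.2 -p tcp -m tcp --dport 1723 -j CT --helper pptp
-A PREROUTING -i eth0.2 -p udp -m udp --dport 1234 -j CT --notrack
COMMIT
EOF
}

# Demonstration on the constructed sample with the sysctl at 0.
sample_raw_table | helper_mode 0
```

On the router itself the call would be `iptables-save -t raw | helper_mode "$(sysctl -n net.netfilter.nf_conntrack_helper)"`.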