Use the iptables CT target to attach connection tracking helpers
My system with linux-3.6.6 now contains the following in dmesg:
nf_conntrack: automatic helper assignment is deprecated and it will be
removed soon. Use the iptables CT target to attach helpers instead.
This is also discussed in e.g. https://bbs.archlinux.org/viewtopic.php?id=148345
Basically, for each protocol for which we want to do content inspection/mangling, we need to add something like:
iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp
This creates an explicit mapping with the port number and the protocol expected.
(from redmine: issue id 1540, created on 2013-01-16, closed on 2013-05-07)
- Changesets:
- Revision 2f489cc6 by Kaarle Ritvanen on 2013-02-19T12:27:36Z:
secure use of connection tracking helpers
enable connection tracking helpers when required, fixes #1540
service-specific RELATED rules
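
The explicit helper mapping requested in this issue, combined with helper-specific RELATED rules of the kind the changeset mentions, as an added example (not code from the issue or from the project's commit). The service table, the `gen_helper_rules` function name and the use of the INPUT chain are assumptions; the script only prints an iptables-restore ruleset and loads nothing.

```shell
#!/bin/sh
# Added example: build a ruleset that attaches conntrack helpers explicitly
# (raw table, CT target) and accepts RELATED traffic only when it was
# expected by one of those helpers, instead of a blanket RELATED accept.
# Assumption: automatic assignment is switched off separately, e.g.
# sysctl net.netfilter.nf_conntrack_helper=0 on kernels that have it.

# Constructed sample input: one "helper proto port" entry per line.
SERVICES='ftp tcp 21
tftp udp 69
sip udp 5060'

gen_helper_rules() {
    # $1: raw-table chain. OUTPUT covers locally generated connections,
    # PREROUTING covers inbound and forwarded ones.
    # stdin: service table in the format shown above.
    chain=$1
    raw=''
    filter=''
    while read -r helper proto port; do
        [ -n "$helper" ] || continue
        case $proto in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1;; esac
        case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1;; esac
        # Explicit mapping: this helper inspects only this proto/port.
        raw="$raw-A $chain -p $proto --dport $port -j CT --helper $helper
"
        # Inbound expected connections (e.g. active-mode FTP data) are
        # accepted only if this specific helper created the expectation.
        filter="$filter-A INPUT -m conntrack --ctstate RELATED -m helper --helper $helper -j ACCEPT
"
    done
    printf '*raw\n%sCOMMIT\n' "$raw"
    printf '*filter\n-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT\n%sCOMMIT\n' "$filter"
}

# Print the ruleset for the sample table.
printf '%s\n' "$SERVICES" | gen_helper_rules OUTPUT
```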