Hello, thanks for the sysctl tip. It is wokring. The iptables-nft does not configure the nftables kernel in the same way? Because I did not see the problem when using it. Marek 2020-06-21 12:45 GMT+02:00, Florian Westphal <fw@xxxxxxxxx>: > Marek Greško <mgresko8@xxxxxxxxx> wrote: >> Hello, >> >> unfortunately the helper is not there: >> >> conntrack -L | grep sip -> no output >> >> It is strange, that if I use iptables-nft it is working. Some userspace >> problem? > > No, looks more like a kernel bug to me, I will have a look on > Monday. > > In mean time, you can work around this bug by removing the entire "ip > raw" / "ct set" stuff. > > and then use: > sysctl net.netfilter.nf_conntrack_helper=1 > > to re-enable the old auto-assign behaviour. >
