diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
index 3b283edec027..5e4f32abef3f 100644
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -17,6 +17,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 
@@ -287,6 +288,9 @@ nfnl_cthelper_new(struct sock *nfnl, struct sk_buff *skb,
 	struct nf_conntrack_tuple tuple;
 	int ret = 0, i;
 
+	if (!capable(CAP_NET_ADMIN))
+		return -EPERM;
+
 	if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
 		return -EINVAL;
 
@@ -501,6 +505,9 @@ nfnl_cthelper_get(struct sock *nfnl, struct sk_buff *skb,
 	struct nf_conntrack_tuple tuple;
 	bool tuple_set = false;
 
+	if (!capable(CAP_NET_ADMIN))
+		return -EPERM;
+
 	if (nlh->nlmsg_flags & NLM_F_DUMP) {
 		struct netlink_dump_control c = {
 			.dump = nfnl_cthelper_dump_table,
@@ -573,6 +580,9 @@ nfnl_cthelper_del(struct sock *nfnl, struct sk_buff *skb,
 	bool tuple_set = false, found = false;
 	int i, j = 0, ret;
 
+	if (!capable(CAP_NET_ADMIN))
+		return -EPERM;
+
 	if (tb[NFCTH_NAME])
 		helper_name = nla_data(tb[NFCTH_NAME]);
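Review bot: The `capable(CAP_NET_ADMIN)` guard added at the top of nfnl_cthelper_new carries no comment explaining why a per-callback check is needed in addition to whatever permission check the nfnetlink core applies before dispatching (that check is not visible in this diff), and the identical unexplained guard recurs in the nfnl_cthelper_get and nfnl_cthelper_del hunks, so a later cleanup could plausibly drop all three as redundant. If, as the use of the init-namespace `capable()` rather than a namespace-relative variant suggests, helper registration through this interface affects conntrack globally rather than per network namespace (inferred — the helper list itself is not in the hunks), that is the essential fact and should be recorded once, e.g. `/* cthelper state is global, not per-netns: require CAP_NET_ADMIN in the initial user namespace regardless of any namespace-relative check the core performed. */` above the first guard, with a one-line pointer to it above the other two. The three enclosing functions each begin and continue outside their hunks.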