On Mon, Dec 12, 2016 at 12:54:50PM -0800, Joe Stringer wrote:
> On 12 December 2016 at 11:33, Ben Pfaff <[email protected]> wrote:
> > On Mon, Dec 12, 2016 at 11:16:50AM -0800, Joe Stringer wrote:
> >> Automatic helper assignment was disabled in Linux 4.7 or later, in
> >> upstream commit 3bb398d925ec ("netfilter: nf_ct_helper: disable
> >> automatic helper assignment").
> >>
> >> Signed-off-by: Joe Stringer <[email protected]>
> >> ---
> >> Documentation/faq/openflow.rst | 14 ++++++++++++++
> >> 1 file changed, 14 insertions(+)
> >>
> >> diff --git a/Documentation/faq/openflow.rst
> >> b/Documentation/faq/openflow.rst
> >> index d31bbef96c81..632f8e7190da 100644
> >> --- a/Documentation/faq/openflow.rst
> >> +++ b/Documentation/faq/openflow.rst
> >> @@ -535,3 +535,17 @@ Q: The "learn" action can't learn the action I want,
> >> can you improve it?
> >> - At least some of the features described in T. A. Hoff, "Extending
> >> Open
> >> vSwitch to Facilitate Creation of Stateful SDN Applications".
> >>
> >> +Q: When using the "ct" action with FTP connections, it doesn't seem to
> >> matter
> >> +if I set the "alg=ftp" parameter in the action. Is this required?
> >> +
> >> + A: Before Linux 4.7, automatic helper assignment was enabled by
> >> default.
> >> + This means is that even if you do not specify ALGs, the traffic will
> >> be put
> >> + through that ALG. In such cases, it is possible to construct OpenFlow
> >> + tables using conntrack actions that are missing the FTP option, and
> >> the
> >> + conntrack action will still track that FTP connection and correlate
> >> its
> >> + sessions. When using kernels 4.7 or higher, or if the
> >> "nf_conntrack_helper"
> >> + sysctl is disabled, you should always specify the alg option for FTP
> >> + control connections.
> >> +
> >> + For more context, see the blog post from the netfilter team:
> >> + http://www.netfilter.org/news.html#2012-04-03
> >
> > This is nice but what about also documenting it alongside the option
> > itself, e.g. add this:
> >
> > diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in
> > index af1eb2b..0be4e0c 100644
> > --- a/utilities/ovs-ofctl.8.in
> > +++ b/utilities/ovs-ofctl.8.in
> > @@ -1839,8 +1839,10 @@ tracker with the \fBtable\fR specified.
> > The \fBcommit\fR parameter must be specified to use \fBexec(...)\fR.
> > .
> > .IP \fBalg=\fIalg\fR
> > -Specify application layer gateway \fIalg\fR to track specific connection
> > -types. Supported types include:
> > +With Linux kernels before 4.7, automatic helper assignment was enabled
> > +by default and this option has no effect. With later kernels, this
> > +option enables particular application level gateway \fIalg\fR. Supported
> > +\fIalg\fR types include:
> > .RS
> > .IP \fBftp\fR
> > Look for negotiation of FTP data connections. If a subsequent FTP data
> >
> > Acked-by: Ben Pfaff <[email protected]>
>
> It's a little more subtle than that, since even on earlier kernels the
> sysctl exists and may be disabled. Furthermore, even if it's enabled,
> if for instance you have FTP control traffic going over an unusual
> port then I'm not sure that the automatic helpers will kick in. This
> is also Linux datapath specific, so it doesn't apply to the proposed
> windows datapath support and wouldn't apply to userspace datapath on
> Linux either, if/when it is introduced. The proposed patch here should
> be updated with this in mind too.
>
> I think that this is really just a platform-specific debugging tip
> which complicates the explanation in ovs-ofctl(8). Ideally people
> using this feature should always specify the ALG, even if it has no
> effect on some platforms since over time it's going to be required on
> all platforms anyway.
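Review bot: in the FAQ hunk for Documentation/faq/openflow.rst, the sentence "+ This means is that even if you do not specify ALGs, the traffic will be put through that ALG." has a stray "is" and refers to "that ALG" before any ALG has been named; suggest "This means that even if you do not specify an ALG, FTP traffic will still be put through the FTP helper." The answer also states the kernel-4.7 / nf_conntrack_helper condition without saying which datapath it applies to, while the reply above points out that it is specific to the Linux kernel datapath and does not hold for the Windows or userspace datapaths; the entry should say so explicitly and end with the platform-independent advice to always set alg=ftp on FTP control connections.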
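Review bot: in the utilities/ovs-ofctl.8.in hunk, "+by default and this option has no effect." overstates the pre-4.7 behaviour: the nf_conntrack_helper sysctl can be turned off on those kernels too (the FAQ text above says as much), in which case alg= is needed there as well, and the man page describes an OpenFlow action that is not tied to the Linux datapath. Suggest keeping the original "-Specify application layer gateway \fIalg\fR to track specific connection types." wording, adding one sentence recommending that alg always be given for the matching control connection, and referring to the FAQ entry for the Linux automatic-helper details rather than restating the kernel version here.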
Maybe the FAQ entry should give this additional information and advice,
and then ovs-ofctl(8) could refer to it.

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
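The FTP case the FAQ entry describes, as an added example that is not part of the thread or of the OVS patches: a POSIX shell script that applies the FAQ's rule for the Linux kernel datapath (kernel 4.7 or later, or nf_conntrack_helper set to 0, means the ALG must be given explicitly) and emits a flow table that sets alg=ftp on the control connection unconditionally, which is the advice Joe gives regardless of platform. The bridge name br0, TCP port 21 for the control connection, the two-table layout and the priorities are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not code from the OVS patches or the ovs-dev thread.
# Assumptions: bridge "br0", FTP control on TCP port 21, and the
# two-table flow layout below are illustrative choices only.

# Apply the FAQ's rule for the Linux kernel datapath: ct(alg=ftp) is
# strictly required when the kernel is 4.7 or newer, or when the
# net.netfilter.nf_conntrack_helper sysctl is 0 on any kernel. On older
# kernels with the sysctl enabled, automatic helper assignment would
# track FTP on its default port anyway, so the option is reported
# "optional". Always specifying it remains the recommended practice.
#   $1  kernel release string, e.g. "4.4.0-generic" or "4.9.0"
#   $2  value of nf_conntrack_helper ("0", "1", or "unknown")
alg_required() {
    kver=$1
    helper=$2
    major=${kver%%.*}
    major=${major%%[!0-9]*}
    major=${major:-0}
    case $kver in
        *.*) rest=${kver#*.} ;;
        *)   rest=0 ;;
    esac
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}      # "7-rc1" -> "7"
    minor=${minor:-0}
    if [ "$helper" = 0 ]; then
        echo required
        return 0
    fi
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 7 ]; }; then
        echo required
    else
        echo optional
    fi
}

# Read the live sysctl when running on Linux; "unknown" otherwise.
running_helper_sysctl() {
    f=/proc/sys/net/netfilter/nf_conntrack_helper
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Flow table that sets the FTP ALG explicitly on the control connection
# and admits the data connections the helper predicts as "related".
# Install on a real host with:  ftp_flows | ovs-ofctl add-flows br0 -
ftp_flows() {
    cat <<'EOF'
table=0, priority=100, ip, ct_state=-trk, actions=ct(table=1)
table=0, priority=0, actions=normal
table=1, priority=110, tcp, tp_dst=21, ct_state=+trk+new, actions=ct(commit,alg=ftp),normal
table=1, priority=100, ip, ct_state=+trk+new, actions=ct(commit),normal
table=1, priority=100, ip, ct_state=+trk+est, actions=normal
table=1, priority=100, ip, ct_state=+trk+rel, actions=ct(commit),normal
table=1, priority=0, actions=drop
EOF
}

# Usage: report the running host, then print the flows to install.
kver=$(uname -r 2>/dev/null || echo unknown)
helper=$(running_helper_sysctl)
echo "kernel $kver, nf_conntrack_helper=$helper: alg=ftp is $(alg_required "$kver" "$helper")"
ftp_flows
```

The priority-110 rule is the one that matters for the thread: it commits the FTP control connection with the ALG attached, so the +rel rule later admits the data connection whether or not the kernel would have assigned the helper automatically. If FTP control ran on a port other than 21, the tp_dst match is the only place that needs changing, which is exactly the case where Joe notes automatic helper assignment may not kick in.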
