On 12/12/16, 11:16 AM, "[email protected] on behalf of Joe 
Stringer" <[email protected] on behalf of [email protected]> wrote:

    Automatic helper assignment was disabled in Linux 4.7 or later, in
    upstream commit 3bb398d925ec ("netfilter: nf_ct_helper: disable
    automatic helper assignment").
    
    Signed-off-by: Joe Stringer <[email protected]>
    ---
     Documentation/faq/openflow.rst | 14 ++++++++++++++
     1 file changed, 14 insertions(+)
    
    diff --git a/Documentation/faq/openflow.rst b/Documentation/faq/openflow.rst
    index d31bbef96c81..632f8e7190da 100644
    --- a/Documentation/faq/openflow.rst
    +++ b/Documentation/faq/openflow.rst
    @@ -535,3 +535,17 @@ Q: The "learn" action can't learn the action I want, 
can you improve it?
         - At least some of the features described in T. A. Hoff, "Extending 
Open
           vSwitch to Facilitate Creation of Stateful SDN Applications".
     
    +Q: When using the "ct" action with FTP connections, it doesn't seem to 
matter
    +if I set the "alg=ftp" parameter in the action. Is this required?
    +
    +    A: Before Linux 4.7, automatic helper assignment was enabled by 
default.
    +    This means is that even if you do not specify ALGs, the traffic will 
be put
    +    through that ALG. In such cases, it is possible to construct OpenFlow
    +    tables using conntrack actions that are missing the FTP option, and the
    +    conntrack action will still track that FTP connection and correlate its
    +    sessions. 

This is surprising behavior. As you mentioned offline, perhaps it is better to 
recommend disabling through sysctl as a default?


When using kernels 4.7 or higher, or if the "nf_conntrack_helper"
    +    sysctl is disabled, you should always specify the alg option for FTP
    +    control connections.
    +
    +    For more context, see the blog post from the netfilter team:
    +    
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.netfilter.org_news.html-232012-2D04-2D03&d=DgICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=0POoOw3La7-Pq7vNSCDTYbV1Uy3kvqte-NKVmyr21wQ&s=ofbMfIRsn-W4gae0qMp5m8d_SvWRwyGwg7hCDCQBQ5k&e=
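
Review bot: The added answer has a grammar slip in "This means is that even if you do not specify ALGs" (it should read "This means that"), and it tells readers to specify the alg option only for kernels 4.7 or higher or when the "nf_conntrack_helper" sysctl is disabled. Tables written without the FTP option work only because of the automatic assignment described in the first sentences, so consider recommending that the alg option always be set on FTP control connections regardless of kernel version, and stating what is lost (tracking and correlation of the FTP sessions) when it is omitted on 4.7 or later. Giving the full sysctl path and the value that disables it would also let readers check their own systems.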
 
    -- 
    2.10.2
    

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
