On 12 December 2016 at 13:24, Darrell Ball <[email protected]> wrote: > > > On 12/12/16, 11:16 AM, "[email protected] on behalf of Joe > Stringer" <[email protected] on behalf of [email protected]> wrote: > > Automatic helper assignment was disabled in Linux 4.7 or later, in > upstream commit 3bb398d925ec ("netfilter: nf_ct_helper: disable > automatic helper assignment"). > > Signed-off-by: Joe Stringer <[email protected]> > --- > Documentation/faq/openflow.rst | 14 ++++++++++++++ > 1 file changed, 14 insertions(+) > > diff --git a/Documentation/faq/openflow.rst > b/Documentation/faq/openflow.rst > index d31bbef96c81..632f8e7190da 100644 > --- a/Documentation/faq/openflow.rst > +++ b/Documentation/faq/openflow.rst > @@ -535,3 +535,17 @@ Q: The "learn" action can't learn the action I want, > can you improve it? > - At least some of the features described in T. A. Hoff, "Extending > Open > vSwitch to Facilitate Creation of Stateful SDN Applications". > > +Q: When using the "ct" action with FTP connections, it doesn't seem to > matter > +if I set the "alg=ftp" parameter in the action. Is this required? > + > + A: Before Linux 4.7, automatic helper assignment was enabled by > default. > + This means is that even if you do not specify ALGs, the traffic will > be put > + through that ALG. In such cases, it is possible to construct OpenFlow > + tables using conntrack actions that are missing the FTP option, and > the > + conntrack action will still track that FTP connection and correlate > its > + sessions. > > This is surprising behavior. As you mentioned offline, perhaps it is better to > recommend disabling thru. sysctl as a default ?
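Review bot: the FAQ answer in the openflow.rst hunk leaves the question it poses ("Is this required?") unanswered for current kernels: it explains that helpers attach automatically before Linux 4.7, but never states the other half, namely that on Linux 4.7 and later (the kernels where automatic helper assignment is disabled, per the commit message above) the FTP data connections are only tracked and correlated when the flow says ct(alg=ftp). Suggest closing the answer with that sentence, and naming the sysctl that controls the behaviour so readers can check their own host rather than infer it from the kernel version. Also drop the stray "is" in "This means is that even if you do not specify ALGs".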
Yeah. How about this as a replacement for the above patch: diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in index af1eb2b7baf2..906af814851a 100644 --- a/utilities/ovs-ofctl.8.in +++ b/utilities/ovs-ofctl.8.in @@ -1856,6 +1856,15 @@ When committing related connections, the \fBct_mark\fR for that connection is inherited from the current \fBct_mark\fR stored with the original connection (ie, the connection created by \fBct(alg=...)\fR). . +.IP +Note that with the Linux datapath, global sysctl options affect the usage of +the \fBct\fR action. In particular, if \fInet.netfilter.nf_conntrack_helper\fR +is enabled then application layer gateway helpers may be executed even if the +\fBalg\fR option is not specified. This is the default setting until Linux 4.7. +For security reasons, the netfilter team recommends users to disable this +option. See this blog post for further details: +http://www.netfilter.org/news.html#2012-04-03 +. .IP \fBnat\fR[\fB(\fR(\fBsrc\fR|\fBdst\fR)\fB=\fIaddr1\fR[\fB-\fIaddr2\fR][\fB:\fIport1\fR[\fB-\fIport2\fR]][\fB,\fIflags\fR]\fB)\fR] . Specify address and port translation for the connection being tracked.
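Review bot: "This is the default setting until Linux 4.7" in the new .IP paragraph is ambiguous about whether 4.7 itself is included; the commit message of the original patch says automatic assignment was disabled in Linux 4.7, so "in kernels before Linux 4.7" is the unambiguous wording. In the same paragraph, "recommends users to disable this option" should read "recommends that users disable this option", and since the text tells administrators to disable the sysctl it should also say what that implies for their flows, e.g. "When net.netfilter.nf_conntrack_helper is 0, helpers are attached only to connections committed with an explicit alg option, so flows that need FTP tracking must specify ct(alg=ftp)." Minor: the sysctl name is set in \fI while the ct and alg option names in the surrounding lines use \fB; choose one convention for it.

The check that the man page paragraph asks administrators to make, as an added shell example that is not part of this thread or of the OVS tree: it reads the kernel release and the net.netfilter.nf_conntrack_helper value from the running host, classifies the host as "implicit-helpers" (helpers attach automatically, the pre-4.7 default the thread describes) or "explicit-alg-required" (helpers attach only via ct(alg=...)), and prints the hardening the netfilter team recommends together with an illustrative pair of OVS flows that name the FTP ALG explicitly. The version heuristic assumes only what the thread states (the default flipped in Linux 4.7, and an absent sysctl on a newer kernel behaves like 0); the bridge name br0 and the flow rules are illustrative assumptions, not taken from the patch.

```shell
#!/bin/sh
# Added example (not from the OVS patch or the mailing-list thread).
# Decides whether flows on this host may rely on implicit conntrack helpers
# or must name the ALG explicitly with ct(alg=ftp).

# Return 0 if kernel release $1 (e.g. "4.4.0-98-generic") is older than 4.7,
# the version in which the thread says automatic helper assignment was
# disabled by default.
kernel_before_4_7() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    minor=${minor:-0}
    [ $((major * 100 + minor)) -lt 407 ]
}

# Classify a host. $1 = kernel release, $2 = value of
# net.netfilter.nf_conntrack_helper, or "" when the sysctl is absent.
# Assumption (labelled): an absent sysctl on a pre-4.7 kernel means helpers
# are auto-assigned; on 4.7+ it behaves like 0.
helper_policy() {
    case "$2" in
        1) echo implicit-helpers ;;
        0) echo explicit-alg-required ;;
        "") if kernel_before_4_7 "$1"; then
                echo implicit-helpers
            else
                echo explicit-alg-required
            fi ;;
        *) echo unknown ;;
    esac
}

# Read the live host and report. Uses the sysctl name from the man page
# paragraph; the flow rules below are illustrative (bridge br0 is assumed).
audit_host() {
    rel=$(uname -r)
    val=""
    if [ -r /proc/sys/net/netfilter/nf_conntrack_helper ]; then
        val=$(cat /proc/sys/net/netfilter/nf_conntrack_helper)
    fi
    policy=$(helper_policy "$rel" "$val")
    echo "kernel=$rel nf_conntrack_helper=${val:-absent} policy=$policy"
    if [ "$policy" = implicit-helpers ]; then
        echo "Hardening (netfilter team recommendation): persist"
        echo "  net.netfilter.nf_conntrack_helper = 0   in /etc/sysctl.d/"
        echo "so that only connections committed with an explicit alg get a helper."
    fi
    echo "Flows that need FTP tracking should then say so explicitly, e.g.:"
    echo "  ovs-ofctl add-flow br0 'table=0,priority=100,tcp,ct_state=-trk,actions=ct(table=1)'"
    echo "  ovs-ofctl add-flow br0 'table=1,priority=100,tcp,tp_dst=21,ct_state=+trk+new,actions=ct(commit,alg=ftp),normal'"
}

audit_host
```

Run it on the hypervisor or switch host as root; the decisive output line is `policy=`: a host reporting `implicit-helpers` is exercising the surprising behaviour Darrell describes, and any flow there that omits `alg=ftp` is tracking FTP only because of the global default, not because the rule asked for it.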
