On 12/12/16, 1:44 PM, "Joe Stringer" <[email protected]> wrote:

    On 12 December 2016 at 13:24, Darrell Ball <[email protected]> wrote:
    >
    >
    > On 12/12/16, 11:16 AM, "[email protected] on behalf of Joe Stringer" <[email protected] on behalf of [email protected]> wrote:
    >
    >     Automatic helper assignment was disabled in Linux 4.7 or later, in
    >     upstream commit 3bb398d925ec ("netfilter: nf_ct_helper: disable
    >     automatic helper assignment").
    >
    >     Signed-off-by: Joe Stringer <[email protected]>
    >     ---
    >      Documentation/faq/openflow.rst | 14 ++++++++++++++
    >      1 file changed, 14 insertions(+)
    >
    >     diff --git a/Documentation/faq/openflow.rst 
b/Documentation/faq/openflow.rst
    >     index d31bbef96c81..632f8e7190da 100644
    >     --- a/Documentation/faq/openflow.rst
    >     +++ b/Documentation/faq/openflow.rst
    >     @@ -535,3 +535,17 @@ Q: The "learn" action can't learn the action I 
want, can you improve it?
    >          - At least some of the features described in T. A. Hoff, 
"Extending Open
    >            vSwitch to Facilitate Creation of Stateful SDN Applications".
    >
    >     +Q: When using the "ct" action with FTP connections, it doesn't seem 
to matter
    >     +if I set the "alg=ftp" parameter in the action. Is this required?
    >     +
    >     +    A: Before Linux 4.7, automatic helper assignment was enabled by 
default.
    >     +    This means is that even if you do not specify ALGs, the traffic 
will be put
    >     +    through that ALG. In such cases, it is possible to construct 
OpenFlow
    >     +    tables using conntrack actions that are missing the FTP option, 
and the
    >     +    conntrack action will still track that FTP connection and 
correlate its
    >     +    sessions.
    >
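Review bot: the new FAQ answer (the `+    A:` lines) never actually answers the question it poses: it explains that the FTP helper is assigned automatically before Linux 4.7, but does not say whether `alg=ftp` is required, nor what happens on 4.7 and later where, per the commit message, automatic assignment is disabled and the FTP data session will no longer be correlated unless the option is set. Suggest closing the answer with an explicit recommendation to always set `alg=ftp` and, on older kernels, to turn `net.netfilter.nf_conntrack_helper` off rather than rely on the default. Same region, a typo: `This means is that` should read `This means that`.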
    > This is surprising behavior. As you mentioned offline, perhaps it is
    > better to recommend disabling through sysctl as a default?
    
    Yeah. How about this as a replacement for the above patch:

The new content looks ok to me. I am not sure about the placement “only” in
ovs-ofctl.8.in. It seems like FAQ is also useful?
Ben’s suggestion of a cross-reference works for me.
    
    diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in
    index af1eb2b7baf2..906af814851a 100644
    --- a/utilities/ovs-ofctl.8.in
    +++ b/utilities/ovs-ofctl.8.in
    @@ -1856,6 +1856,15 @@ When committing related connections, the
    \fBct_mark\fR for that connection is
    inherited from the current \fBct_mark\fR stored with the original connection
    (ie, the connection created by \fBct(alg=...)\fR).
    .
    +.IP
    +Note that with the Linux datapath, global sysctl options affect the usage 
of
    +the \fBct\fR action. In particular, if 
\fInet.netfilter.nf_conntrack_helper\fR
    +is enabled then application layer gateway helpers may be executed even if 
the
    +\fBalg\fR option is not specified. This is the default setting until Linux 
4.7.
    +For security reasons, the netfilter team recommends users to disable this
    +option. See this blog post for further details:
    
+https://urldefense.proofpoint.com/v2/url?u=http-3A__www.netfilter.org_news.html-232012-2D04-2D03&d=DgIBaQ&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=3Mp7JEdZ-iY-2vn8mb2KqFwvqAxtuUGMNt_lffyk_-A&s=3CPh9_AHHEYFTsQlYYou_BtB0b6CIAhuGIR-Mg_wUaE&e=
 
    +.
    .IP 
\fBnat\fR[\fB(\fR(\fBsrc\fR|\fBdst\fR)\fB=\fIaddr1\fR[\fB-\fIaddr2\fR][\fB:\fIport1\fR[\fB-\fIport2\fR]][\fB,\fIflags\fR]\fB)\fR]
    .
    Specify address and port translation for the connection being tracked.
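Review bot: the URL on the last `+` line before the closing `.` is a Proofpoint `urldefense.proofpoint.com/v2/url?u=...` wrapper that appears to have been rewritten in transit; it decodes to `http://www.netfilter.org/news.html#2012-04-03`, which is what the man page should cite, so make sure the copy that gets applied carries the plain URL rather than the one rendered in this reply. Two smaller points on the same hunk: `recommends users to disable this option` reads better as `recommends that users disable this option`, and since the note already names the sysctl, stating the concrete setting (`sysctl -w net.netfilter.nf_conntrack_helper=0`) would let readers act on it without following the link.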
    

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
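An added audit check, not code from this thread or from Open vSwitch: it scans `ovs-ofctl dump-flows` style output for flows that match the FTP control port and run `ct(...)` without `alg=ftp`, i.e. the flows that only correlate FTP data sessions while `net.netfilter.nf_conntrack_helper` is 1, and reports each one against the sysctl value. The sample dump and the sysctl value it is checked against are constructed inputs.

```python
import re
from typing import List, Tuple

# Constructed sample in the style of `ovs-ofctl dump-flows` output (not taken
# from the thread).  Only the second flow names the FTP helper explicitly.
SAMPLE_DUMP = """\
 cookie=0x0, duration=12.3s, table=0, n_packets=4, n_bytes=296, priority=100,tcp,tp_dst=21 actions=ct(commit),NORMAL
 cookie=0x0, duration=12.3s, table=0, n_packets=0, n_bytes=0, priority=100,tcp,tp_dst=21 actions=ct(commit,alg=ftp),NORMAL
 cookie=0x0, duration=12.3s, table=0, n_packets=9, n_bytes=700, priority=50,tcp,tp_dst=80 actions=ct(commit),NORMAL
"""

FLOW_RE = re.compile(r"^\s*(?P<match>.*?)\s+actions=(?P<actions>.*?)\s*$")
CT_RE = re.compile(r"\bct\(([^)]*)\)")
BOOKKEEPING = ("cookie=", "duration=", "n_packets=", "n_bytes=", "idle_age=", "hard_age=")  # counters, not match fields


def ftp_flows_without_alg(dump_text: str) -> List[Tuple[str, str]]:
    """(match, actions) for flows on the FTP control port (tcp, tp_dst=21)
    whose ct() lacks alg=ftp: they only correlate the FTP data session while
    the kernel auto-assigns helpers (net.netfilter.nf_conntrack_helper=1)."""
    hits = []
    for line in dump_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        tokens = [t for t in re.split(r",\s*", m.group("match")) if t]
        if "tcp" not in tokens or "tp_dst=21" not in tokens:
            continue
        ct_calls = CT_RE.findall(m.group("actions"))
        if not ct_calls:
            continue  # no conntrack on this flow, helpers never run
        if any(arg.strip().startswith("alg=")
               for call in ct_calls for arg in call.split(",")):
            continue  # helper named explicitly: independent of the sysctl
        match = ",".join(t for t in tokens if not t.startswith(BOOKKEEPING))
        hits.append((match, m.group("actions")))
    return hits


def explain(hits: List[Tuple[str, str]], nf_conntrack_helper: int) -> List[str]:
    """One report line per hit, read against the live sysctl value
    (cat /proc/sys/net/netfilter/nf_conntrack_helper)."""
    if nf_conntrack_helper:
        why = ("works only because nf_conntrack_helper=1 auto-assigns the FTP "
               "helper; add alg=ftp before turning the sysctl off")
    else:
        why = ("FTP data connections are NOT tracked (auto-assignment is off); "
               "add alg=ftp to the ct action")
    return [f"{match} actions={actions}: {why}" for match, actions in hits]
```

On a live switch, feed the output of `ovs-ofctl dump-flows <bridge>` to `ftp_flows_without_alg` and the current value of the sysctl to `explain`.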
