With 'netfilter: remove nf_conntrack_helper sysctl toggle' applied, the nf_conntrack_helper sysctl knob is removed. The testsuite has been forcibly disabling this knob anyway, but the use of sysctl will still error out on an invalid key. By adding the 'e' flag, the sysctl command will ignore missing keys.
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2022-August/397399.html Signed-off-by: Aaron Conole <[email protected]> --- Documentation/ref/ovs-actions.7.rst | 11 +++++------ tests/system-kmod-macros.at | 2 +- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/Documentation/ref/ovs-actions.7.rst b/Documentation/ref/ovs-actions.7.rst index b59b7634fa..0e9faee416 100644 --- a/Documentation/ref/ovs-actions.7.rst +++ b/Documentation/ref/ovs-actions.7.rst @@ -1635,12 +1635,11 @@ The following options are available only with ``commit``: Related connections inherit ``ct_mark`` from that stored with the original connection (i.e. the connection created by ``ct(alg=...)``. -With the Linux datapath, global sysctl options affect ``ct`` behavior. In -particular, if ``net.netfilter.nf_conntrack_helper`` is enabled, which it is -by default until Linux 4.7, then application layer gateway helpers may be -executed even if *alg* is not specified. For security reasons, the netfilter -team recommends users disable this option. For further details, please see -http://www.netfilter.org/news.html#2012-04-03 . +With the Linux datapath, global sysctl options affect ``ct`` behavior. Prior +to Linux kernel 6.0, the ``net.netfilter.nf_conntrack_helper`` sysctl option +could be used to force helper assignment, even if the ``alg=`` option was not +added to a flow. This setting has been removed in newer versions of the +kernel. The ``ct`` action may be used as a primitive to construct stateful firewalls by selectively committing some traffic, then matching ``ct_state`` to allow diff --git a/tests/system-kmod-macros.at b/tests/system-kmod-macros.at index 9ee1b1059d..f0f61d42ca 100644 --- a/tests/system-kmod-macros.at +++ b/tests/system-kmod-macros.at 
@@ -66,7 +66,7 @@ m4_define([CHECK_CONNTRACK], [modprobe mod || echo "Module mod not loaded." on_exit 'modprobe -r mod' ]) - sysctl -w net.netfilter.nf_conntrack_helper=0 + sysctl -ew net.netfilter.nf_conntrack_helper=0 on_exit 'ovstest test-netlink-conntrack flush' ] ) -- 2.34.3 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
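Review bot: the rewritten paragraph in the Documentation/ref/ovs-actions.7.rst hunk drops the security guidance the old text carried: that automatic helper assignment was enabled by default until Linux 4.7, that the netfilter team recommends disabling it, and the http://www.netfilter.org/news.html#2012-04-03 reference. Users on kernels older than 6.0 still have the knob, and the reason to keep it at 0 (a helper being attached to a connection whose flow never requested it with ``alg=``) is the point of the paragraph, so suggest keeping one sentence along the lines of "On kernels that still provide this option, leave it disabled so that helpers are only assigned when ``alg=`` is specified; see http://www.netfilter.org/news.html#2012-04-03." The "enabled by default until Linux 4.7" detail is also worth retaining, since it tells those users that the default is the unsafe setting.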
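Review bot: "sysctl -ew net.netfilter.nf_conntrack_helper=0" in the tests/system-kmod-macros.at hunk makes a missing key non-fatal as intended, but -e equally silences a misspelled key or the case where nf_conntrack is not loaded when the line runs, so on a pre-6.0 kernel the suite could proceed with helper auto-assignment still enabled and nothing would report it. CHECK_CONNTRACK already loops over "modprobe mod" before this line, so the key should normally be present; consider making the expectation explicit, for example reading the value back with "sysctl -e -n net.netfilter.nf_conntrack_helper" and checking it is 0 whenever the key exists, and add a short comment next to the line saying that the key is absent on kernels where the toggle has been removed, since that rationale currently lives only in the commit message.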
