On 9/7/22 15:15, Aaron Conole wrote: > With 'netfilter: remove nf_conntrack_helper sysctl toggle' applied, the > nf_conntrack_helper sysctl knob is removed. The testsuite has been forcibly > disabling this knob anyway, but the use of sysctl will still error out > on an invalid key. By adding 'e' flag, sysctl command will ignore missing > keys. > > Reported-at: > https://mail.openvswitch.org/pipermail/ovs-dev/2022-August/397399.html > Signed-off-by: Aaron Conole <[email protected]> > --- > Documentation/ref/ovs-actions.7.rst | 11 +++++------ > tests/system-kmod-macros.at | 2 +- > 2 files changed, 6 insertions(+), 7 deletions(-) > > diff --git a/Documentation/ref/ovs-actions.7.rst > b/Documentation/ref/ovs-actions.7.rst > index b59b7634fa..0e9faee416 100644 > --- a/Documentation/ref/ovs-actions.7.rst > +++ b/Documentation/ref/ovs-actions.7.rst 
> @@ -1635,12 +1635,11 @@ The following options are available only with > ``commit``: > Related connections inherit ``ct_mark`` from that stored with the > original > connection (i.e. the connection created by ``ct(alg=...)``. > > -With the Linux datapath, global sysctl options affect ``ct`` behavior. In > -particular, if ``net.netfilter.nf_conntrack_helper`` is enabled, which it is > -by default until Linux 4.7, then application layer gateway helpers may be > -executed even if *alg* is not specified. For security reasons, the netfilter > -team recommends users disable this option. For further details, please see > -http://www.netfilter.org/news.html#2012-04-03 . > +With the Linux datapath, global sysctl options affect ``ct`` behavior. Prior > +to Linux kernel 6.0, the ``net.netfilter.nf_conntrack_helper`` sysctl option > +could be used to force helper assignment, even if the ``alg=`` option was not > +added to a flow. This setting has been removed in newer versions of the > +kernel. > > The ``ct`` action may be used as a primitive to construct stateful firewalls > by > selectively committing some traffic, then matching ``ct_state`` to allow > diff --git a/tests/system-kmod-macros.at b/tests/system-kmod-macros.at > index 9ee1b1059d..f0f61d42ca 100644 > --- a/tests/system-kmod-macros.at > +++ b/tests/system-kmod-macros.at > @@ -66,7 +66,7 @@ m4_define([CHECK_CONNTRACK], > [modprobe mod || echo "Module mod not loaded." > on_exit 'modprobe -r mod' > ]) > - sysctl -w net.netfilter.nf_conntrack_helper=0 > + sysctl -ew net.netfilter.nf_conntrack_helper=0 > on_exit 'ovstest test-netlink-conntrack flush' > ] > )
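Review bot: the rewritten paragraph in the ovs-actions.7.rst hunk drops the security guidance the removed text carried (the netfilter team's recommendation to disable the helper sysctl, and the link http://www.netfilter.org/news.html#2012-04-03 that documents it), yet on kernels before 6.0 the knob still exists and still has the effect the old text warned about. Suggest keeping one sentence for those kernels, e.g. "On kernels where this option is still present, disabling it is recommended so that helpers are only assigned to flows that request them with ``alg=``.", and retaining the link as the reference for that recommendation.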
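Review bot: the change to `sysctl -ew net.netfilter.nf_conntrack_helper=0` in system-kmod-macros.at has no comment explaining why a missing key is tolerated, and `-e` also silences a mistyped key, so a future typo would leave the helper enabled on pre-6.0 kernels without the test noticing. Suggest a short comment above the line, e.g. `# nf_conntrack_helper was removed in Linux 6.0; -e ignores the missing key.`, and applying the same flag wherever else the test macros write this key so behaviour is consistent across kernel versions.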
There is one more place where we set this option - implementation of the ADD_NAMESPACES macro.

Best regards, Ilya Maximets.
