[ovs-dev] [PATCH] FAQ: Document the necessity of ct(alg=ftp).

Joe Stringer joe at ovn.org
Mon Dec 12 20:54:50 UTC 2016


On 12 December 2016 at 11:33, Ben Pfaff <blp at ovn.org> wrote:
> On Mon, Dec 12, 2016 at 11:16:50AM -0800, Joe Stringer wrote:
>> Automatic helper assignment was disabled in Linux 4.7 or later, in
>> upstream commit 3bb398d925ec ("netfilter: nf_ct_helper: disable
>> automatic helper assignment").
>>
>> Signed-off-by: Joe Stringer <joe at ovn.org>
>> ---
>>  Documentation/faq/openflow.rst | 14 ++++++++++++++
>>  1 file changed, 14 insertions(+)
>>
>> diff --git a/Documentation/faq/openflow.rst b/Documentation/faq/openflow.rst
>> index d31bbef96c81..632f8e7190da 100644
>> --- a/Documentation/faq/openflow.rst
>> +++ b/Documentation/faq/openflow.rst
>> @@ -535,3 +535,17 @@ Q: The "learn" action can't learn the action I want, can you improve it?
>>      - At least some of the features described in T. A. Hoff, "Extending Open
>>        vSwitch to Facilitate Creation of Stateful SDN Applications".
>>
>> +Q: When using the "ct" action with FTP connections, it doesn't seem to matter
>> +if I set the "alg=ftp" parameter in the action. Is this required?
>> +
>> +    A: Before Linux 4.7, automatic helper assignment was enabled by default.
>> +    This means is that even if you do not specify ALGs, the traffic will be put
>> +    through that ALG. In such cases, it is possible to construct OpenFlow
>> +    tables using conntrack actions that are missing the FTP option, and the
>> +    conntrack action will still track that FTP connection and correlate its
>> +    sessions. When using kernels 4.7 or higher, or if the "nf_conntrack_helper"
>> +    sysctl is disabled, you should always specify the alg option for FTP
>> +    control connections.
>> +
>> +    For more context, see the blog post from the netfilter team:
>> +    http://www.netfilter.org/news.html#2012-04-03
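Review bot: In the second sentence of the new answer, "This means is that" has a stray "is", and "that ALG" has no antecedent because no ALG has been named at that point. Suggest "This means that FTP traffic is passed through the FTP ALG even if the flow does not specify alg=ftp." The answer also never says which datapath it describes. The nf_conntrack_helper sysctl is a Linux kernel setting, so a qualifier such as "with the Linux kernel datapath" would keep the entry from reading as a statement about every platform.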
>
> This is nice but what about also documenting it alongside the option
> itself, e.g. add this:
>
> diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in
> index af1eb2b..0be4e0c 100644
> --- a/utilities/ovs-ofctl.8.in
> +++ b/utilities/ovs-ofctl.8.in
> @@ -1839,8 +1839,10 @@ tracker with the \fBtable\fR specified.
>  The \fBcommit\fR parameter must be specified to use \fBexec(...)\fR.
>  .
>  .IP \fBalg=\fIalg\fR
> -Specify application layer gateway \fIalg\fR to track specific connection
> -types. Supported types include:
> +With Linux kernels before 4.7, automatic helper assignment was enabled
> +by default and this option has no effect.  With later kernels, this
> +option enables particular application level gateway \fIalg\fR.  Supported
> +\fIalg\fR types include:
>  .RS
>  .IP \fBftp\fR
>  Look for negotiation of FTP data connections. If a subsequent FTP data
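Review bot: The new first sentence says that before 4.7 "this option has no effect", which is stronger than the FAQ text in this thread supports. That text notes the nf_conntrack_helper sysctl can be disabled, in which case alg= is needed on those kernels as well. The rewrite also drops the old wording's statement of purpose ("to track specific connection types") and changes "application layer gateway" to "application level gateway". Suggest keeping the original description as the lead sentence and following it with the kernel note, worded along the lines of "may have no effect when automatic helper assignment is enabled".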
>
> Acked-by: Ben Pfaff <blp at ovn.org>

It's a little more subtle than that, since even on earlier kernels the
sysctl exists and may be disabled. Furthermore, even if it's enabled,
if for instance you have FTP control traffic going over an unusual
port then I'm not sure that the automatic helpers will kick in. This
is also Linux datapath specific, so it doesn't apply to the proposed
Windows datapath support and wouldn't apply to userspace datapath on
Linux either, if/when it is introduced. The proposed patch here should
be updated with this in mind too.

I think that this is really just a platform-specific debugging tip
which complicates the explanation in ovs-ofctl(8). Ideally people
using this feature should always specify the ALG, even if it has no
effect on some platforms since over time it's going to be required on
all platforms anyway.
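A way to find flow tables that depend on automatic helper assignment, as discussed in this thread. This is an added example, not code from the thread or from the OVS tree. The function names, the sample flows and the OpenFlow port numbers 1 and 2 are assumptions, and the match is a line-based heuristic over ovs-ofctl flow syntax.

```shell
#!/bin/sh
# Added example, not part of the OVS tree. Heuristic lint: report flows that
# commit FTP control connections (TCP destination port 21) to conntrack
# without alg=ftp. Such flows track FTP data connections only where the
# Linux kernel datapath still assigns helpers automatically.

# Read flows in ovs-ofctl add-flows/dump-flows syntax on stdin; print every
# flow that matches TCP port 21 and commits in ct() but never names alg=ftp.
flows_missing_ftp_alg() {
    awk '
        /^[ \t]*(#|$)/                { next }   # skip comments and blank lines
        !/(tp|tcp)_dst=21([^0-9]|$)/  { next }   # not an FTP control match
        !/ct\(/ || !/commit/          { next }   # no conntrack commit
        /alg=ftp/                     { next }   # helper named explicitly
        { print }
    '
}

# Constructed sample table: OpenFlow ports 1 (client) and 2 (server) are
# assumptions for the example.
sample_flows() {
    cat <<'EOF'
# control connection committed with the helper named explicitly
table=0,priority=100,in_port=1,tcp,tp_dst=21,actions=ct(commit,alg=ftp),output:2
# same match, but relies on automatic helper assignment
table=0,priority=90,in_port=1,tcp,tp_dst=21,actions=ct(commit),output:2
# port 210 and non-committing ct() must not be flagged
table=0,priority=80,in_port=1,tcp,tp_dst=210,actions=ct(commit),output:2
table=0,priority=70,in_port=2,tcp,actions=ct(table=1)
table=1,in_port=2,tcp,ct_state=+trk+rel,actions=output:1
EOF
}

# Current value of the sysctl discussed above, or "absent" when the
# nf_conntrack module is not loaded or the kernel does not expose the knob.
nf_helper_sysctl() {
    cat /proc/sys/net/netfilter/nf_conntrack_helper 2>/dev/null || echo absent
}
```

On a live switch, pipe the output of `ovs-ofctl dump-flows` for the bridge into `flows_missing_ftp_alg`; FTP control traffic on a non-standard port is outside what this heuristic matches.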

