[ovs-dev] [PATCH] FAQ: Document the necessity of ct(alg=ftp).
Joe Stringer
joe at ovn.org
Mon Dec 12 21:44:02 UTC 2016
On 12 December 2016 at 13:24, Darrell Ball <dball at vmware.com> wrote:
>
>
> On 12/12/16, 11:16 AM, "ovs-dev-bounces at openvswitch.org on behalf of Joe Stringer" <ovs-dev-bounces at openvswitch.org on behalf of joe at ovn.org> wrote:
>
> Automatic helper assignment was disabled in Linux 4.7 or later, in
> upstream commit 3bb398d925ec ("netfilter: nf_ct_helper: disable
> automatic helper assignment").
>
> Signed-off-by: Joe Stringer <joe at ovn.org>
> ---
> Documentation/faq/openflow.rst | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/Documentation/faq/openflow.rst b/Documentation/faq/openflow.rst
> index d31bbef96c81..632f8e7190da 100644
> --- a/Documentation/faq/openflow.rst
> +++ b/Documentation/faq/openflow.rst
> @@ -535,3 +535,17 @@ Q: The "learn" action can't learn the action I want, can you improve it?
> - At least some of the features described in T. A. Hoff, "Extending Open
> vSwitch to Facilitate Creation of Stateful SDN Applications".
>
> +Q: When using the "ct" action with FTP connections, it doesn't seem to matter
> +if I set the "alg=ftp" parameter in the action. Is this required?
> +
> + A: Before Linux 4.7, automatic helper assignment was enabled by default.
> + This means is that even if you do not specify ALGs, the traffic will be put
> + through that ALG. In such cases, it is possible to construct OpenFlow
> + tables using conntrack actions that are missing the FTP option, and the
> + conntrack action will still track that FTP connection and correlate its
> + sessions.
>
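Review bot: the answer stops at describing the pre-4.7 behaviour and never tells the reader what to do; the new Q/A should end by recommending that alg=ftp always be specified, because on Linux 4.7 or later (where the commit message says automatic helper assignment is disabled) a table that omits it will no longer track the FTP data connection as related, and it can name net.netfilter.nf_conntrack_helper for anyone who needs to know which behaviour their host has. Wording: "This means is that" should read "This means that". Also, the diffstat reports 14 insertions but only nine added lines are quoted here, so the tail of the hunk appears to have been trimmed in the reply.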
> This is surprising behavior. As you mentioned offline, perhaps it is better to
> recommend disabling through sysctl as a default?
Yeah. How about this as a replacement for the above patch:
diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in
index af1eb2b7baf2..906af814851a 100644
--- a/utilities/ovs-ofctl.8.in
+++ b/utilities/ovs-ofctl.8.in
@@ -1856,6 +1856,15 @@ When committing related connections, the
\fBct_mark\fR for that connection is
inherited from the current \fBct_mark\fR stored with the original connection
(ie, the connection created by \fBct(alg=...)\fR).
.
+.IP
+Note that with the Linux datapath, global sysctl options affect the usage of
+the \fBct\fR action. In particular, if \fInet.netfilter.nf_conntrack_helper\fR
+is enabled then application layer gateway helpers may be executed even if the
+\fBalg\fR option is not specified. This is the default setting until Linux 4.7.
+For security reasons, the netfilter team recommends users to disable this
+option. See this blog post for further details:
+http://www.netfilter.org/news.html#2012-04-03
+.
.IP \fBnat\fR[\fB(\fR(\fBsrc\fR|\fBdst\fR)\fB=\fIaddr1\fR[\fB-\fIaddr2\fR][\fB:\fIport1\fR[\fB-\fIport2\fR]][\fB,\fIflags\fR]\fB)\fR]
.
Specify address and port translation for the connection being tracked.
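Review bot: the new paragraph says helpers may run without the alg option but not what the user should do about it in OpenFlow terms; add a sentence that alg should be specified regardless, since with the sysctl disabled (the case on Linux 4.7 or later, per the earlier commit message) only ct(alg=...) attaches a helper, so a flow table that relied on the implicit helper would silently stop seeing the FTP data connection as related. It would also help to give the knob in the form the user types, e.g. sysctl -w net.netfilter.nf_conntrack_helper=0, and to cite upstream commit 3bb398d925ec from the earlier patch so readers can find the kernel change. Wording: "recommends users to disable this option" should read "recommends that users disable this option", and "the default setting until Linux 4.7" leaves it unclear whether 4.7 itself still enables it; "before Linux 4.7" matches the commit message.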
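An added example for this thread, not code from the OVS tree or from either patch author: a small POSIX shell script that checks which helper mode a host is in, prints the remediation the man-page note points at, and emits an FTP-only flow set that names the ALG explicitly so it behaves the same whether or not net.netfilter.nf_conntrack_helper is enabled. The bridge name, the two-table layout and the priorities are illustrative choices, not something the thread prescribes; the optional file argument to helper_mode exists only so the check can be exercised against a copy of the sysctl file.

```shell
#!/bin/sh
# Added example for the ovs-dev discussion above, not OVS project code.
# Assumptions: Linux datapath; caller supplies the bridge name; the pipeline
# layout below (table 0 -> table 1) is a conventional example layout.

HELPER_SYSCTL=/proc/sys/net/netfilter/nf_conntrack_helper

# helper_mode [file]: print one of
#   implicit  nf_conntrack_helper=1, helpers attach even without ct(alg=...)
#   explicit  nf_conntrack_helper=0, only ct(alg=...) attaches a helper
#   unknown   file absent or unreadable (nf_conntrack not loaded, non-Linux)
# The optional argument lets the check run against a copy of the sysctl file;
# by default it reads the live one.
helper_mode() {
    f=${1:-$HELPER_SYSCTL}
    [ -r "$f" ] || { echo unknown; return 0; }
    case $(tr -d '[:space:]' < "$f") in
        1) echo implicit ;;
        0) echo explicit ;;
        *) echo unknown ;;
    esac
}

# audit [file]: print a verdict and return 1 when helpers run implicitly,
# so a deployment script can refuse to install flows on such a host.
audit() {
    case $(helper_mode "$1") in
        implicit)
            echo "WARN: net.netfilter.nf_conntrack_helper=1; ALGs run without ct(alg=...)."
            echo "      Remediation: sysctl -w net.netfilter.nf_conntrack_helper=0"
            return 1 ;;
        explicit)
            echo "OK: net.netfilter.nf_conntrack_helper=0; only ct(alg=...) attaches a helper." ;;
        *)
            echo "INFO: sysctl not readable; helper mode unknown on this host." ;;
    esac
}

# ftp_flows bridge: print ovs-ofctl commands for an FTP-only policy that does
# not depend on implicit helper assignment. The data connection is admitted
# only because it shows up as +rel, which happens only when ct(alg=ftp) was
# named on the control connection; without the ALG it arrives as +new and
# falls through to the drop rule.
ftp_flows() {
    br=$1
    cat <<EOF
ovs-ofctl add-flow $br "table=0,priority=10,ip,ct_state=-trk,actions=ct(table=1)"
ovs-ofctl add-flow $br "table=1,priority=20,tcp,tp_dst=21,ct_state=+trk+new,actions=ct(commit,alg=ftp),normal"
ovs-ofctl add-flow $br "table=1,priority=15,ip,ct_state=+trk+rel,actions=ct(commit),normal"
ovs-ofctl add-flow $br "table=1,priority=10,ip,ct_state=+trk+est,actions=normal"
ovs-ofctl add-flow $br "table=1,priority=0,actions=drop"
EOF
}

# Usage on a host: . ./ct_helper_audit.sh && audit && ftp_flows br0 | sh
```

The point of the drop rule at priority 0 is that it makes the dependency visible: on a pre-4.7 kernel with the sysctl enabled the data channel would pass even if alg=ftp were removed from the control-connection rule, while on a host that has disabled the helper sysctl the same omission drops every FTP transfer, which is why the flow names the ALG rather than trusting the host default.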