[ovs-dev] [PATCH] FAQ: Document the necessity of ct(alg=ftp).

Darrell Ball dball at vmware.com
Mon Dec 12 21:55:10 UTC 2016



On 12/12/16, 1:44 PM, "Joe Stringer" <joe at ovn.org> wrote:

    On 12 December 2016 at 13:24, Darrell Ball <dball at vmware.com> wrote:
    >
    >
    > On 12/12/16, 11:16 AM, "ovs-dev-bounces at openvswitch.org on behalf of Joe Stringer" <ovs-dev-bounces at openvswitch.org on behalf of joe at ovn.org> wrote:
    >
    >     Automatic helper assignment was disabled in Linux 4.7 or later, in
    >     upstream commit 3bb398d925ec ("netfilter: nf_ct_helper: disable
    >     automatic helper assignment").
    >
    >     Signed-off-by: Joe Stringer <joe at ovn.org>
    >     ---
    >      Documentation/faq/openflow.rst | 14 ++++++++++++++
    >      1 file changed, 14 insertions(+)
    >
    >     diff --git a/Documentation/faq/openflow.rst b/Documentation/faq/openflow.rst
    >     index d31bbef96c81..632f8e7190da 100644
    >     --- a/Documentation/faq/openflow.rst
    >     +++ b/Documentation/faq/openflow.rst
    >     @@ -535,3 +535,17 @@ Q: The "learn" action can't learn the action I want, can you improve it?
    >          - At least some of the features described in T. A. Hoff, "Extending Open
    >            vSwitch to Facilitate Creation of Stateful SDN Applications".
    >
    >     +Q: When using the "ct" action with FTP connections, it doesn't seem to matter
    >     +if I set the "alg=ftp" parameter in the action. Is this required?
    >     +
    >     +    A: Before Linux 4.7, automatic helper assignment was enabled by default.
    >     +    This means is that even if you do not specify ALGs, the traffic will be put
    >     +    through that ALG. In such cases, it is possible to construct OpenFlow
    >     +    tables using conntrack actions that are missing the FTP option, and the
    >     +    conntrack action will still track that FTP connection and correlate its
    >     +    sessions.
    >
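Review bot: the new FAQ answer never closes the loop on the question it poses: it explains why `alg=ftp` appears optional before Linux 4.7, but does not state that from 4.7 onward (where, per the commit message, automatic helper assignment is disabled) `ct(alg=ftp)` is required for the FTP connection to be tracked and its sessions correlated, so flow tables written without it stop working on newer kernels. Suggest ending the answer with that sentence. Also, `+    This means is that even if you do not specify ALGs, the traffic will be put` has a typo: "This means that".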
    > This is surprising behavior. As you mentioned offline, perhaps it is better to
    > recommend disabling through sysctl as a default?
    
    Yeah. How about this as a replacement for the above patch:

The new content looks OK to me. I am not sure about the placement “only” in ovs-ofctl.8.in.
It seems like the FAQ is also useful?
Ben’s suggestion of a cross-reference works for me.
    
    diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in
    index af1eb2b7baf2..906af814851a 100644
    --- a/utilities/ovs-ofctl.8.in
    +++ b/utilities/ovs-ofctl.8.in
    @@ -1856,6 +1856,15 @@ When committing related connections, the
    \fBct_mark\fR for that connection is
    inherited from the current \fBct_mark\fR stored with the original connection
    (ie, the connection created by \fBct(alg=...)\fR).
    .
    +.IP
    +Note that with the Linux datapath, global sysctl options affect the usage of
    +the \fBct\fR action. In particular, if \fInet.netfilter.nf_conntrack_helper\fR
    +is enabled then application layer gateway helpers may be executed even if the
    +\fBalg\fR option is not specified. This is the default setting until Linux 4.7.
    +For security reasons, the netfilter team recommends users to disable this
    +option. See this blog post for further details:
    +https://urldefense.proofpoint.com/v2/url?u=http-3A__www.netfilter.org_news.html-232012-2D04-2D03&d=DgIBaQ&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=3Mp7JEdZ-iY-2vn8mb2KqFwvqAxtuUGMNt_lffyk_-A&s=3CPh9_AHHEYFTsQlYYou_BtB0b6CIAhuGIR-Mg_wUaE&e= 
    +.
    .IP \fBnat\fR[\fB(\fR(\fBsrc\fR|\fBdst\fR)\fB=\fIaddr1\fR[\fB-\fIaddr2\fR][\fB:\fIport1\fR[\fB-\fIport2\fR]][\fB,\fIflags\fR]\fB)\fR]
    .
    Specify address and port translation for the connection being tracked.
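Review bot: the `+https://urldefense.proofpoint.com/v2/url?...` line carries a Proofpoint URL-defense wrapper that leaked from the author's mail client rather than the address being cited; the man page should carry the plain link (the wrapped form decodes to http://www.netfilter.org/news.html#2012-04-03), and the line also ends in trailing whitespace. Since the paragraph tells users the netfilter team recommends disabling the option, it would help to name the knob: setting `net.netfilter.nf_conntrack_helper` to 0 via sysctl, the same sysctl the paragraph already refers to. Minor wording: "recommends users to disable this option" reads better as "recommends that users disable this option".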
    