[ovs-discuss] What's the purpose of alg=ftp in the ct action?

Joe Stringer joe at ovn.org
Tue Dec 6 18:22:18 UTC 2016


On 6 December 2016 at 08:03, Samuel Jean via discuss
<ovs-discuss at openvswitch.org> wrote:
> Howdy folks,
>
> Yesterday, I was playing with the conntrack stuff available since 2.5 and I
> my assumption was that OVS relies on nf_conntrack for tracking tuples and
> states.  So for FTP to work, I assumed all I need is to make sure the
> nf_conntrack_ftp module is loaded to perform its duty.  It proved to work
> just fine.  However, the ovs-ofctl man page suggests to use the alg=ftp
> argument to the ct() action.  That puzzles me a bit since it seems all it
> does is to load the nf_conntrack_ftp module on my behalf.
>
> One of the few thoughts I had to justify that sugar syntax is to allow FTP
> session tracking regardless of the port on which the server is listening.
>
> Can anyone clarify the purpose of this argument and wether it is reliable to
> not use alg= at all but rather load the conntrack helpers and allow the
> ports on which the services are listening to?

Until recently, Linux has turned on automatic helper assignment by
default. What this means is that even if you do not specify ALGs, the
traffic will be put through that ALG. In such cases, it is possible to
construct OpenFlow tables using conntrack actions that are missing the
FTP option, and the conntrack action will track that FTP connection
and correlate its sessions.

However, Linux 4.7 turned this off by default:
https://github.com/torvalds/linux/commit/3bb398d925ec73e42b778cf823c8f4aecae359ea

So, to ensure that this works in a future-proof way you should always
specify the alg option for FTP control connections.

For more context, see the blog post from the netfilter team:
http://www.netfilter.org/news.html#2012-04-03


More information about the discuss mailing list