[ovs-discuss] What's the purpose of alg=ftp in the ct action?

Ben Pfaff blp at ovn.org
Mon Dec 12 19:33:58 UTC 2016


On Mon, Dec 12, 2016 at 11:17:37AM -0800, Joe Stringer wrote:
> On 6 December 2016 at 11:19, Ben Pfaff <blp at ovn.org> wrote:
> > On Tue, Dec 06, 2016 at 10:22:18AM -0800, Joe Stringer wrote:
> >> Until recently, Linux has turned on automatic helper assignment by
> >> default. What this means is that even if you do not specify ALGs, the
> >> traffic will be put through that ALG. In such cases, it is possible to
> >> construct OpenFlow tables using conntrack actions that are missing the
> >> FTP option, and the conntrack action will track that FTP connection
> >> and correlate its sessions.
> >>
> >> However, Linux 4.7 turned this off by default:
> >> https://github.com/torvalds/linux/commit/3bb398d925ec73e42b778cf823c8f4aecae359ea
> >>
> >> So, to ensure that this works in a future-proof way you should always
> >> specify the alg option for FTP control connections.
> >
> > Is this something we should document?
> 
> I sent a patch:
> https://mail.openvswitch.org/pipermail/ovs-dev/2016-December/326101.html

Thanks!
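Added example, not part of the thread or of the OVS project's own code: a small check that reads flows in `ovs-ofctl` text form and reports any flow matching the FTP control port whose `ct(...commit...)` action lacks `alg=ftp`, the case that stops tracking related data connections once automatic helper assignment is off. The function name, the sample flow table and its port numbers are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample flow table (ovs-ofctl add-flows syntax).
# The bridge layout and port numbers are hypothetical.
sample_flows() {
cat <<'EOF'
table=0,priority=100,in_port=1,tcp,tp_dst=21,actions=ct(commit,alg=ftp),2
table=0,priority=100,in_port=1,tcp,tp_dst=2121,actions=ct(commit),2
table=0,priority=90,in_port=3,tcp,tp_dst=21,actions=ct(commit,zone=5),4
table=0,priority=100,in_port=2,tcp,actions=ct(table=1)
table=1,in_port=2,tcp,ct_state=+trk+rel,actions=1
EOF
}

# ftp_ct_missing_alg [PORT]  (hypothetical helper name)
# Reads flows on stdin and prints every flow that
#   1. matches TCP destination PORT (default 21, the FTP control port), and
#   2. commits the connection with ct(...), but
#   3. does not name the FTP helper with alg=ftp.
# Such a flow depends on the kernel assigning the helper automatically.
# Limitation: the check is per flow line, not per individual ct() action.
ftp_ct_missing_alg() {
    port="${1:-21}"
    awk -v port="$port" '
        # Exact match on the port field so that 21 does not match 2121.
        $0 ~ ("(^|[ ,])(tp|tcp)_dst=" port "([ ,]|$)") &&
        /ct\([^ ]*commit/ && !/alg=ftp/ { print }
    '
}

# Stand-alone run over the constructed table; on a live bridge the input
# would come from "ovs-ofctl dump-flows <bridge>" instead.
sample_flows | ftp_ct_missing_alg
```

If FTP control traffic runs on a non-default port, pass that port as the first argument.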

