From patchwork Tue Jan 3 18:16:05 2017
X-Patchwork-Submitter: Joe Stringer
X-Patchwork-Id: 710580
From: Joe Stringer
To: dev@openvswitch.org
Date: Tue, 3 Jan 2017 10:16:05 -0800
Message-Id: <20170103181605.10301-1-joe@ovn.org>
Subject: [ovs-dev] [PATCHv2] ovs-ofctl.8: Document automatic helper assignment.

Due to upstream Linux feature "automatic helper assignment", up until recently when using ct() action with FTP traffic, it has not been necessary to specify the ALG parameter. However, automatic helper assignment was disabled in Linux 4.7 or later, in upstream commit 3bb398d925ec ("netfilter: nf_ct_helper: disable automatic helper assignment"). Document the need for this.

Signed-off-by: Joe Stringer
Acked-by: Jarno Rajahalme
---
v2: Document in both FAQ and ovs-ofctl(8).
---
 Documentation/faq/openflow.rst | 9 +++++++++
 utilities/ovs-ofctl.8.in | 10 ++++++++++
 2 files changed, 19 insertions(+)

diff --git a/Documentation/faq/openflow.rst b/Documentation/faq/openflow.rst
index abe89c6af123..529e3f50aadf 100644
--- a/Documentation/faq/openflow.rst
+++ b/Documentation/faq/openflow.rst
@@ -534,3 +534,12 @@ Q: The "learn" action can't learn the action I want, can you improve it? - At least some of the features described in T. A. Hoff, "Extending Open vSwitch to Facilitate Creation of Stateful SDN Applications". +Q: When using the "ct" action with FTP connections, it doesn't seem to matter +if I set the "alg=ftp" parameter in the action. Is this required? + + A: It is advisable to use this option. Some platforms may automatically + detect and apply ALGs in the "ct" action regardless of the parameters you + provide, however this is not consistent across all implementations. The + `ovs-ofctl(8) `_ + man pages contain further details in the description of the ALG parameter. + diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in index 49b3aa5f7dc4..03986421c9c3 100644 --- a/utilities/ovs-ofctl.8.in +++ b/utilities/ovs-ofctl.8.in @@ -1863,6 +1863,16 @@ When committing related connections, the \fBct_mark\fR for that connection is inherited from the current \fBct_mark\fR stored with the original connection (ie, the connection created by \fBct(alg=...)\fR). . +.IP +Note that with the Linux datapath, global sysctl options affect the usage of +the \fBct\fR action. In particular, if \fBnet.netfilter.nf_conntrack_helper\fR +is enabled then application layer gateway helpers may be executed even if the +\fBalg\fR option is not specified. This is the default setting until Linux 4.7. +For security reasons, the netfilter team recommends users to disable this +option. See this blog post for further details: +. +http://www.netfilter.org/news.html#2012-04-03 +. .IP \fBnat\fR[\fB(\fR(\fBsrc\fR|\fBdst\fR)\fB=\fIaddr1\fR[\fB-\fIaddr2\fR][\fB:\fIport1\fR[\fB-\fIport2\fR]][\fB,\fIflags\fR]\fB)\fR] . Specify address and port translation for the connection being tracked.
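Review bot: In the openflow.rst hunk, the new FAQ answer ("Some platforms may automatically detect and apply ALGs ... this is not consistent across all implementations") leaves out the concrete reason the commit message gives, namely that Linux 4.7 and later disable automatic helper assignment, so a reader on a current kernel does not learn that omitting "alg=ftp" means no FTP helper will run for that connection. Suggest stating it directly, e.g. "On Linux kernels before 4.7 the FTP helper may be applied automatically; on 4.7 and later it is only applied when alg=ftp is specified, so always set it." Also, as the hunk appears here the reference reads `ovs-ofctl(8) `_ with an empty link target; please confirm the URL inside the angle brackets survived before merging.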
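Review bot: In the ovs-ofctl.8.in hunk, "This is the default setting until Linux 4.7." is ambiguous about which direction the default flips; combined with the preceding "if ... is enabled then ... helpers may be executed", a reader could take it to mean the sysctl is disabled before 4.7. Suggest: "Kernels before 4.7 enable this sysctl by default; Linux 4.7 and later disable it by default." Since the note already tells administrators the netfilter team recommends disabling the option, it would help to say how to verify the current value, e.g. "check with \fBsysctl net.netfilter.nf_conntrack_helper\fR" (a value of 0 means helpers run only when \fBalg\fR is specified). Two style points: "application layer gateway helpers" should be hyphenated as "application-layer gateway helpers", and "recommends users to disable this option" reads better as "recommends that users disable this option".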