
[ovs-dev,v2] system-kmod-testsuite: allow for missing nf_conntrack_helper key

Message ID 20220907131538.6792-1-aconole@redhat.com
State Changes Requested

Checks

Context                                Check    Description
ovsrobot/apply-robot                   success  apply and check: success
ovsrobot/github-robot-_Build_and_Test  success  github build: passed
ovsrobot/intel-ovs-compilation         success  test: success

Commit Message

Aaron Conole Sept. 7, 2022, 1:15 p.m. UTC
With 'netfilter: remove nf_conntrack_helper sysctl toggle' applied, the
nf_conntrack_helper sysctl knob is removed.  The testsuite has been forcibly
disabling this knob anyway, but the use of sysctl will still error out
on an invalid key.  By adding the 'e' flag, the sysctl command will ignore
missing keys.

Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2022-August/397399.html
Signed-off-by: Aaron Conole <aconole@redhat.com>
---
 Documentation/ref/ovs-actions.7.rst | 11 +++++------
 tests/system-kmod-macros.at         |  2 +-
 2 files changed, 6 insertions(+), 7 deletions(-)
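The commit message relies on `sysctl -e` to make the missing key a no-op on kernels from 6.0 onwards. The following added example (not code from the OVS patch or project) shows the same "disable if present, skip if absent" check written against the procfs tree directly, so a test can also confirm the knob really reads 0 afterwards; `SYSCTL_ROOT` is an assumed override that lets the function be exercised on a constructed directory instead of the live `/proc/sys`.

```shell
#!/bin/sh
# Added example, not part of the OVS patch: disable the conntrack helper
# auto-assignment toggle when the running kernel still has it, and say
# which case applied. SYSCTL_ROOT is an assumption for testability; the
# default is the real sysctl tree.
SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}

# Map a dotted sysctl key (net.netfilter.foo) to its procfs path.
sysctl_path() {
    printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# disable_conntrack_helper: prints "absent" and returns 0 when the key does
# not exist (Linux 6.0 and later removed it), prints "disabled" and returns 0
# once the key reads 0, prints "failed" and returns 1 if the key exists but
# could not be set to 0 (for example, no privilege to write it).
disable_conntrack_helper() {
    key=net.netfilter.nf_conntrack_helper
    path=$(sysctl_path "$key")
    if [ ! -f "$path" ]; then
        echo absent
        return 0
    fi
    # Same effect as `sysctl -w $key=0`, without depending on procps flags.
    printf '0\n' > "$path" 2>/dev/null || { echo failed; return 1; }
    # Verify the kernel (or the constructed tree) actually holds 0 now.
    [ "$(cat "$path")" = "0" ] || { echo failed; return 1; }
    echo disabled
    return 0
}
```

Run as root against the default tree, or point `SYSCTL_ROOT` at a scratch directory to see the "absent" and "disabled" paths without touching the host.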

Comments

Ilya Maximets Sept. 9, 2022, 5:17 p.m. UTC | #1
On 9/7/22 15:15, Aaron Conole wrote:
> With 'netfilter: remove nf_conntrack_helper sysctl toggle' applied, the
> nf_conntrack_helper sysctl knob is removed.  The testsuite has been forcibly
> disabling this knob anyway, but the use of sysctl will still error out
> on an invalid key.  By adding the 'e' flag, the sysctl command will ignore
> missing keys.
> 
> Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2022-August/397399.html
> Signed-off-by: Aaron Conole <aconole@redhat.com>
> ---
>  Documentation/ref/ovs-actions.7.rst | 11 +++++------
>  tests/system-kmod-macros.at         |  2 +-
>  2 files changed, 6 insertions(+), 7 deletions(-)
> 
> diff --git a/Documentation/ref/ovs-actions.7.rst b/Documentation/ref/ovs-actions.7.rst
> index b59b7634fa..0e9faee416 100644
> --- a/Documentation/ref/ovs-actions.7.rst
> +++ b/Documentation/ref/ovs-actions.7.rst
> @@ -1635,12 +1635,11 @@ The following options are available only with ``commit``:
>      Related connections inherit ``ct_mark`` from that stored with the original
>      connection (i.e. the connection created by ``ct(alg=...)``.
>  
> -With the Linux datapath, global sysctl options affect ``ct`` behavior.  In
> -particular, if ``net.netfilter.nf_conntrack_helper`` is enabled, which it is
> -by default until Linux 4.7, then application layer gateway helpers may be
> -executed even if *alg* is not specified.  For security reasons, the netfilter
> -team recommends users disable this option.  For further details, please see
> -http://www.netfilter.org/news.html#2012-04-03 .
> +With the Linux datapath, global sysctl options affect ``ct`` behavior.  Prior
> +to Linux kernel 6.0, the ``net.netfilter.nf_conntrack_helper`` sysctl option
> +could be used to force helper assignment, even if the ``alg=`` option was not
> +added to a flow.  This setting has been removed in newer versions of the
> +kernel.
>  
>  The ``ct`` action may be used as a primitive to construct stateful firewalls by
>  selectively committing some traffic, then matching ``ct_state`` to allow
> diff --git a/tests/system-kmod-macros.at b/tests/system-kmod-macros.at
> index 9ee1b1059d..f0f61d42ca 100644
> --- a/tests/system-kmod-macros.at
> +++ b/tests/system-kmod-macros.at
> @@ -66,7 +66,7 @@ m4_define([CHECK_CONNTRACK],
>                  [modprobe mod || echo "Module mod not loaded."
>                   on_exit 'modprobe -r mod'
>                  ])
> -     sysctl -w net.netfilter.nf_conntrack_helper=0
> +     sysctl -ew net.netfilter.nf_conntrack_helper=0
>       on_exit 'ovstest test-netlink-conntrack flush'
>      ]
>  )

There is one more place where we set this option - implementation
of the ADD_NAMESPACES macro.

Best regards, Ilya Maximets.

Patch

diff --git a/Documentation/ref/ovs-actions.7.rst b/Documentation/ref/ovs-actions.7.rst
index b59b7634fa..0e9faee416 100644
--- a/Documentation/ref/ovs-actions.7.rst
+++ b/Documentation/ref/ovs-actions.7.rst
@@ -1635,12 +1635,11 @@  The following options are available only with ``commit``:
     Related connections inherit ``ct_mark`` from that stored with the original
     connection (i.e. the connection created by ``ct(alg=...)``.
 
-With the Linux datapath, global sysctl options affect ``ct`` behavior.  In
-particular, if ``net.netfilter.nf_conntrack_helper`` is enabled, which it is
-by default until Linux 4.7, then application layer gateway helpers may be
-executed even if *alg* is not specified.  For security reasons, the netfilter
-team recommends users disable this option.  For further details, please see
-http://www.netfilter.org/news.html#2012-04-03 .
+With the Linux datapath, global sysctl options affect ``ct`` behavior.  Prior
+to Linux kernel 6.0, the ``net.netfilter.nf_conntrack_helper`` sysctl option
+could be used to force helper assignment, even if the ``alg=`` option was not
+added to a flow.  This setting has been removed in newer versions of the
+kernel.
 
 The ``ct`` action may be used as a primitive to construct stateful firewalls by
 selectively committing some traffic, then matching ``ct_state`` to allow
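Review bot: the rewritten paragraph starting at `+With the Linux datapath, global sysctl options affect ``ct`` behavior.  Prior` drops both the security rationale and the netfilter reference (`http://www.netfilter.org/news.html#2012-04-03`) that the removed lines carried, while the second hunk still disables the knob on kernels that have it; suggest keeping one sentence for pre-6.0 kernels, along the lines of `For security reasons, the netfilter team recommends users disable this option on kernels that still provide it`, together with the link, so readers learn why the sysctl matters and not only that it was removed. While this paragraph is being touched, the unchanged context line `connection (i.e. the connection created by ``ct(alg=...)``.` is missing its closing parenthesis.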
diff --git a/tests/system-kmod-macros.at b/tests/system-kmod-macros.at
index 9ee1b1059d..f0f61d42ca 100644
--- a/tests/system-kmod-macros.at
+++ b/tests/system-kmod-macros.at
@@ -66,7 +66,7 @@  m4_define([CHECK_CONNTRACK],
                 [modprobe mod || echo "Module mod not loaded."
                  on_exit 'modprobe -r mod'
                 ])
-     sysctl -w net.netfilter.nf_conntrack_helper=0
+     sysctl -ew net.netfilter.nf_conntrack_helper=0
      on_exit 'ovstest test-netlink-conntrack flush'
     ]
 )
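Review bot: `sysctl -ew net.netfilter.nf_conntrack_helper=0` turns the missing key into a no-op on Linux 6.0 and later, which is the intent, but `-e` also silences a misspelled key, so a typo on this line would disable nothing and the suite would not notice; a one-line comment above it stating why `-e` is needed (key removed in Linux 6.0) would keep the flag from being "cleaned up" later. As Ilya Maximets points out above, the same `sysctl -w net.netfilter.nf_conntrack_helper=0` also appears in the ADD_NAMESPACES macro and needs the same change, otherwise the suite still errors out there on newer kernels.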