| Message ID | CAPWQB7Hbz8St3EHZBRvAbEhCLSg9JeOBnFkN=ijUnakGz0s1aA@mail.gmail.com |
|---|---|
| State | Not Applicable |
| Headers | show |
On 12/12/16, 1:44 PM, "Joe Stringer" <joe@ovn.org> wrote:
On 12 December 2016 at 13:24, Darrell Ball <dball@vmware.com> wrote:
>
>
> On 12/12/16, 11:16 AM, "ovs-dev-bounces@openvswitch.org on behalf of Joe Stringer" <ovs-dev-bounces@openvswitch.org on behalf of joe@ovn.org> wrote:
>
> Automatic helper assignment was disabled in Linux 4.7 or later, in
> upstream commit 3bb398d925ec ("netfilter: nf_ct_helper: disable
> automatic helper assignment").
>
> Signed-off-by: Joe Stringer <joe@ovn.org>
> ---
> Documentation/faq/openflow.rst | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/Documentation/faq/openflow.rst b/Documentation/faq/openflow.rst
> index d31bbef96c81..632f8e7190da 100644
> --- a/Documentation/faq/openflow.rst
> +++ b/Documentation/faq/openflow.rst
> @@ -535,3 +535,17 @@ Q: The "learn" action can't learn the action I want, can you improve it?
> - At least some of the features described in T. A. Hoff, "Extending Open
> vSwitch to Facilitate Creation of Stateful SDN Applications".
>
> +Q: When using the "ct" action with FTP connections, it doesn't seem to matter
> +if I set the "alg=ftp" parameter in the action. Is this required?
> +
> + A: Before Linux 4.7, automatic helper assignment was enabled by default.
> + This means is that even if you do not specify ALGs, the traffic will be put
> + through that ALG. In such cases, it is possible to construct OpenFlow
> + tables using conntrack actions that are missing the FTP option, and the
> + conntrack action will still track that FTP connection and correlate its
> + sessions.
>
> This is surprising behavior. As you mentioned offline, perhaps it is better to
> recommend disabling thru. sysctl as a default ?
Yeah. How about this as a replacement for the above patch:
The new content looks ok to me. I am not sure about the placement “only” in ovs-ofctl.8.in.
It seems like FAQ is also useful ?
Ben’s suggestion of a cross-reference works for me.
diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in
index af1eb2b7baf2..906af814851a 100644
--- a/utilities/ovs-ofctl.8.in
+++ b/utilities/ovs-ofctl.8.in
@@ -1856,6 +1856,15 @@ When committing related connections, the
\fBct_mark\fR for that connection is
inherited from the current \fBct_mark\fR stored with the original connection
(ie, the connection created by \fBct(alg=...)\fR).
.
+.IP
+Note that with the Linux datapath, global sysctl options affect the usage of
+the \fBct\fR action. In particular, if \fInet.netfilter.nf_conntrack_helper\fR
+is enabled then application layer gateway helpers may be executed even if the
+\fBalg\fR option is not specified. This is the default setting until Linux 4.7.
+For security reasons, the netfilter team recommends users to disable this
+option. See this blog post for further details:
+https://urldefense.proofpoint.com/v2/url?u=http-3A__www.netfilter.org_news.html-232012-2D04-2D03&d=DgIBaQ&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=3Mp7JEdZ-iY-2vn8mb2KqFwvqAxtuUGMNt_lffyk_-A&s=3CPh9_AHHEYFTsQlYYou_BtB0b6CIAhuGIR-Mg_wUaE&e=
+.
.IP \fBnat\fR[\fB(\fR(\fBsrc\fR|\fBdst\fR)\fB=\fIaddr1\fR[\fB-\fIaddr2\fR][\fB:\fIport1\fR[\fB-\fIport2\fR]][\fB,\fIflags\fR]\fB)\fR]
.
Specify address and port translation for the connection being tracked.
\fI should be \fB here since it's a literal name:
On Mon, Dec 12, 2016 at 01:44:02PM -0800, Joe Stringer wrote:
> +the \fBct\fR action. In particular, if \fInet.netfilter.nf_conntrack_helper\fR
Thanks,
Ben.
diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in index af1eb2b7baf2..906af814851a 100644 --- a/utilities/ovs-ofctl.8.in +++ b/utilities/ovs-ofctl.8.in @@ -1856,6 +1856,15 @@ When committing related connections, the \fBct_mark\fR for that connection is inherited from the current \fBct_mark\fR stored with the original connection (ie, the connection created by \fBct(alg=...)\fR). . +.IP +Note that with the Linux datapath, global sysctl options affect the usage of +the \fBct\fR action. In particular, if \fInet.netfilter.nf_conntrack_helper\fR +is enabled then application layer gateway helpers may be executed even if the +\fBalg\fR option is not specified. This is the default setting until Linux 4.7. +For security reasons, the netfilter team recommends users to disable this +option. See this blog post for further details: +http://www.netfilter.org/news.html#2012-04-03 +. .IP \fBnat\fR[\fB(\fR(\fBsrc\fR|\fBdst\fR)\fB=\fIaddr1\fR[\fB-\fIaddr2\fR][\fB:\fIport1\fR[\fB-\fIport2\fR]][\fB,\fIflags\fR]\fB)\fR] .