Message ID | CAPWQB7Hbz8St3EHZBRvAbEhCLSg9JeOBnFkN=ijUnakGz0s1aA@mail.gmail.com
---|---
State | Not Applicable
On 12/12/16, 1:44 PM, "Joe Stringer" <joe@ovn.org> wrote:

On 12 December 2016 at 13:24, Darrell Ball <dball@vmware.com> wrote:
>
> On 12/12/16, 11:16 AM, "ovs-dev-bounces@openvswitch.org on behalf of Joe Stringer" <ovs-dev-bounces@openvswitch.org on behalf of joe@ovn.org> wrote:
>
> Automatic helper assignment was disabled in Linux 4.7 or later, in
> upstream commit 3bb398d925ec ("netfilter: nf_ct_helper: disable
> automatic helper assignment").
>
> Signed-off-by: Joe Stringer <joe@ovn.org>
> ---
> Documentation/faq/openflow.rst | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/Documentation/faq/openflow.rst b/Documentation/faq/openflow.rst > index d31bbef96c81..632f8e7190da 100644 > --- a/Documentation/faq/openflow.rst > +++ b/Documentation/faq/openflow.rst > @@ -535,3 +535,17 @@ Q: The "learn" action can't learn the action I want, can you improve it? > - At least some of the features described in T. A. Hoff, "Extending Open > vSwitch to Facilitate Creation of Stateful SDN Applications". > > +Q: When using the "ct" action with FTP connections, it doesn't seem to matter > +if I set the "alg=ftp" parameter in the action. Is this required? > + > + A: Before Linux 4.7, automatic helper assignment was enabled by default. > + This means is that even if you do not specify ALGs, the traffic will be put > + through that ALG. In such cases, it is possible to construct OpenFlow > + tables using conntrack actions that are missing the FTP option, and the > + conntrack action will still track that FTP connection and correlate its > + sessions.
>
> This is surprising behavior. As you mentioned offline, perhaps it is better to
> recommend disabling thru. sysctl as a default ?

Yeah. How about this as a replacement for the above patch:

The new content looks ok to me. I am not sure about the placement “only” in ovs-ofctl.8.in. It seems like FAQ is also useful ? Ben’s suggestion of a cross-reference works for me.
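Review bot: the quoted FAQ hunk has a stray word in the added answer, "+ This means is that even if you do not specify ALGs" should read "This means that", and the answer describes only the pre-4.7 default without telling the reader what to do. Since the cover letter states that automatic helper assignment is disabled in Linux 4.7 or later, the answer should say that alg=ftp is required on those kernels (and wherever the helper sysctl is off) and should always be set explicitly rather than relying on the kernel default.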
diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in index af1eb2b7baf2..906af814851a 100644 --- a/utilities/ovs-ofctl.8.in +++ b/utilities/ovs-ofctl.8.in @@ -1856,6 +1856,15 @@ When committing related connections, the \fBct_mark\fR for that connection is inherited from the current \fBct_mark\fR stored with the original connection (ie, the connection created by \fBct(alg=...)\fR). . +.IP +Note that with the Linux datapath, global sysctl options affect the usage of +the \fBct\fR action. In particular, if \fInet.netfilter.nf_conntrack_helper\fR +is enabled then application layer gateway helpers may be executed even if the +\fBalg\fR option is not specified. This is the default setting until Linux 4.7. +For security reasons, the netfilter team recommends users to disable this +option. See this blog post for further details: +https://urldefense.proofpoint.com/v2/url?u=http-3A__www.netfilter.org_news.html-232012-2D04-2D03&d=DgIBaQ&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=3Mp7JEdZ-iY-2vn8mb2KqFwvqAxtuUGMNt_lffyk_-A&s=3CPh9_AHHEYFTsQlYYou_BtB0b6CIAhuGIR-Mg_wUaE&e= +. .IP \fBnat\fR[\fB(\fR(\fBsrc\fR|\fBdst\fR)\fB=\fIaddr1\fR[\fB-\fIaddr2\fR][\fB:\fIport1\fR[\fB-\fIport2\fR]][\fB,\fIflags\fR]\fB)\fR] . Specify address and port translation for the connection being tracked.
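Review bot: the URL in the added paragraph is a urldefense.proofpoint.com redirector wrapping the netfilter.org news entry, which should not be committed into the man page; use the direct link http://www.netfilter.org/news.html#2012-04-03 instead. Also, \fInet.netfilter.nf_conntrack_helper\fR names a literal sysctl, so \fB...\fR matches the convention used for \fBct\fR and \fBalg\fR in the same paragraph.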
On Mon, Dec 12, 2016 at 01:44:02PM -0800, Joe Stringer wrote:
> +the \fBct\fR action. In particular, if \fInet.netfilter.nf_conntrack_helper\fR

\fI should be \fB here since it's a literal name.

Thanks,
Ben.
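The thread describes OpenFlow tables whose ct() actions omit alg=ftp yet still track FTP, only because net.netfilter.nf_conntrack_helper auto-assigns the helper. The following is an added example, not code from the thread or from Open vSwitch: a small audit that scans constructed `ovs-ofctl dump-flows` style output together with the sysctl value and flags FTP flows that depend on that implicit behaviour. The sample flow lines and the helper functions `ct_option_sets` and `audit_flows` are assumptions made for this example.

```python
import re

# Constructed sample in the style of `ovs-ofctl dump-flows br0` output (made up for this
# example, not from the thread). The priority=90 flow is the FAQ case: FTP control traffic
# passed through ct() with no alg=ftp.
SAMPLE_FLOWS = """\
 cookie=0x0, duration=12.3s, table=0, n_packets=0, priority=100,tcp,tp_dst=21 actions=ct(commit,alg=ftp,nat(src=10.0.0.1)),NORMAL
 cookie=0x0, duration=12.3s, table=0, n_packets=0, priority=90,tcp,tp_dst=21 actions=ct(commit),NORMAL
 cookie=0x0, duration=12.3s, table=0, n_packets=0, priority=50,tcp actions=ct(table=1)
"""

def ct_option_sets(actions):
    """Return the option set of each ct(...) action, honouring nested parens such as nat(...)."""
    result = []
    for m in re.finditer(r"\bct\(", actions):
        depth, end = 1, m.end()
        while end < len(actions) and depth:          # locate the matching ')'
            depth += (actions[end] == "(") - (actions[end] == ")")
            end += 1
        opts, buf, nest = [], "", 0                  # split on top-level commas only
        for ch in actions[m.end():end - 1]:
            if ch == "," and nest == 0:
                opts.append(buf)
                buf = ""
                continue
            nest += (ch == "(") - (ch == ")")
            buf += ch
        opts.append(buf)
        result.append({o.strip() for o in opts if o.strip()})
    return result

def audit_flows(dump, helper_sysctl):
    """Flag ct() actions on FTP control traffic that rely on automatic helper assignment.
    helper_sysctl is net.netfilter.nf_conntrack_helper (1 = helpers attach even without alg=)."""
    findings = []
    if helper_sysctl:
        findings.append("net.netfilter.nf_conntrack_helper=1: ALG helpers run even when ct() has no alg=")
    for line in dump.splitlines():
        match_part, sep, actions = line.strip().partition(" actions=")
        if not sep:
            continue
        fields = {f.strip() for f in match_part.split(",")}
        prio = next((f for f in fields if f.startswith("priority=")), "priority=?")
        for opts in ct_option_sets(actions):
            if "alg=ftp" in opts or not {"tcp", "tp_dst=21"} <= fields:
                continue
            if helper_sysctl:
                findings.append(f"{prio}: FTP tracked only by auto-assigned helper; add alg=ftp before disabling the sysctl")
            else:
                findings.append(f"{prio}: ct() without alg=ftp; FTP data connections will not be tracked as related")
    return findings
```

Running `audit_flows(SAMPLE_FLOWS, 1)` reports the sysctl plus the priority=90 flow; with the sysctl at 0 the same flow is reported as silently losing FTP data-connection tracking.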
diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in index af1eb2b7baf2..906af814851a 100644 --- a/utilities/ovs-ofctl.8.in +++ b/utilities/ovs-ofctl.8.in @@ -1856,6 +1856,15 @@ When committing related connections, the \fBct_mark\fR for that connection is inherited from the current \fBct_mark\fR stored with the original connection (ie, the connection created by \fBct(alg=...)\fR). . +.IP +Note that with the Linux datapath, global sysctl options affect the usage of +the \fBct\fR action. In particular, if \fInet.netfilter.nf_conntrack_helper\fR +is enabled then application layer gateway helpers may be executed even if the +\fBalg\fR option is not specified. This is the default setting until Linux 4.7. +For security reasons, the netfilter team recommends users to disable this +option. See this blog post for further details: +http://www.netfilter.org/news.html#2012-04-03 +. .IP \fBnat\fR[\fB(\fR(\fBsrc\fR|\fBdst\fR)\fB=\fIaddr1\fR[\fB-\fIaddr2\fR][\fB:\fIport1\fR[\fB-\fIport2\fR]][\fB,\fIflags\fR]\fB)\fR] .
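Review bot: "This is the default setting until Linux 4.7" is ambiguous about whether 4.7 itself still defaults to enabled; the cover letter states automatic assignment was disabled in Linux 4.7 or later, so "in kernels before Linux 4.7" says it exactly. The paragraph also says the netfilter team recommends disabling the option but not how; naming the value to set (net.netfilter.nf_conntrack_helper=0) lets the reader act on it, and a cross-reference from the FAQ, as discussed in the thread, would make the note discoverable from where users first hit the surprise.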