From patchwork Wed Sep 7 13:15:38 2022
X-Patchwork-Submitter: Aaron Conole
X-Patchwork-Id: 1675275
From: Aaron Conole
To: dev@openvswitch.org
Cc: pablo@netfilter.org, i.maximets@ovn.org
Date: Wed, 7 Sep 2022 09:15:38 -0400
Message-Id: <20220907131538.6792-1-aconole@redhat.com>
Subject: [ovs-dev] [PATCH v2] system-kmod-testsuite: allow for missing nf_conntrack_helper key

With 'netfilter: remove nf_conntrack_helper sysctl toggle' applied, the nf_conntrack_helper sysctl knob is removed. The testsuite has been forcibly disabling this knob anyway, but the use of sysctl will still error out on an invalid key. By adding 'e' flag, sysctl command will ignore missing keys.

Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2022-August/397399.html
Signed-off-by: Aaron Conole

--- Documentation/ref/ovs-actions.7.rst | 11 +++++------ tests/system-kmod-macros.at | 2 +- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/Documentation/ref/ovs-actions.7.rst b/Documentation/ref/ovs-actions.7.rst index b59b7634fa..0e9faee416 100644 --- a/Documentation/ref/ovs-actions.7.rst +++ b/Documentation/ref/ovs-actions.7.rst 
@@ -1635,12 +1635,11 @@ The following options are available only with ``commit``: Related connections inherit ``ct_mark`` from that stored with the original connection (i.e. the connection created by ``ct(alg=...)``. -With the Linux datapath, global sysctl options affect ``ct`` behavior. In -particular, if ``net.netfilter.nf_conntrack_helper`` is enabled, which it is -by default until Linux 4.7, then application layer gateway helpers may be -executed even if *alg* is not specified. For security reasons, the netfilter -team recommends users disable this option. For further details, please see -http://www.netfilter.org/news.html#2012-04-03 . +With the Linux datapath, global sysctl options affect ``ct`` behavior. Prior +to Linux kernel 6.0, the ``net.netfilter.nf_conntrack_helper`` sysctl option +could be used to force helper assignment, even if the ``alg=`` option was not +added to a flow. This setting has been removed in newer versions of the +kernel. The ``ct`` action may be used as a primitive to construct stateful firewalls by selectively committing some traffic, then matching ``ct_state`` to allow diff --git a/tests/system-kmod-macros.at b/tests/system-kmod-macros.at index 9ee1b1059d..f0f61d42ca 100644 --- a/tests/system-kmod-macros.at +++ b/tests/system-kmod-macros.at @@ -66,7 +66,7 @@ m4_define([CHECK_CONNTRACK], [modprobe mod || echo "Module mod not loaded." on_exit 'modprobe -r mod' ]) - sysctl -w net.netfilter.nf_conntrack_helper=0 + sysctl -ew net.netfilter.nf_conntrack_helper=0 on_exit 'ovstest test-netlink-conntrack flush' ] )
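Review bot: In the Documentation/ref/ovs-actions.7.rst hunk, the replacement paragraph drops the guidance for kernels that still have the knob. The removed text said that with ``net.netfilter.nf_conntrack_helper`` enabled, helpers "may be executed even if *alg* is not specified", and that the netfilter team recommends disabling the option, with a reference link. The new text describes the option only in the past tense, so a reader running a kernel prior to 6.0 no longer learns that the option should be left disabled. Suggest keeping one sentence to that effect, with the reference, next to the statement that the setting has been removed in newer kernels. The commit subject and message mention only the testsuite, so the documentation change also deserves a line in the message or a patch of its own.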
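Review bot: In the tests/system-kmod-macros.at hunk, `sysctl -ew net.netfilter.nf_conntrack_helper=0` now passes silently when the key is unknown, and nothing in CHECK_CONNTRACK says why. Add a short comment above that line noting that the key is absent on kernels where the helper toggle has been removed, so the `-e` is not later dropped as noise or read as masking a real failure. Since `-e` ignores the error for any unknown key, a mistyped key name would pass unnoticed as well; guarding the write on the existence of /proc/sys/net/netfilter/nf_conntrack_helper and keeping plain `sysctl -w` would preserve the error on kernels that do have the key.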