
[ovs-dev] FAQ: Document the necessity of ct(alg=ftp).

Message ID 20161212191650.5694-1-joe@ovn.org
State Changes Requested

Commit Message

Joe Stringer Dec. 12, 2016, 7:16 p.m. UTC
Automatic helper assignment was disabled in Linux 4.7 or later, in
upstream commit 3bb398d925ec ("netfilter: nf_ct_helper: disable
automatic helper assignment").

Signed-off-by: Joe Stringer <joe@ovn.org>
---
 Documentation/faq/openflow.rst | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

Comments

Joe Stringer Dec. 12, 2016, 8:54 p.m. UTC | #1
On 12 December 2016 at 11:33, Ben Pfaff <blp@ovn.org> wrote:
> On Mon, Dec 12, 2016 at 11:16:50AM -0800, Joe Stringer wrote:
>> Automatic helper assignment was disabled in Linux 4.7 or later, in
>> upstream commit 3bb398d925ec ("netfilter: nf_ct_helper: disable
>> automatic helper assignment").
>>
>> Signed-off-by: Joe Stringer <joe@ovn.org>
>> ---
>>  Documentation/faq/openflow.rst | 14 ++++++++++++++
>>  1 file changed, 14 insertions(+)
>>
>> diff --git a/Documentation/faq/openflow.rst b/Documentation/faq/openflow.rst
>> index d31bbef96c81..632f8e7190da 100644
>> --- a/Documentation/faq/openflow.rst
>> +++ b/Documentation/faq/openflow.rst
>> @@ -535,3 +535,17 @@ Q: The "learn" action can't learn the action I want, can you improve it?
>>      - At least some of the features described in T. A. Hoff, "Extending Open
>>        vSwitch to Facilitate Creation of Stateful SDN Applications".
>>
>> +Q: When using the "ct" action with FTP connections, it doesn't seem to matter
>> +if I set the "alg=ftp" parameter in the action. Is this required?
>> +
>> +    A: Before Linux 4.7, automatic helper assignment was enabled by default.
>> +    This means is that even if you do not specify ALGs, the traffic will be put
>> +    through that ALG. In such cases, it is possible to construct OpenFlow
>> +    tables using conntrack actions that are missing the FTP option, and the
>> +    conntrack action will still track that FTP connection and correlate its
>> +    sessions. When using kernels 4.7 or higher, or if the "nf_conntrack_helper"
>> +    sysctl is disabled, you should always specify the alg option for FTP
>> +    control connections.
>> +
>> +    For more context, see the blog post from the netfilter team:
>> +    http://www.netfilter.org/news.html#2012-04-03
>
> This is nice but what about also documenting it alongside the option
> itself, e.g. add this:
>
> diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in
> index af1eb2b..0be4e0c 100644
> --- a/utilities/ovs-ofctl.8.in
> +++ b/utilities/ovs-ofctl.8.in
> @@ -1839,8 +1839,10 @@ tracker with the \fBtable\fR specified.
>  The \fBcommit\fR parameter must be specified to use \fBexec(...)\fR.
>  .
>  .IP \fBalg=\fIalg\fR
> -Specify application layer gateway \fIalg\fR to track specific connection
> -types. Supported types include:
> +With Linux kernels before 4.7, automatic helper assignment was enabled
> +by default and this option has no effect.  With later kernels, this
> +option enables particular application level gateway \fIalg\fR.  Supported
> +\fIalg\fR types include:
>  .RS
>  .IP \fBftp\fR
>  Look for negotiation of FTP data connections. If a subsequent FTP data
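Review bot: the new sentence "With Linux kernels before 4.7, automatic helper assignment was enabled by default and this option has no effect" overstates it: automatic assignment only covers the default case (it depends on the nf_conntrack_helper sysctl being enabled and, as the thread notes, on the FTP control traffic using the usual port, and it is specific to the Linux kernel datapath), so the option still selects the helper explicitly and users are better served by "Always specify \fIalg\fR; on Linux kernels before 4.7 with automatic helper assignment enabled the helper may also be attached without it." Also "enables particular application level gateway \fIalg\fR" is missing an article: "enables the particular application layer gateway \fIalg\fR".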
>
> Acked-by: Ben Pfaff <blp@ovn.org>

It's a little more subtle than that, since even on earlier kernels the
sysctl exists and may be disabled. Furthermore, even if it's enabled,
if for instance you have FTP control traffic going over an unusual
port then I'm not sure that the automatic helpers will kick in. This
is also Linux datapath specific, so it doesn't apply to the proposed
Windows datapath support and wouldn't apply to userspace datapath on
Linux either, if/when it is introduced. The proposed patch here should
be updated with this in mind too.

I think that this is really just a platform-specific debugging tip
which complicates the explanation in ovs-ofctl(8). Ideally people
using this feature should always specify the ALG, even if it has no
effect on some platforms since over time it's going to be required on
all platforms anyway.
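The advice above amounts to "never rely on automatic helper assignment". A small lint over `ovs-ofctl dump-flows` output that flags flows committing an FTP control connection without `alg=ftp` follows, as an added example that is not part of this thread or of Open vSwitch; the flow lines are constructed, and the lint assumes flows match the control port with `tcp` and `tp_dst` rather than through `nw_proto`.

```python
import re

# Constructed sample of `ovs-ofctl dump-flows br0` output (not from the thread).
# The table=1 flow for port 21 commits the FTP control connection without alg=ftp.
SAMPLE_FLOWS = """\
 cookie=0x0, duration=3.1s, table=0, n_packets=0, n_bytes=0, priority=100,ct_state=-trk,tcp actions=ct(table=1)
 cookie=0x0, duration=3.1s, table=1, n_packets=0, n_bytes=0, priority=110,ct_state=+new+trk,tcp,tp_dst=21 actions=ct(commit),NORMAL
 cookie=0x0, duration=3.1s, table=1, n_packets=0, n_bytes=0, priority=110,ct_state=+new+trk,tcp,tp_dst=2121 actions=ct(commit,alg=ftp),NORMAL
 cookie=0x0, duration=3.1s, table=1, n_packets=0, n_bytes=0, priority=100,ct_state=+est+trk,tcp actions=NORMAL
"""

CT_ACTION = re.compile(r"ct\(([^)]*)\)")


def parse_flow(line):
    """Split one dump-flows line into its match fields and its action string."""
    match_part, _, actions = line.strip().partition(" actions=")
    fields = {}
    for token in match_part.split(","):
        key, _, value = token.strip().partition("=")
        fields[key] = value
    return fields, actions


def ct_params(actions):
    """Yield the parameter list of every ct(...) action, e.g. ['commit', 'alg=ftp']."""
    for inner in CT_ACTION.findall(actions):
        yield [p.strip() for p in inner.split(",") if p.strip()]


def find_missing_ftp_alg(dump, control_ports=(21,)):
    """Report flows that commit an FTP control connection without alg=ftp.

    Only flows matching TCP with tp_dst in control_ports are considered;
    widen control_ports for FTP servers listening on non-standard ports,
    where automatic helper assignment is least likely to kick in.
    """
    wanted = {str(p) for p in control_ports}
    findings = []
    for line in dump.splitlines():
        if "actions=" not in line:  # skips the NXST_FLOW reply header
            continue
        fields, actions = parse_flow(line)
        if "tcp" not in fields or fields.get("tp_dst") not in wanted:
            continue
        for params in ct_params(actions):
            if "commit" in params and "alg=ftp" not in params:
                findings.append((fields.get("table"), fields["tp_dst"], actions))
    return findings


if __name__ == "__main__":
    for table, port, actions in find_missing_ftp_alg(SAMPLE_FLOWS):
        print(f"table={table} tp_dst={port}: {actions} lacks alg=ftp")
```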
Ben Pfaff Dec. 12, 2016, 9:01 p.m. UTC | #2
On Mon, Dec 12, 2016 at 12:54:50PM -0800, Joe Stringer wrote:
> On 12 December 2016 at 11:33, Ben Pfaff <blp@ovn.org> wrote:
> > On Mon, Dec 12, 2016 at 11:16:50AM -0800, Joe Stringer wrote:
> >> Automatic helper assignment was disabled in Linux 4.7 or later, in
> >> upstream commit 3bb398d925ec ("netfilter: nf_ct_helper: disable
> >> automatic helper assignment").
> >>
> >> Signed-off-by: Joe Stringer <joe@ovn.org>
> >> ---
> >>  Documentation/faq/openflow.rst | 14 ++++++++++++++
> >>  1 file changed, 14 insertions(+)
> >>
> >> diff --git a/Documentation/faq/openflow.rst b/Documentation/faq/openflow.rst
> >> index d31bbef96c81..632f8e7190da 100644
> >> --- a/Documentation/faq/openflow.rst
> >> +++ b/Documentation/faq/openflow.rst
> >> @@ -535,3 +535,17 @@ Q: The "learn" action can't learn the action I want, can you improve it?
> >>      - At least some of the features described in T. A. Hoff, "Extending Open
> >>        vSwitch to Facilitate Creation of Stateful SDN Applications".
> >>
> >> +Q: When using the "ct" action with FTP connections, it doesn't seem to matter
> >> +if I set the "alg=ftp" parameter in the action. Is this required?
> >> +
> >> +    A: Before Linux 4.7, automatic helper assignment was enabled by default.
> >> +    This means is that even if you do not specify ALGs, the traffic will be put
> >> +    through that ALG. In such cases, it is possible to construct OpenFlow
> >> +    tables using conntrack actions that are missing the FTP option, and the
> >> +    conntrack action will still track that FTP connection and correlate its
> >> +    sessions. When using kernels 4.7 or higher, or if the "nf_conntrack_helper"
> >> +    sysctl is disabled, you should always specify the alg option for FTP
> >> +    control connections.
> >> +
> >> +    For more context, see the blog post from the netfilter team:
> >> +    http://www.netfilter.org/news.html#2012-04-03
> >
> > This is nice but what about also documenting it alongside the option
> > itself, e.g. add this:
> >
> > diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in
> > index af1eb2b..0be4e0c 100644
> > --- a/utilities/ovs-ofctl.8.in
> > +++ b/utilities/ovs-ofctl.8.in
> > @@ -1839,8 +1839,10 @@ tracker with the \fBtable\fR specified.
> >  The \fBcommit\fR parameter must be specified to use \fBexec(...)\fR.
> >  .
> >  .IP \fBalg=\fIalg\fR
> > -Specify application layer gateway \fIalg\fR to track specific connection
> > -types. Supported types include:
> > +With Linux kernels before 4.7, automatic helper assignment was enabled
> > +by default and this option has no effect.  With later kernels, this
> > +option enables particular application level gateway \fIalg\fR.  Supported
> > +\fIalg\fR types include:
> >  .RS
> >  .IP \fBftp\fR
> >  Look for negotiation of FTP data connections. If a subsequent FTP data
> >
> > Acked-by: Ben Pfaff <blp@ovn.org>
> 
> It's a little more subtle than that, since even on earlier kernels the
> sysctl exists and may be disabled. Furthermore, even if it's enabled,
> if for instance you have FTP control traffic going over an unusual
> port then I'm not sure that the automatic helpers will kick in. This
> is also Linux datapath specific, so it doesn't apply to the proposed
> Windows datapath support and wouldn't apply to userspace datapath on
> Linux either, if/when it is introduced. The proposed patch here should
> be updated with this in mind too.
> 
> I think that this is really just a platform-specific debugging tip
> which complicates the explanation in ovs-ofctl(8). Ideally people
> using this feature should always specify the ALG, even if it has no
> effect on some platforms since over time it's going to be required on
> all platforms anyway.

Maybe the FAQ entry should give this additional information and advice,
and then ovs-ofctl(8) could refer to it.
Darrell Ball Dec. 12, 2016, 9:24 p.m. UTC | #3
On 12/12/16, 11:16 AM, "ovs-dev-bounces@openvswitch.org on behalf of Joe Stringer" <ovs-dev-bounces@openvswitch.org on behalf of joe@ovn.org> wrote:

    Automatic helper assignment was disabled in Linux 4.7 or later, in
    upstream commit 3bb398d925ec ("netfilter: nf_ct_helper: disable
    automatic helper assignment").
    
    Signed-off-by: Joe Stringer <joe@ovn.org>
    ---
     Documentation/faq/openflow.rst | 14 ++++++++++++++
     1 file changed, 14 insertions(+)
    
    diff --git a/Documentation/faq/openflow.rst b/Documentation/faq/openflow.rst
    index d31bbef96c81..632f8e7190da 100644
    --- a/Documentation/faq/openflow.rst
    +++ b/Documentation/faq/openflow.rst
    @@ -535,3 +535,17 @@ Q: The "learn" action can't learn the action I want, can you improve it?
         - At least some of the features described in T. A. Hoff, "Extending Open
           vSwitch to Facilitate Creation of Stateful SDN Applications".
     
    +Q: When using the "ct" action with FTP connections, it doesn't seem to matter
    +if I set the "alg=ftp" parameter in the action. Is this required?
    +
    +    A: Before Linux 4.7, automatic helper assignment was enabled by default.
    +    This means is that even if you do not specify ALGs, the traffic will be put
    +    through that ALG. In such cases, it is possible to construct OpenFlow
    +    tables using conntrack actions that are missing the FTP option, and the
    +    conntrack action will still track that FTP connection and correlate its
    +    sessions. 

This is surprising behavior. As you mentioned offline, perhaps it is better to
recommend disabling it through sysctl as a default?


When using kernels 4.7 or higher, or if the "nf_conntrack_helper"
    +    sysctl is disabled, you should always specify the alg option for FTP
    +    control connections.
    +
    +    For more context, see the blog post from the netfilter team:
    +    http://www.netfilter.org/news.html#2012-04-03

Patch

diff --git a/Documentation/faq/openflow.rst b/Documentation/faq/openflow.rst
index d31bbef96c81..632f8e7190da 100644
--- a/Documentation/faq/openflow.rst
+++ b/Documentation/faq/openflow.rst
@@ -535,3 +535,17 @@  Q: The "learn" action can't learn the action I want, can you improve it?
     - At least some of the features described in T. A. Hoff, "Extending Open
       vSwitch to Facilitate Creation of Stateful SDN Applications".
 
+Q: When using the "ct" action with FTP connections, it doesn't seem to matter
+if I set the "alg=ftp" parameter in the action. Is this required?
+
+    A: Before Linux 4.7, automatic helper assignment was enabled by default.
+    This means is that even if you do not specify ALGs, the traffic will be put
+    through that ALG. In such cases, it is possible to construct OpenFlow
+    tables using conntrack actions that are missing the FTP option, and the
+    conntrack action will still track that FTP connection and correlate its
+    sessions. When using kernels 4.7 or higher, or if the "nf_conntrack_helper"
+    sysctl is disabled, you should always specify the alg option for FTP
+    control connections.
+
+    For more context, see the blog post from the netfilter team:
+    http://www.netfilter.org/news.html#2012-04-03
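Review bot: the answer's first paragraph has a stray word and a dangling reference: "This means is that even if you do not specify ALGs, the traffic will be put through that ALG" should read "This means that even if you do not specify an ALG, matching traffic will still be put through the kernel's helper for that protocol". The closing advice is also narrower than the thread's own conclusion: the "nf_conntrack_helper" sysctl can be disabled on kernels before 4.7 as well, and the behaviour is specific to the Linux kernel datapath, so suggest recommending the option unconditionally, e.g. "Always specify alg=ftp for FTP control connections; relying on automatic helper assignment only works on Linux kernels before 4.7 with that sysctl enabled, and not on other datapaths."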