Message ID | 20170103181605.10301-1-joe@ovn.org |
---|---|
State | Accepted |
Acked-by: Jarno Rajahalme <jarno@ovn.org> > On Jan 3, 2017, at 10:16 AM, Joe Stringer <joe@ovn.org> wrote: > > Due to upstream Linux feature "automatic helper assignment", up until > recently when using ct() action with FTP traffic, it has not been > necessary to specify the ALG parameter. However, automatic helper > assignment was disabled in Linux 4.7 or later, in upstream commit > 3bb398d925ec ("netfilter: nf_ct_helper: disable automatic helper > assignment"). Document the need for this. > > Signed-off-by: Joe Stringer <joe@ovn.org> > --- > v2: Document in both FAQ and ovs-ofctl(8). > --- > Documentation/faq/openflow.rst | 9 +++++++++ > utilities/ovs-ofctl.8.in | 10 ++++++++++ > 2 files changed, 19 insertions(+) > > diff --git a/Documentation/faq/openflow.rst b/Documentation/faq/openflow.rst > index abe89c6af123..529e3f50aadf 100644 > --- a/Documentation/faq/openflow.rst > +++ b/Documentation/faq/openflow.rst > @@ -534,3 +534,12 @@ Q: The "learn" action can't learn the action I want, can you improve it? > - At least some of the features described in T. A. Hoff, "Extending Open > vSwitch to Facilitate Creation of Stateful SDN Applications". > > +Q: When using the "ct" action with FTP connections, it doesn't seem to matter > +if I set the "alg=ftp" parameter in the action. Is this required? > + > + A: It is advisable to use this option. Some platforms may automatically > + detect and apply ALGs in the "ct" action regardless of the parameters you > + provide, however this is not consistent across all implementations. The > + `ovs-ofctl(8) <http://openvswitch.org/support/dist-docs/ovs-ofctl.8.html>`_ > + man pages contain further details in the description of the ALG parameter. > + > diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in > index 49b3aa5f7dc4..03986421c9c3 100644 > --- a/utilities/ovs-ofctl.8.in > +++ b/utilities/ovs-ofctl.8.in 
> @@ -1863,6 +1863,16 @@ When committing related connections, the \fBct_mark\fR for that connection is > inherited from the current \fBct_mark\fR stored with the original connection > (ie, the connection created by \fBct(alg=...)\fR). > . > +.IP > +Note that with the Linux datapath, global sysctl options affect the usage of > +the \fBct\fR action. In particular, if \fBnet.netfilter.nf_conntrack_helper\fR > +is enabled then application layer gateway helpers may be executed even if the > +\fBalg\fR option is not specified. This is the default setting until Linux 4.7. > +For security reasons, the netfilter team recommends users to disable this > +option. See this blog post for further details: > +. > +http://www.netfilter.org/news.html#2012-04-03 > +. > .IP \fBnat\fR[\fB(\fR(\fBsrc\fR|\fBdst\fR)\fB=\fIaddr1\fR[\fB-\fIaddr2\fR][\fB:\fIport1\fR[\fB-\fIport2\fR]][\fB,\fIflags\fR]\fB)\fR] > . > Specify address and port translation for the connection being tracked. > -- > 2.10.2
On 3 January 2017 at 11:41, Jarno Rajahalme <jarno@ovn.org> wrote:
> Acked-by: Jarno Rajahalme <jarno@ovn.org>
Thanks, applied to master.
diff --git a/Documentation/faq/openflow.rst b/Documentation/faq/openflow.rst index abe89c6af123..529e3f50aadf 100644 --- a/Documentation/faq/openflow.rst +++ b/Documentation/faq/openflow.rst @@ -534,3 +534,12 @@ Q: The "learn" action can't learn the action I want, can you improve it? - At least some of the features described in T. A. Hoff, "Extending Open vSwitch to Facilitate Creation of Stateful SDN Applications". +Q: When using the "ct" action with FTP connections, it doesn't seem to matter +if I set the "alg=ftp" parameter in the action. Is this required? + + A: It is advisable to use this option. Some platforms may automatically + detect and apply ALGs in the "ct" action regardless of the parameters you + provide, however this is not consistent across all implementations. The + `ovs-ofctl(8) <http://openvswitch.org/support/dist-docs/ovs-ofctl.8.html>`_ + man pages contain further details in the description of the ALG parameter. + diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in index 49b3aa5f7dc4..03986421c9c3 100644 --- a/utilities/ovs-ofctl.8.in +++ b/utilities/ovs-ofctl.8.in 
@@ -1863,6 +1863,16 @@ When committing related connections, the \fBct_mark\fR for that connection is inherited from the current \fBct_mark\fR stored with the original connection (ie, the connection created by \fBct(alg=...)\fR). . +.IP +Note that with the Linux datapath, global sysctl options affect the usage of +the \fBct\fR action. In particular, if \fBnet.netfilter.nf_conntrack_helper\fR +is enabled then application layer gateway helpers may be executed even if the +\fBalg\fR option is not specified. This is the default setting until Linux 4.7. +For security reasons, the netfilter team recommends users to disable this +option. See this blog post for further details: +. +http://www.netfilter.org/news.html#2012-04-03 +. .IP \fBnat\fR[\fB(\fR(\fBsrc\fR|\fBdst\fR)\fB=\fIaddr1\fR[\fB-\fIaddr2\fR][\fB:\fIport1\fR[\fB-\fIport2\fR]][\fB,\fIflags\fR]\fB)\fR] . Specify address and port translation for the connection being tracked.
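Review bot: the new FAQ answer in the openflow.rst hunk never says why the behaviour differs between platforms, although the commit message has the exact cause: Linux kernels before 4.7 attached conntrack helpers automatically, and upstream commit 3bb398d925ec turned that off. A reader who sees "alg=ftp" make no difference on an older kernel will not connect that to a kernel version, so suggest one more sentence after "not consistent across all implementations", along the lines of "On Linux this depends on the kernel version and the net.netfilter.nf_conntrack_helper sysctl; from Linux 4.7 the default is off, so without alg=ftp the FTP data connection is not tracked as related to the control connection." Also, "provide, however this is not consistent" is a comma splice; use a semicolon or start a new sentence at "However".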
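Review bot: in the ovs-ofctl.8.in hunk, "This is the default setting until Linux 4.7." is ambiguous about which side of 4.7 the default changed on; the commit message says automatic assignment was disabled in 4.7 and later, so write "This is enabled by default in Linux kernels before 4.7 and disabled by default from 4.7 on." The next sentence reads better as "the netfilter team recommends that users disable this option", and since the paragraph gives "security reasons" without naming one, a short clause stating the risk (an automatically assigned helper parses, and creates expectations from, traffic that no flow asked it to handle, which is the concern the linked netfilter post describes) would let readers judge the setting without leaving the man page. The link target is a netfilter news entry rather than a blog, so "See this blog post" could simply be "See".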
Due to upstream Linux feature "automatic helper assignment", up until recently when using ct() action with FTP traffic, it has not been necessary to specify the ALG parameter. However, automatic helper assignment was disabled in Linux 4.7 or later, in upstream commit 3bb398d925ec ("netfilter: nf_ct_helper: disable automatic helper assignment"). Document the need for this.

Signed-off-by: Joe Stringer <joe@ovn.org>
---
v2: Document in both FAQ and ovs-ofctl(8).
---
 Documentation/faq/openflow.rst | 9 +++++++++
 utilities/ovs-ofctl.8.in | 10 ++++++++++
 2 files changed, 19 insertions(+)
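As an added example (not part of this patch or of Open vSwitch), a small audit script for the situation the commit message describes: it flags FTP control-channel flows whose ct() action omits alg=ftp, i.e. flows that only worked because the kernel assigned the helper by itself, and it reads the nf_conntrack_helper sysctl the man page change refers to. The flow dump and sysctl output it parses are constructed samples, and the `ovs-ofctl dump-flows` line layout it assumes (match as the last space-separated token before " actions=") is an assumption of the example.

```python
import re

# Constructed sample in the layout of `ovs-ofctl dump-flows br0` (not from the page).
SAMPLE_FLOWS = """\
 cookie=0x0, duration=5.1s, table=0, n_packets=0, n_bytes=0, priority=100,tcp,tp_dst=21 actions=ct(commit,alg=ftp),NORMAL
 cookie=0x0, duration=5.1s, table=0, n_packets=0, n_bytes=0, priority=100,tcp,tp_dst=21 actions=ct(commit,nat(src=10.0.0.1)),NORMAL
 cookie=0x0, duration=5.1s, table=0, n_packets=0, n_bytes=0, priority=90,tcp,tp_dst=22 actions=ct(commit),NORMAL
 cookie=0x0, duration=5.1s, table=0, n_packets=0, n_bytes=0, priority=50,ct_state=+trk+rel actions=ct(commit),NORMAL
"""
SAMPLE_SYSCTL = "net.netfilter.nf_conntrack_helper = 0\n"  # constructed sysctl output

def ct_arg_lists(actions):
    """Argument text of every ct(...) action; nested parens such as nat(...) are kept whole."""
    found = []
    for m in re.finditer(r"\bct\(", actions):
        depth, start, i = 1, m.end(), m.end()
        while i < len(actions) and depth:
            depth += {"(": 1, ")": -1}.get(actions[i], 0)
            i += 1
        found.append(actions[start:i - 1])
    return found

def is_ftp_control_match(match):
    """True for a match on TCP traffic to port 21, the FTP control channel."""
    fields = match.split(",")
    return "tcp" in fields and "tp_dst=21" in fields

def audit_flows(dump):
    """Match part of each FTP control flow whose ct() action omits alg=ftp."""
    offenders = []
    for line in dump.splitlines():
        if " actions=" not in line:
            continue
        lhs, actions = line.split(" actions=", 1)
        match = lhs.split(" ")[-1]  # the match is the last space-separated token
        if is_ftp_control_match(match) and any(
                not re.search(r"(^|,)alg=ftp(,|$)", a) for a in ct_arg_lists(actions)):
            offenders.append(match)  # relied on the kernel picking the helper itself
    return offenders

def helper_autoassign_enabled(sysctl_output):
    """True if the sysctl shows automatic helper assignment still switched on."""
    m = re.search(r"net\.netfilter\.nf_conntrack_helper\s*=\s*(\d)", sysctl_output)
    return m is not None and m.group(1) == "1"

if __name__ == "__main__":
    auto = helper_autoassign_enabled(SAMPLE_SYSCTL)
    for match in audit_flows(SAMPLE_FLOWS):
        print(match, "- ct() without alg=ftp;",
              "helper still auto-assigned" if auto else "data channel not tracked as related")
```

On a real host, replace the two constants with the output of `ovs-ofctl dump-flows <bridge>` and `sysctl net.netfilter.nf_conntrack_helper`.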