Message ID | 20161212191650.5694-1-joe@ovn.org |
---|---|
State | Changes Requested |
On 12 December 2016 at 11:33, Ben Pfaff <blp@ovn.org> wrote: > On Mon, Dec 12, 2016 at 11:16:50AM -0800, Joe Stringer wrote: >> Automatic helper assignment was disabled in Linux 4.7 or later, in >> upstream commit 3bb398d925ec ("netfilter: nf_ct_helper: disable >> automatic helper assignment"). >> >> Signed-off-by: Joe Stringer <joe@ovn.org> >> --- >> Documentation/faq/openflow.rst | 14 ++++++++++++++ >> 1 file changed, 14 insertions(+) >> >> diff --git a/Documentation/faq/openflow.rst b/Documentation/faq/openflow.rst >> index d31bbef96c81..632f8e7190da 100644 >> --- a/Documentation/faq/openflow.rst >> +++ b/Documentation/faq/openflow.rst >> @@ -535,3 +535,17 @@ Q: The "learn" action can't learn the action I want, can you improve it? >> - At least some of the features described in T. A. Hoff, "Extending Open >> vSwitch to Facilitate Creation of Stateful SDN Applications". >> >> +Q: When using the "ct" action with FTP connections, it doesn't seem to matter >> +if I set the "alg=ftp" parameter in the action. Is this required? >> + >> + A: Before Linux 4.7, automatic helper assignment was enabled by default. >> + This means is that even if you do not specify ALGs, the traffic will be put >> + through that ALG. In such cases, it is possible to construct OpenFlow >> + tables using conntrack actions that are missing the FTP option, and the >> + conntrack action will still track that FTP connection and correlate its >> + sessions. When using kernels 4.7 or higher, or if the "nf_conntrack_helper" >> + sysctl is disabled, you should always specify the alg option for FTP >> + control connections. >> + >> + For more context, see the blog post from the netfilter team: >> + http://www.netfilter.org/news.html#2012-04-03 > > This is nice but what about also documenting it alongside the option > itself, e.g. add this: > > diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in > index af1eb2b..0be4e0c 100644 > --- a/utilities/ovs-ofctl.8.in 
> +++ b/utilities/ovs-ofctl.8.in > @@ -1839,8 +1839,10 @@ tracker with the \fBtable\fR specified. > The \fBcommit\fR parameter must be specified to use \fBexec(...)\fR. > . > .IP \fBalg=\fIalg\fR > -Specify application layer gateway \fIalg\fR to track specific connection > -types. Supported types include: > +With Linux kernels before 4.7, automatic helper assignment was enabled > +by default and this option has no effect. With later kernels, this > +option enables particular application level gateway \fIalg\fR. Supported > +\fIalg\fR types include: > .RS > .IP \fBftp\fR > Look for negotiation of FTP data connections. If a subsequent FTP data > > Acked-by: Ben Pfaff <blp@ovn.org>

It's a little more subtle than that, since even on earlier kernels the sysctl exists and may be disabled. Furthermore, even if it's enabled, if for instance you have FTP control traffic going over an unusual port then I'm not sure that the automatic helpers will kick in. This is also Linux datapath specific, so it doesn't apply to the proposed windows datapath support and wouldn't apply to userspace datapath on Linux either, if/when it is introduced. The proposed patch here should be updated with this in mind too.

I think that this is really just a platform-specific debugging tip which complicates the explanation in ovs-ofctl(8). Ideally people using this feature should always specify the ALG, even if it has no effect on some platforms since over time it's going to be required on all platforms anyway.
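Review bot: the replacement text under `.IP \fBalg=\fIalg\fR` overstates the legacy behaviour. `+by default and this option has no effect.` is wrong whenever the nf_conntrack_helper sysctl has been turned off on a pre-4.7 kernel, and it does not apply at all to non-Linux-kernel datapaths, both of which the reply above points out. Suggest keeping the original `Specify application layer gateway \fIalg\fR to track specific connection` / `types. Supported types include:` wording unchanged and adding a single sentence that some Linux kernels may additionally assign a helper automatically, with a pointer to the FAQ entry for details. The hunk also silently renames "application layer gateway" to "application level gateway"; keep the existing term.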
On Mon, Dec 12, 2016 at 12:54:50PM -0800, Joe Stringer wrote: > On 12 December 2016 at 11:33, Ben Pfaff <blp@ovn.org> wrote: > > On Mon, Dec 12, 2016 at 11:16:50AM -0800, Joe Stringer wrote: > >> Automatic helper assignment was disabled in Linux 4.7 or later, in > >> upstream commit 3bb398d925ec ("netfilter: nf_ct_helper: disable > >> automatic helper assignment"). > >> > >> Signed-off-by: Joe Stringer <joe@ovn.org> > >> --- > >> Documentation/faq/openflow.rst | 14 ++++++++++++++ > >> 1 file changed, 14 insertions(+) > >> > >> diff --git a/Documentation/faq/openflow.rst b/Documentation/faq/openflow.rst > >> index d31bbef96c81..632f8e7190da 100644 > >> --- a/Documentation/faq/openflow.rst > >> +++ b/Documentation/faq/openflow.rst > >> @@ -535,3 +535,17 @@ Q: The "learn" action can't learn the action I want, can you improve it? > >> - At least some of the features described in T. A. Hoff, "Extending Open > >> vSwitch to Facilitate Creation of Stateful SDN Applications". > >> > >> +Q: When using the "ct" action with FTP connections, it doesn't seem to matter > >> +if I set the "alg=ftp" parameter in the action. Is this required? > >> + > >> + A: Before Linux 4.7, automatic helper assignment was enabled by default. > >> + This means is that even if you do not specify ALGs, the traffic will be put > >> + through that ALG. In such cases, it is possible to construct OpenFlow > >> + tables using conntrack actions that are missing the FTP option, and the > >> + conntrack action will still track that FTP connection and correlate its > >> + sessions. When using kernels 4.7 or higher, or if the "nf_conntrack_helper" > >> + sysctl is disabled, you should always specify the alg option for FTP > >> + control connections. > >> + > >> + For more context, see the blog post from the netfilter team: > >> + http://www.netfilter.org/news.html#2012-04-03 > > > > This is nice but what about also documenting it alongside the option > > itself, e.g. add this: 
> > > > diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in > > index af1eb2b..0be4e0c 100644 > > --- a/utilities/ovs-ofctl.8.in > > +++ b/utilities/ovs-ofctl.8.in > > @@ -1839,8 +1839,10 @@ tracker with the \fBtable\fR specified. > > The \fBcommit\fR parameter must be specified to use \fBexec(...)\fR. > > . > > .IP \fBalg=\fIalg\fR > > -Specify application layer gateway \fIalg\fR to track specific connection > > -types. Supported types include: > > +With Linux kernels before 4.7, automatic helper assignment was enabled > > +by default and this option has no effect. With later kernels, this > > +option enables particular application level gateway \fIalg\fR. Supported > > +\fIalg\fR types include: > > .RS > > .IP \fBftp\fR > > Look for negotiation of FTP data connections. If a subsequent FTP data > > > > Acked-by: Ben Pfaff <blp@ovn.org> > > It's a little more subtle than that, since even on earlier kernels the > sysctl exists and may be disabled. Furthermore, even if it's enabled, > if for instance you have FTP control traffic going over an unusual > port then I'm not sure that the automatic helpers will kick in. This > is also Linux datapath specific, so it doesn't apply to the proposed > windows datapath support and wouldn't apply to userspace datapath on > Linux either, if/when it is introduced. The proposed patch here should > be updated with this in mind too. > > I think that this is really just a platform-specific debugging tip > which complicates the explanation in ovs-ofctl(8). Ideally people > using this feature should always specify the ALG, even if it has no > effect on some platforms since over time it's going to be required on > all platforms anyway.

Maybe the FAQ entry should give this additional information and advice, and then ovs-ofctl(8) could refer to it.
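As an added example (my own POSIX sh, not code from the thread or from the Open vSwitch tree), a small diagnostic for the subtlety Joe describes above: it reports whether the kernel will auto-assign the FTP helper from the nf_conntrack_helper sysctl, falling back to the 4.7 default only when the sysctl file is absent, and audits a constructed dump-flows sample for ct actions on the FTP control port that omit alg=ftp. The FTP control port 21, the sysctl path and the ovs-ofctl flow syntax are assumed standard values, not taken from the page.

```shell
# Added diagnostic for the thread above, not from the OVS patch or tree. Assumes
# FTP control port 21, the /proc/sys/net/netfilter/nf_conntrack_helper sysctl
# path and ovs-ofctl flow syntax.

# auto_helper_state KERNEL_VERSION SYSCTL_VALUE -> "on" or "off".
# SYSCTL_VALUE is the sysctl content, or "" when the file is absent (module not
# loaded); then the default is inferred from the version: on before 4.7.
auto_helper_state() {
    kver=$1 sysctl=$2
    if [ -n "$sysctl" ]; then
        if [ "$sysctl" = 1 ]; then echo on; else echo off; fi; return 0
    fi
    major=${kver%%.*}; rest=${kver#*.}; minor=${rest%%[!0-9]*}   # 4.4.0-62 -> 4, 4
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 7 ]; }; then
        echo on
    else
        echo off
    fi
}

# flows_missing_alg: reads ovs-ofctl dump-flows style lines on stdin and prints
# each flow matching tp_dst=21 whose ct(...) action omits alg=ftp. FTP control
# traffic on a non-standard port is not detected; review such flows by hand.
flows_missing_alg() {
    while IFS= read -r line; do
        match=${line%% actions=*}; actions=${line#* actions=}
        case ",$match," in *,tp_dst=21,*) ;; *) continue ;; esac
        case $actions in
            *ct\(*alg=ftp*) ;;                   # helper named explicitly
            *ct\(*) printf '%s\n' "$line" ;;     # relies on auto-assignment
        esac
    done
}

# Constructed sample flow table; only the second flow omits alg=ftp.
SAMPLE_FLOWS='table=0, priority=50,ct_state=-trk,tcp actions=ct(table=0)
table=0, priority=50,ct_state=+new+trk,tcp,tp_dst=21 actions=ct(commit),NORMAL
table=0, priority=50,ct_state=+new+trk,tcp,tp_dst=21 actions=ct(commit,alg=ftp),NORMAL
table=0, priority=50,ct_state=+rel+trk,tcp actions=ct(commit),NORMAL
table=0, priority=50,ct_state=+est+trk,tcp actions=NORMAL'

live_check() {   # report the running host; "absent" means nf_conntrack is not loaded
    kver=$(uname -r)
    helper=$(cat /proc/sys/net/netfilter/nf_conntrack_helper 2>/dev/null || true)
    printf 'kernel %s, nf_conntrack_helper=%s: automatic helper assignment %s\n' \
        "$kver" "${helper:-absent}" "$(auto_helper_state "$kver" "$helper")"
}

printf '%s\n' "$SAMPLE_FLOWS" | flows_missing_alg   # prints only the second sample flow
if [ "${1:-}" = live ]; then live_check; fi
```

Run it with the argument `live` on an OVS host to report that host's own kernel and sysctl state.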
On 12/12/16, 11:16 AM, "ovs-dev-bounces@openvswitch.org on behalf of Joe Stringer" <ovs-dev-bounces@openvswitch.org on behalf of joe@ovn.org> wrote:
Automatic helper assignment was disabled in Linux 4.7 or later, in
upstream commit 3bb398d925ec ("netfilter: nf_ct_helper: disable
automatic helper assignment").
Signed-off-by: Joe Stringer <joe@ovn.org>
---
Documentation/faq/openflow.rst | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/Documentation/faq/openflow.rst b/Documentation/faq/openflow.rst
index d31bbef96c81..632f8e7190da 100644
--- a/Documentation/faq/openflow.rst
+++ b/Documentation/faq/openflow.rst
@@ -535,3 +535,17 @@ Q: The "learn" action can't learn the action I want, can you improve it?
- At least some of the features described in T. A. Hoff, "Extending Open
vSwitch to Facilitate Creation of Stateful SDN Applications".
+Q: When using the "ct" action with FTP connections, it doesn't seem to matter
+if I set the "alg=ftp" parameter in the action. Is this required?
+
+ A: Before Linux 4.7, automatic helper assignment was enabled by default.
+ This means is that even if you do not specify ALGs, the traffic will be put
+ through that ALG. In such cases, it is possible to construct OpenFlow
+ tables using conntrack actions that are missing the FTP option, and the
+ conntrack action will still track that FTP connection and correlate its
+ sessions.
This is surprising behavior. As you mentioned offline, perhaps it is better to
recommend disabling through sysctl as a default?
When using kernels 4.7 or higher, or if the "nf_conntrack_helper"
+ sysctl is disabled, you should always specify the alg option for FTP
+ control connections.
+
+ For more context, see the blog post from the netfilter team:
+ http://www.netfilter.org/news.html#2012-04-03
--
2.10.2
_______________________________________________
dev mailing list
dev@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
diff --git a/Documentation/faq/openflow.rst b/Documentation/faq/openflow.rst index d31bbef96c81..632f8e7190da 100644 --- a/Documentation/faq/openflow.rst +++ b/Documentation/faq/openflow.rst @@ -535,3 +535,17 @@ Q: The "learn" action can't learn the action I want, can you improve it? - At least some of the features described in T. A. Hoff, "Extending Open vSwitch to Facilitate Creation of Stateful SDN Applications". +Q: When using the "ct" action with FTP connections, it doesn't seem to matter +if I set the "alg=ftp" parameter in the action. Is this required? + + A: Before Linux 4.7, automatic helper assignment was enabled by default. + This means is that even if you do not specify ALGs, the traffic will be put + through that ALG. In such cases, it is possible to construct OpenFlow + tables using conntrack actions that are missing the FTP option, and the + conntrack action will still track that FTP connection and correlate its + sessions. When using kernels 4.7 or higher, or if the "nf_conntrack_helper" + sysctl is disabled, you should always specify the alg option for FTP + control connections. + + For more context, see the blog post from the netfilter team: + http://www.netfilter.org/news.html#2012-04-03
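Review bot: the answer describes only the legacy behaviour and buries the actual advice; lead with the recommendation to always specify alg=ftp regardless of kernel, which is where the thread itself lands, and add the three caveats raised in review: the nf_conntrack_helper sysctl also exists (and may be off) on kernels before 4.7, automatic assignment only catches FTP control traffic on its standard port, and the whole mechanism is specific to the Linux kernel datapath. The text also has a typo and a dangling reference: `+ This means is that even if you do not specify ALGs, the traffic will be put` / `+ through that ALG.` should read "This means that even if you do not specify an ALG, matching traffic is still passed through the corresponding kernel helper". If the entry adopts the suggestion above to recommend a sysctl setting, name the sysctl explicitly and note that it is global to conntrack rather than FTP-specific.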
Automatic helper assignment was disabled in Linux 4.7 or later, in
upstream commit 3bb398d925ec ("netfilter: nf_ct_helper: disable
automatic helper assignment").

Signed-off-by: Joe Stringer <joe@ovn.org>
---
Documentation/faq/openflow.rst | 14 ++++++++++++++
1 file changed, 14 insertions(+)