Ilya Maximets <i.maxim...@ovn.org> writes:
> On 8/26/22 09:06, Pablo Neira Ayuso wrote:
>> __nf_ct_try_assign_helper() remains in place but it now requires a
>> template to configure the helper.
>>
>> A toggle to disable automatic helper assignment was added by:
>>
>> a9006892643a ("netfilter: nf_ct_helper: allow to disable automatic helper
>> assignment")
>>
>> in 2012 to address the issues described in "Secure use of iptables and
>> connection tracking helpers". Automatic conntrack helper assignment was
>> disabled by:
>>
>> 3bb398d925ec ("netfilter: nf_ct_helper: disable automatic helper
>> assignment")
>>
>> back in 2016.
>>
>> This patch removes the sysctl toggle, users now have to rely on explicit
>> conntrack helper configuration via ruleset.
>>
>> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
>> ---
>> include/net/netfilter/nf_conntrack.h | 2 -
>> include/net/netns/conntrack.h | 1 -
>> net/netfilter/nf_conntrack_core.c | 5 --
>> net/netfilter/nf_conntrack_helper.c | 80 ++++---------------------
>> net/netfilter/nf_conntrack_netlink.c | 5 --
>> net/netfilter/nf_conntrack_standalone.c | 10 ----
>> net/netfilter/nft_ct.c | 3 -
>> 7 files changed, 10 insertions(+), 96 deletions(-)
>
> Hey, Michael.
>
> This one ('nf') should be another filter to add for CI runs.
> Sometimes ovs-dev gets CC-ed on netfilter patches, which are related.
>
> Aaron, maybe you have a complete list of filters that ovsrobot is using?
> Or is it checks in some other way?
The robot also looks at the patch that comes in for the following file
list:
net/*
include/net/*
include/uapi/*
Those files indicate that the patch is intended to land on a linux tree.
Maybe that will help to suppress false-positives
> Best regards, Ilya Maximets.
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
