Hey Ilya, Aaron,
Thanks for this, I have added those extra checks to the CI script so hopefully 
that will stop patches being tested unnecessarily. I will keep an eye on the 
situation anyway.

Thanks,
Michael.

> -----Original Message-----
> From: Aaron Conole <acon...@redhat.com>
> Sent: Monday 29 August 2022 19:36
> To: Ilya Maximets <i.maxim...@ovn.org>
> Cc: Phelan, Michael <michael.phe...@intel.com>; ovs-dev <ovs-
> d...@openvswitch.org>
> Subject: Re: [ovs-dev] [PATCH nf] netfilter: remove nf_conntrack_helper
> sysctl toggle
> 
> Ilya Maximets <i.maxim...@ovn.org> writes:
> 
> > On 8/26/22 09:06, Pablo Neira Ayuso wrote:
> >> __nf_ct_try_assign_helper() remains in place but it now requires a
> >> template to configure the helper.
> >>
> >> A toggle to disable automatic helper assignment was added by:
> >>
> >>   a9006892643a ("netfilter: nf_ct_helper: allow to disable automatic
> >> helper assignment")
> >>
> >> in 2012 to address the issues described in "Secure use of iptables
> >> and connection tracking helpers". Automatic conntrack helper
> >> assignment was disabled by:
> >>
> >>   3bb398d925ec ("netfilter: nf_ct_helper: disable automatic helper
> >> assignment")
> >>
> >> back in 2016.
> >>
> >> This patch removes the sysctl toggle, users now have to rely on
> >> explicit conntrack helper configuration via ruleset.
> >>
> >> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
> >> ---
> >>  include/net/netfilter/nf_conntrack.h    |  2 -
> >>  include/net/netns/conntrack.h           |  1 -
> >>  net/netfilter/nf_conntrack_core.c       |  5 --
> >>  net/netfilter/nf_conntrack_helper.c     | 80 ++++---------------------
> >>  net/netfilter/nf_conntrack_netlink.c    |  5 --
> >>  net/netfilter/nf_conntrack_standalone.c | 10 ----
> >>  net/netfilter/nft_ct.c                  |  3 -
> >>  7 files changed, 10 insertions(+), 96 deletions(-)
> >
> > Hey, Michael.
> >
> > This one ('nf') should be another filter to add for CI runs.
> > Sometimes ovs-dev gets CC-ed on netfilter patches, which are related.
> >
> > Aaron, maybe you have a complete list of filters that ovsrobot is using?
> > Or does it check in some other way?
> 
> The robot also looks at the patch that comes in for the following file
> list:
> 
>   net/*
>   include/net/*
>   include/uapi/*
> 
> Those files indicate that the patch is intended to land on a linux tree.
> 
> Maybe that will help to suppress false-positives.
> 
> > Best regards, Ilya Maximets.
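
The filtering discussed in this thread, as an added example (not the ovsrobot or Intel CI code): it skips a mail when the subject carries the 'nf' tag or when any touched path matches the file list Aaron quotes. The function names, the "any matching path" policy and the sample input are assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase

# Path patterns quoted in the thread as marking a Linux-tree patch.
LINUX_TREE_GLOBS = ("net/*", "include/net/*", "include/uapi/*")
# Subject tags to skip; 'nf' is the one named in the thread (assumed set).
SKIP_TAGS = {"nf"}

QUOTE_PREFIX = re.compile(r"^(?:>\s?)+")  # "> >> " reply quoting
DIFFSTAT_ROW = re.compile(r"^\s*(\S+)\s+\|\s+(?:\d+|Bin)\b")
DIFF_HEADER = re.compile(r"^(?:\+\+\+|---) [ab]/(\S+)")
PATCH_TAG = re.compile(r"\[PATCH([^\]]*)\]", re.IGNORECASE)

# Constructed sample: diffstat rows as they look when quoted in a reply.
SAMPLE_QUOTED = """\
> >>  include/net/netns/conntrack.h           |  1 -
> >>  net/netfilter/nf_conntrack_core.c       |  5 --
> >>  2 files changed, 6 deletions(-)
"""


def touched_paths(patch_text):
    """Collect file paths from diffstat rows and ---/+++ diff headers."""
    paths = set()
    for raw in patch_text.splitlines():
        line = QUOTE_PREFIX.sub("", raw)
        m = DIFFSTAT_ROW.match(line) or DIFF_HEADER.match(line)
        if m:
            paths.add(m.group(1))
    return paths


def subject_tags(subject):
    """Return the words inside '[PATCH ...]', e.g. {'nf', 'v2'}."""
    m = PATCH_TAG.search(subject)
    return set(m.group(1).lower().split()) if m else set()


def skip_reason(subject, patch_text):
    """Return why CI should skip this mail, or None if it should be tested."""
    tags = subject_tags(subject) & SKIP_TAGS
    if tags:
        return "subject tag: " + ", ".join(sorted(tags))
    hits = sorted(p for p in touched_paths(patch_text)
                  if any(fnmatchcase(p, g) for g in LINUX_TREE_GLOBS))
    return "linux-tree path: " + hits[0] if hits else None


if __name__ == "__main__":
    print(skip_reason("[ovs-dev] [PATCH] example subject", SAMPLE_QUOTED))
```

Checking paths as well as the subject tag covers Linux-tree patches that reach the list without a recognised tag.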

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
