
List:       openvswitch-dev
Subject:    [ovs-dev] [PATCHv3 09/11] Add support for connection tracking helper/ALGs.
From:       joestringer () nicira ! com (Joe Stringer)
Date:       2015-09-30 16:56:47
Message-ID: CANr6G5w3BZ1SYy+hiJZHh9RP54nS7XQMggEdQDn3GDorytd+bQ () mail ! gmail ! com

On 30 September 2015 at 08:58, Ben Pfaff <blp at nicira.com> wrote:
> On Tue, Sep 29, 2015 at 01:40:32PM -0700, Joe Stringer wrote:
>> This patch adds support for specifying a "helper" or ALG to assist
>> connection tracking for protocols that consist of multiple streams.
>> Initially, only support for FTP is included.
>>
>> Below is an example set of flows to allow FTP control connections from
>> port 1->2 to establish active data connections in the reverse direction:
>>
>>     table=0,priority=1,action=drop
>>     table=0,arp,action=normal
>>     table=0,in_port=1,tcp,action=ct(alg=ftp,commit),2
>>     table=0,in_port=2,tcp,ct_state=-trk,action=ct(table=1)
>>     table=1,in_port=2,tcp,ct_state=+trk+est,action=1
>>     table=1,in_port=2,tcp,ct_state=+trk+rel,action=ct(commit),1
>>
>> Signed-off-by: Joe Stringer <joestringer at nicira.com>
>> Acked-by: Jarno Rajahalme <jrajahalme at nicira.com>
>
> I expected ALGs to be more complicated.  I guess the kernel does all the
> heavy lifting for us!  Thanks for writing this.

Sure thing. Indeed the complexity is in the kernel.

> In put_ct_helper(), this:
>             const char *helper = "ftp";
>
>             nl_msg_put_string__(odp_actions, OVS_CT_ATTR_HELPER, helper,
>                                 strlen(helper));
> could be written as:
>             nl_msg_put_string(odp_actions, OVS_CT_ATTR_HELPER, "ftp");
>
> In ovs-ofctl.8.in here:
>     .IP \fBalg=\fR\fIalg\fR
> the \fR in the middle could be removed:
>     .IP \fBalg=\fIalg\fR
>
> Acked-by: Ben Pfaff <blp at nicira.com>

Thanks, I'll fix these up.
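
The example flows quoted above, traced in a simplified Python model; this is an added illustration, not code from the patch or from Open vSwitch. The `Conntrack` class, `pipeline()`, the packet fields and the addresses are constructed for the example, and the tracker is reduced to the `est`/`rel` decisions those flows match on, with the helper parsing only the active-mode `PORT` command.

```python
import re
PORT_RE = re.compile(r"PORT \d+,\d+,\d+,\d+,(\d+),(\d+)")  # active-mode FTP command

def tup(p, reverse=False):
    t = (p["src"], p["sport"], p["dst"], p["dport"])
    return t[2:] + t[:2] if reverse else t

class Conntrack:
    """Toy tracker (assumption): only the state the flows' ct_state matches need."""
    def __init__(self):
        self.conns = {}        # original-direction tuple -> {"replied", "related"}
        self.expected = set()  # (src ip, dst ip, dst port) learned from PORT

    def state(self, p):
        rev = self.conns.get(tup(p, True))
        if rev:                                   # packet in the reply direction
            rev["replied"] = True
            return {"trk", "est"}
        c = self.conns.get(tup(p))
        if c and c["replied"]:
            return {"trk", "est"}
        rel = c["related"] if c else (p["src"], p["dst"], p["dport"]) in self.expected
        return {"trk", "rel" if rel else "new"}

    def commit(self, p, alg_ftp=False):
        if tup(p) not in self.conns and tup(p, True) not in self.conns:
            exp = (p["src"], p["dst"], p["dport"])
            self.conns[tup(p)] = {"replied": False, "related": exp in self.expected}
            self.expected.discard(exp)
        m = PORT_RE.search(p["data"]) if alg_ftp else None
        if m:                                     # expect server -> client:port
            self.expected.add((p["dst"], p["src"], int(m[1]) * 256 + int(m[2])))

def pipeline(ct, p):
    """Output port for a TCP packet under the six flows, or None if not forwarded."""
    if p["in_port"] == 1:                         # ct(alg=ftp,commit),2
        ct.state(p)
        ct.commit(p, alg_ftp=True)
        return 2
    state = ct.state(p)                           # ct_state=-trk -> ct(table=1)
    if "rel" in state:                            # +trk+rel -> ct(commit),1
        ct.commit(p)
    return 1 if state & {"est", "rel"} else None  # +trk+est -> 1; otherwise no match

def demo():
    c, s, ct = "10.0.0.1", "10.0.0.2", Conntrack()  # constructed: client on port 1, server on port 2
    # stray inbound, control SYN, its reply, PORT (19*256+137 = 5001), data SYN, reply, data, wrong port
    pkts = [(2, s, 20, c, 5001, ""), (1, c, 40000, s, 21, ""), (2, s, 21, c, 40000, ""),
            (1, c, 40000, s, 21, "PORT 10,0,0,1,19,137\r\n"), (2, s, 20, c, 5001, ""),
            (1, c, 5001, s, 20, ""), (2, s, 20, c, 5001, ""), (2, s, 20, c, 5002, "")]
    keys = ("in_port", "src", "sport", "dst", "dport", "data")
    return [pipeline(ct, dict(zip(keys, p))) for p in pkts]
```

In this model the same inbound packet to port 5001 is not forwarded before the `PORT` command is seen and is forwarded afterwards, while an inbound connection to any other port still matches no flow in table 1.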
