Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> writes:
> __nf_ct_try_assign_helper() remains in place but it now requires a
> template to configure the helper.
>
> A toggle to disable automatic helper assignment was added by:
>
> a9006892643a ("netfilter: nf_ct_helper: allow to disable automatic helper assignment")
>
> in 2012 to address the issues described in "Secure use of iptables and
> connection tracking helpers". Automatic conntrack helper assignment was
> disabled by:
>
> 3bb398d925ec ("netfilter: nf_ct_helper: disable automatic helper assignment")
>
> back in 2016.
>
> This patch removes the sysctl toggle, users now have to rely on explicit
> conntrack helper configuration via ruleset.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
Acked-by: Aaron Conole <aconole@xxxxxxxxxx>
Ilya / Pravin,
We will likely need to make a change in the ovs test-suite from:
sysctl -w net.netfilter.nf_conntrack_helper=0
to:
sysctl -ew net.netfilter.nf_conntrack_helper=0
I will cook up a quick patch
-Aaron
