yahoo-eng-team team mailing list archive

[Bug 1823633] Re: [RFE] L3 - netfilter Contrack Helper Support

 

** Changed in: neutron
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1823633

Title:
  [RFE] L3 - netfilter Contrack Helper Support

Status in neutron:
  Fix Released

Bug description:
  OS distributions started to disable the nf_conntrack_helper
  functionality by default. (Ubuntu Bionic) Without the
  nf_conntrack_helper, traffic such as tftp and other protocols that
  require a nf_conntrack module will not work. (This became apparent
  when OpenStack Ironic, which uses tftp to transfer boot images during
  Pre Boot Execution (PXE), stopped working.)

  Deactivating the automatic conntrack helper assignment is better security practice, ref:
  https://github.com/regit/secure-conntrack-helpers/blob/master/secure-conntrack-helpers.rst

  This RFE is for adding support in Neutron to configure protocol
  specific CT target rules. This was discussed in meeting[1] 2019-03-20
  with consensus on adding an L3 extension.

  [1] http://eavesdrop.openstack.org/irclogs/%23openstack-meeting/%23openstack-meeting.2019-03-20.log.html#t2019-03-20T14:47:08

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1823633/+subscriptions
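
An added example, not part of the original bug report or of Neutron's code: a check that automatic helper assignment is off and that each protocol needing a helper has an explicit CT target rule in the raw table. The function names, the `required` mapping and the sample `iptables-save -t raw` text are assumptions constructed for illustration.

```python
import shlex

# Constructed sample of `iptables-save -t raw` output (hypothetical router namespace).
SAMPLE_RAW = """\
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 69 -j CT --helper tftp
-A PREROUTING -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
"""


def explicit_helpers(iptables_save_text):
    """Return {(proto, dport): helper} for each explicit `-j CT --helper` rule in *raw."""
    found = {}
    in_raw = False
    for line in iptables_save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. "*raw" or "*filter"
            in_raw = line == "*raw"
            continue
        if not in_raw or not line.startswith("-A "):
            continue
        tok = shlex.split(line)           # copes with quoted --comment strings
        opts = {}
        for i, t in enumerate(tok[:-1]):
            if t in ("-p", "--dport", "-j", "--helper"):
                opts[t] = tok[i + 1]
        if opts.get("-j") == "CT" and "--helper" in opts and "--dport" in opts:
            found[(opts.get("-p"), opts["--dport"])] = opts["--helper"]
    return found


def audit(iptables_save_text, nf_conntrack_helper_value, required):
    """List findings. `nf_conntrack_helper_value` is the text read from
    /proc/sys/net/netfilter/nf_conntrack_helper; `required` maps
    (proto, dport) to the helper that traffic depends on."""
    findings = []
    if nf_conntrack_helper_value.strip() != "0":
        findings.append("automatic helper assignment is enabled")
    have = explicit_helpers(iptables_save_text)
    for (proto, dport), helper in sorted(required.items()):
        if have.get((proto, dport)) != helper:
            findings.append(f"no explicit CT rule for {helper} on {proto}/{dport}")
    return findings


if __name__ == "__main__":
    need = {("udp", "69"): "tftp", ("tcp", "21"): "ftp"}
    for finding in audit(SAMPLE_RAW, "0\n", need):
        print(finding)
```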