[pve-devel] PVE Firewall and nf_conntrack

Alexandre DERUMIER aderumier at odiso.com
Tue Dec 2 10:06:35 CET 2014


>>Thanks, where does PVE set that value? 

/usr/share/perl5/PVE/Firewall.pm

sub update_nf_conntrack_max {
    my ($hostfw_conf) = @_;

    my $max = 65536; # reasonable default

    my $options = $hostfw_conf->{options} || {};

    # the host firewall option only takes effect when it is larger than the default
    if (defined($options->{nf_conntrack_max}) && ($options->{nf_conntrack_max} > $max)) {
        $max = $options->{nf_conntrack_max};
        $max = int(($max + 8191)/8192)*8192; # round to multiples of 8192
    }

    my $filename_nf_conntrack_max = "/proc/sys/net/nf_conntrack_max";
    my $filename_hashsize = "/sys/module/nf_conntrack/parameters/hashsize";

    my $current = int(PVE::Tools::file_read_firstline($filename_nf_conntrack_max) || $max);

    # whenever the kernel value differs from the computed one (including a value
    # set elsewhere, e.g. via sysctl), it is overwritten together with the hash size
    if ($current != $max) {
        my $hashsize = int($max/4);
        PVE::ProcFSTools::write_proc_entry($filename_hashsize, $hashsize);
        PVE::ProcFSTools::write_proc_entry($filename_nf_conntrack_max, $max);
    }
}

sub update_nf_conntrack_tcp_timeout_established {
    my ($hostfw_conf) = @_;

    my $options = $hostfw_conf->{options} || {};

    my $value = defined($options->{nf_conntrack_tcp_timeout_established}) ? $options->{nf_conntrack_tcp_timeout_established} : 432000;

    PVE::ProcFSTools::write_proc_entry("/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established", $value);
}

----- Original Message -----

From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
To: "Dietmar Maurer" <dietmar at proxmox.com>, pve-devel at pve.proxmox.com
Sent: Tuesday, 2 December 2014 09:51:07
Subject: Re: [pve-devel] PVE Firewall and nf_conntrack


On 02.12.2014 at 09:31, Dietmar Maurer wrote:
>> The kernel host log is full of: 
>> 
>> [1620408.606201] net_ratelimit: 462 callbacks suppressed [1620408.606204] 
>> nf_conntrack: table full, dropping packet 
>> 
>> 1.) Where do we use nf_conntrack? 
> 
> everywhere 
> 
>> 2.) Should PVE ship with a sysctl file raising the nf conntrack limits? 
> 
> You can adjust the value in the GUI (Host firewall option nf_conntrack_max)

Thanks, where does PVE set that value? 

I've a custom /etc/sysctl.d/ conf file which sets the value to 6.5 
Million but pve seems to reset the value on boot to 65536. 

Stefan 

_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
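The override Stefan ran into follows directly from the arithmetic in update_nf_conntrack_max above. The script below is an added example (not PVE project code) that mirrors that arithmetic in shell and compares it with the live kernel values, so an admin can see beforehand whether a value set via /etc/sysctl.d will be replaced by pve-firewall; the optional command-line argument standing in for the host firewall's nf_conntrack_max option is an assumption of this example.

```bash
#!/bin/bash
# Added example, not code from PVE: reproduce what update_nf_conntrack_max
# in Firewall.pm computes and report whether it would overwrite the
# kernel's current nf_conntrack_max.

# Value pve-firewall would write for a given host-firewall nf_conntrack_max
# option (empty string = option not set): default 65536; a configured value
# is used only when larger and is rounded up to a multiple of 8192.
pve_conntrack_max() {
    local configured="$1" max=65536
    if [ -n "$configured" ] && [ "$configured" -gt "$max" ]; then
        max=$(( (configured + 8191) / 8192 * 8192 ))
    fi
    echo "$max"
}

# Hash table size written alongside it: max/4 (integer division).
pve_hashsize() {
    echo $(( $1 / 4 ))
}

# Exit status 0 if pve-firewall would overwrite the current kernel value
# (it writes whenever current != computed max), 1 otherwise.
pve_would_override() {
    local current="$1" configured="$2"
    [ "$current" -ne "$(pve_conntrack_max "$configured")" ]
}

# Compare against the running system (same paths Firewall.pm reads/writes).
check_live() {
    local f=/proc/sys/net/nf_conntrack_max
    local h=/sys/module/nf_conntrack/parameters/hashsize
    [ -r "$f" ] || { echo "nf_conntrack not loaded or not readable"; return 0; }
    local current target
    current=$(head -n1 "$f")
    target=$(pve_conntrack_max "$1")
    if pve_would_override "$current" "$1"; then
        echo "nf_conntrack_max=$current, but pve-firewall would set $target" \
             "(hashsize $(pve_hashsize "$target"))"
    else
        echo "nf_conntrack_max=$current matches what pve-firewall would set"
    fi
    [ -r "$h" ] && echo "current hashsize: $(head -n1 "$h")"
    return 0
}

# Usage: conntrack_check.sh [nf_conntrack_max value from the host firewall options]
check_live "${1:-}"
```

With no option configured and a sysctl value of 6500000, the script reports that pve-firewall would reset the table to 65536, which is the behaviour described in the thread.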