[pve-devel] [PATCH qemu-server] copy conntrack information on migration
Thomas Lamprecht
t.lamprecht at proxmox.com
Mon Oct 19 07:46:38 CEST 2020
On 17.10.20 17:42, Alexandre Derumier wrote:
> Hi,
> thanks for this patch!
>
> It could be interesting to see if it's working fine with
> sysctl -w net/netfilter/nf_conntrack_tcp_loose=0
>
> This is to avoid ACK flood DDoS (where random ACK packets can add a
> lot of conntrack entries)
> https://2014.rmll.info/slides/356/day_1-1400-Jesper_Brouer-DDoS_protection_using_Netfilter_iptables.pdf
>
> Currently we can't enable it because when we migrate VMs, the already
> opened connections can't re-add conntrack without a new SYN.
That was the main intention for this series, i.e., your bug #2451 :)
https://bugzilla.proxmox.com/show_bug.cgi?id=2451
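A post-migration check in the spirit of the thread, added here as an example (it is not part of the patch or the pve-devel thread): with nf_conntrack_tcp_loose=0 the kernel will not re-create an entry for a TCP connection whose SYN it never saw, so after migrating a VM it is worth confirming that the target node actually holds ESTABLISHED entries for the VM's address. The `conntrack -L` sample lines and the address 10.0.0.5 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the patch or the thread.
# Counts ESTABLISHED TCP conntrack entries whose original-direction
# src= or dst= equals the given address, reading `conntrack -L` style
# lines from stdin. Pure text processing, so it also runs on saved output.
count_established() {
    awk -v ip="$1" '
        # field layout: proto protonum timeout STATE src= dst= ...
        $1 == "tcp" && $4 == "ESTABLISHED" {
            if ($5 == "src=" ip || $6 == "dst=" ip) n++
        }
        END { print n + 0 }'
}

# Current nf_conntrack_tcp_loose value (kernel default is 1: pick up
# mid-stream connections; 0 requires a SYN, which is the setting the
# thread wants to be able to use once entries survive migration).
tcp_loose_setting() {
    cat /proc/sys/net/netfilter/nf_conntrack_tcp_loose 2>/dev/null || echo "n/a"
}

# Constructed sample of `conntrack -L` output; only two lines are
# ESTABLISHED TCP flows involving 10.0.0.5 (one as src, one as dst).
SAMPLE='tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=41234 dport=22 src=10.0.0.9 dst=10.0.0.5 sport=22 dport=41234 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=10.0.0.5 dst=10.0.0.9 sport=41235 dport=80 src=10.0.0.9 dst=10.0.0.5 sport=80 dport=41235 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.7 dst=10.0.0.1 sport=5353 dport=53 src=10.0.0.1 dst=10.0.0.7 sport=53 dport=5353 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.8 dst=10.0.0.5 sport=5555 dport=443 src=10.0.0.5 dst=10.0.0.8 sport=443 dport=5555 [ASSURED] mark=0 use=1'

if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    # Real run on the target node: ./check.sh --live <vm-address>
    echo "nf_conntrack_tcp_loose=$(tcp_loose_setting)"
    conntrack -L 2>/dev/null | count_established "$2"
else
    printf '%s\n' "$SAMPLE" | count_established 10.0.0.5   # prints 2
fi
```

A result of 0 for a VM that had long-lived sessions before migration means those flows will be dropped once tcp_loose is 0, which is exactly the situation the patch is meant to avoid.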