[pve-devel] [PATCH v3 conntrack-tool 1/4] initial commit
Dominic Jäger
d.jaeger at proxmox.com
Tue Apr 6 12:19:34 CEST 2021
On Tue, Feb 16, 2021 at 05:56:39PM +0100, Mira Limbeck wrote:
> Dumping conntrack information and importing conntrack information works
> for IPv4 and IPv6. No filtering is supported for now. pve-conntrack-tool
> will always return both IPv4 and IPv6 conntracks together.
>
> Conntracks are serialized as JSON and printed on STDOUT line by line
> with one line containing one conntrack. When inserting data is read
> from STDIN line by line and expected to be one JSON object per line
> representing the conntrack.
Comparing conntrack -L and pve-conntrack-tool dump gave equivalent
outputs. It might be a bit confusing that the tool uses converted values, e.g.
for ports. But I think this shouldn't matter as it's internal.
With firewall enabled on both nodes and cluster
> cat /etc/pve/firewall/cluster.fw /etc/pve/nodes/pveA/host.fw /etc/pve/nodes/pveB/host.fw | grep enable
> enable: 1
> enable: 1
> enable: 1
and tcp_loose deactivated on both nodes
> sysctl net.netfilter.nf_conntrack_tcp_loose
> net.netfilter.nf_conntrack_tcp_loose = 0
I could copy test flow entries like
> conntrack -I -p tcp -t 60 --src 127.0.0.1 --dst 1.1.1.1 --state LISTEN --sport 80 --dport 55555
> pve-conntrack-tool dump | ssh root@192.168.25.147 pve-conntrack-tool insert
from node A to B
> conntrack -L | grep 55555
> tcp 6 52 SYN_SENT2 src=127.0.0.1 dst=1.1.1.1 sport=80 dport=55555 [UNREPLIED] src=1.1.1.1 dst=127.0.0.1 sport=55555 dport=80 mark=0 use=1
and looking at the number of flow entries it seems the other flow entries have been copied, too.
What still confuses me a little is live migration. Not sure if I'm doing this right.
Without the new option
> qm migrate 150 pveB --online
the SSH connection to the migrating guest broke (OK, I guess) but after
reconnecting the old flow entries were still there? Shouldn't they vanish?
With the new option
> qm migrate 150 pveA --online --migrate-conntracks
the SSH connection to the guest sometimes remained working and sometimes not
(and the entries survived).
Tested-by: Dominic Jäger <d.jaeger at proxmox.com>
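As an added illustration (not code from the patch or from pve-conntrack-tool itself), the following Python parser turns conntrack -L lines like the one quoted above into one JSON object per line, the shape the tool's dump/insert pair exchanges; the field names are assumptions for this example, not the tool's real schema.

```python
import json
import re

# Constructed sample line in `conntrack -L` format (mirrors the entry quoted in
# the thread; values are illustrative, not captured from a real host).
SAMPLE = ("tcp      6 52 SYN_SENT2 src=127.0.0.1 dst=1.1.1.1 sport=80 dport=55555 "
          "[UNREPLIED] src=1.1.1.1 dst=127.0.0.1 sport=55555 dport=80 mark=0 use=1")

_KV = re.compile(r"(\w+)=(\S+)")


def parse_conntrack_line(line):
    """Parse one `conntrack -L` line into a dict with original and reply tuples.

    Hypothetical schema (assumption, not pve-conntrack-tool's own): the first
    run of src/dst/sport/dport pairs is the original direction, the second the
    reply direction; bracketed tokens such as [UNREPLIED] become flags.
    """
    tokens = line.split()
    proto_name, proto_num, timeout = tokens[0], int(tokens[1]), int(tokens[2])
    rest = tokens[3:]
    state = None
    # TCP lines carry a state token (e.g. SYN_SENT2) before the first key=value
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)
    flags = [t.strip("[]") for t in rest if t.startswith("[")]
    tuples, idx, extra = [{}, {}], 0, {}
    for tok in rest:
        m = _KV.fullmatch(tok)
        if not m:
            continue  # flag tokens like [UNREPLIED] are handled above
        key, val = m.group(1), m.group(2)
        if key in ("src", "dst", "sport", "dport"):
            if key == "src" and "src" in tuples[idx]:
                idx = 1  # a second "src" starts the reply tuple
            tuples[idx][key] = int(val) if key.endswith("port") else val
        else:
            extra[key] = int(val) if val.isdigit() else val  # mark=, use=, ...
    return {"proto": proto_name, "proto_num": proto_num, "timeout": timeout,
            "state": state, "flags": flags, "orig": tuples[0],
            "reply": tuples[1], **extra}


def dump_lines(lines):
    """Serialize each parsed entry as exactly one JSON object per output line."""
    return [json.dumps(parse_conntrack_line(l), sort_keys=True)
            for l in lines if l.strip()]
```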