[pve-devel] [PATCH ve-rs/firewall/qemu-server/manager/docs v4 00/14] fix #5180: migrate conntrack state on live migration

[Christoph Heiss]

On Mon Jul 21, 2025 at 4:49 PM CEST, Gabriel Goller wrote:
> Gave this a quick spin:
>
> I think you forgot to add the NAT limitations to the docs? That's IMO
> quite important to add — maybe even in a "WARNINGS" box. Maybe we could
> also add this somewhere in the "Migrate" window?

Adding another sentence mentioning that to the docs makes sense.
A warning in the Migrate window is another thing - it could be a
"static" warning which is always shown when conntrack migration is
enabled, but programmatically determining whether NAT is enabled
(somewhere) seems rather tricky ..

>
> Sometimes when clicking on 'Migrate' the pre-selected node shows "Cannot
> migrate conntrack state, target node is lacking support. ...", although
> it should work. Selecting another node, then going back to the original
> one makes the warning go away. Also sometimes when the node does not
> support migrating conntrack, the warnings is not shown. This might just
> be a UI fluke/reloading issue, but haven't looked at the code yet...

Hm, yeah, probably some flakiness w.r.t. the UI checks running. I'll try
to reproduce it - the (failing) requests would be interesting
nonetheless.

>
> Otherwise everything works well, the conntrack states are corectly moved
> to the other nodes and the connection is not dropped even when the
> firewall denies everything on input!
>
> PS: you forgot to add the tested-by and reviewed-by trailers from stefan :)

Thanks for the notice!