[PVE-User] Ceph and firewalling

Alexandre DERUMIER aderumier at odiso.com
Fri May 10 10:04:12 CEST 2019


>>The more relevant flag, nf_conntrack_tcp_loose (If it is set to zero,
>>we disable picking up already established connections) is already on
>>(non-zero) by default.

I think this breaks already established connections of a VM when we do a live migration, as we don't transfer the conntrack.


----- Original Message -----
From: "Thomas Lamprecht" <t.lamprecht at proxmox.com>
To: "proxmoxve" <pve-user at pve.proxmox.com>, "Mark Schouten" <mark at tuxis.nl>
Sent: Thursday 9 May 2019 11:10:46
Subject: Re: [PVE-User] Ceph and firewalling

On 5/9/19 10:09 AM, Mark Schouten wrote: 
> On Thu, May 09, 2019 at 07:53:50AM +0200, Alexandre DERUMIER wrote: 
>> But to really be sure to not have the problem anymore : 
>> 
>> add in /etc/sysctl.conf 
>> 
>> net.netfilter.nf_conntrack_tcp_be_liberal = 1 
> 
> This is very useful info. I'll create a bug for Proxmox, so they can 
> consider it to set this in pve-firewall, which seems a good default if 
> you ask me. 
> 

IMO this is not a sensible default, it makes conntrack almost void: 

> nf_conntrack_tcp_be_liberal - BOOLEAN 
> [...] 
> If it's non-zero, we mark *only out of window RST segments* as INVALID. 

The more relevant flag, nf_conntrack_tcp_loose (If it is set to zero, 
we disable picking up already established connections) is already on 
(non-zero) by default. 

The issue you ran into, where pve-cluster (pmxcfs) was upgraded and
restarted and pve-firewall thought that the user had deleted all rules
and thus flushed them, is already fixed for the most common cases
(package upgrade and normal restart of pve-cluster), so this shouldn't
be an issue with pve-firewall in version 3.0-20.

But, Stoiko offered to re-take a look at this and try doing additional 
error handling if the fw config read fails (as in pmxcfs not mounted) 
and keep the current rules un-touched in this case (i.e., no remove, 
no add) or maybe also moving the management rules above the conntrack, 
but we need to take a close look here to ensure this has no non-intended 
side effects. 

cheers, 
Thomas 

_______________________________________________ 
pve-user mailing list 
pve-user at pve.proxmox.com 
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user 
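Added example, not part of the thread and not Proxmox's or the kernel's own tooling: a small POSIX shell audit of the two sysctls Thomas names, nf_conntrack_tcp_be_liberal and nf_conntrack_tcp_loose, read from /proc/sys/net/netfilter so an operator can confirm that the strict defaults he argues for (be_liberal off, tcp_loose on) are actually in effect on a node. The function name, the directory parameter and the constructed fake-sysctl helper are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit the two conntrack TCP knobs
# discussed above on a Linux host. The sysctl directory is a parameter so
# the function can be exercised against a constructed directory; on a
# live host call it with no argument (defaults to /proc/sys/net/netfilter).
#
# Exit status:
#   0  strict defaults: nf_conntrack_tcp_be_liberal=0, nf_conntrack_tcp_loose=1
#   1  be_liberal is non-zero: only out-of-window RST segments are marked
#      INVALID, so the stateful checks of the firewall are largely void
#   2  a knob could not be read (nf_conntrack not loaded, or wrong path)
#   3  tcp_loose is 0: conntrack will not pick up already established
#      connections (for example after the rule set was flushed and rebuilt)
audit_conntrack_tcp() {
    dir="${1:-/proc/sys/net/netfilter}"
    liberal_file="$dir/nf_conntrack_tcp_be_liberal"
    loose_file="$dir/nf_conntrack_tcp_loose"

    if [ ! -r "$liberal_file" ] || [ ! -r "$loose_file" ]; then
        echo "cannot read conntrack TCP sysctls in $dir" >&2
        return 2
    fi

    # The kernel exposes each knob as a single 0/1 line.
    liberal=$(cat "$liberal_file")
    loose=$(cat "$loose_file")
    echo "nf_conntrack_tcp_be_liberal=$liberal"
    echo "nf_conntrack_tcp_loose=$loose"

    if [ "$liberal" != "0" ]; then
        echo "WARN: be_liberal is on; out-of-window TCP data is no longer marked INVALID" >&2
        return 1
    fi
    if [ "$loose" = "0" ]; then
        echo "WARN: tcp_loose is off; mid-stream TCP flows will not be picked up" >&2
        return 3
    fi
    echo "OK: conntrack TCP state tracking is strict"
    return 0
}

# Build a constructed sysctl directory holding the given be_liberal and
# tcp_loose values, so the audit can be demonstrated offline (hypothetical
# data, not read from a real host).
make_fake_sysctl_dir() {
    d=$(mktemp -d)
    printf '%s\n' "$1" > "$d/nf_conntrack_tcp_be_liberal"
    printf '%s\n' "$2" > "$d/nf_conntrack_tcp_loose"
    echo "$d"
}

# Usage on a live host:   audit_conntrack_tcp
# Offline demonstration:  audit_conntrack_tcp "$(make_fake_sysctl_dir 1 1)"
```

The exit status is deliberately distinct per finding so the function can drop straight into a configuration check or a monitoring probe; a node where be_liberal has been turned on by the sysctl.conf line quoted earlier in the thread comes back with status 1.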