[PVE-User] Ceph and firewalling
aderumier at odiso.com
Fri May 10 10:04:12 CEST 2019
>>The more relevant flag, nf_conntrack_tcp_loose (If it is set to zero,
>>we disable picking up already established connections) is already on
>>(non-zero) by default.
I think this breaks already established connections of a VM when we do a live migration, as we don't transfer the conntrack.
----- Original Message -----
From: "Thomas Lamprecht" <t.lamprecht at proxmox.com>
To: "proxmoxve" <pve-user at pve.proxmox.com>, "Mark Schouten" <mark at tuxis.nl>
Sent: Thursday, 9 May 2019 11:10:46
Subject: Re: [PVE-User] Ceph and firewalling
On 5/9/19 10:09 AM, Mark Schouten wrote:
> On Thu, May 09, 2019 at 07:53:50AM +0200, Alexandre DERUMIER wrote:
>> But to really be sure to not have the problem anymore :
>> add in /etc/sysctl.conf
>> net.netfilter.nf_conntrack_tcp_be_liberal = 1
> This is very useful info. I'll create a bug for Proxmox, so they can
> consider it to set this in pve-firewall, which seems a good default if
> you ask me.
IMO this is not a sensible default, it makes conntrack almost void:
> nf_conntrack_tcp_be_liberal - BOOLEAN
> If it's non-zero, we mark *only out of window RST segments* as INVALID.
The more relevant flag, nf_conntrack_tcp_loose (If it is set to zero,
we disable picking up already established connections) is already on
(non-zero) by default.
The issue you ran into, the case where pve-cluster (pmxcfs) was
upgraded and restarted and pve-firewall thought that the user had deleted
all rules and thus flushed them, is already fixed for the most common cases
(package upgrade and normal restart of pve-cluster), so this shouldn't
be an issue with pve-firewall in version 3.0-20.
But, Stoiko offered to re-take a look at this and try doing additional
error handling if the fw config read fails (as in pmxcfs not mounted)
and keep the current rules un-touched in this case (i.e., no remove,
no add) or maybe also moving the management rules above the conntrack,
but we need to take a close look here to ensure this has no non-intended
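The two sysctls discussed in this thread do different things, and the difference matters for both of the points raised: nf_conntrack_tcp_loose decides whether conntrack will pick up a TCP connection it never saw the handshake for (which is exactly the situation after a live migration, since the conntrack table is not transferred with the VM), while nf_conntrack_tcp_be_liberal decides whether out-of-window non-RST segments of a tracked connection are still accepted. The following Python model is an added illustration written for this page; it is not code from the thread, from Proxmox or from the Linux kernel. It is a deliberately simplified single-direction model of the kernel's TCP window tracking: the receive window is a constructed fixed constant, sequence-number wraparound and window scaling are ignored, and picked-up connections are marked liberal, which (as an assumption not stated in the thread) mirrors the kernel tolerating unknown window scaling on mid-stream pickups. All segments and sequence numbers are constructed sample input.

```python
"""Simplified model of two netfilter TCP conntrack sysctls and their
effect on a packet stream (added example; not kernel or Proxmox code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Segment:
    seq: int
    length: int = 0      # payload bytes (SYN/FIN are not counted, for simplicity)
    syn: bool = False
    rst: bool = False


@dataclass
class Entry:
    lo: int              # lowest acceptable sequence number for the next segment
    hi: int              # highest acceptable sequence number for the next segment
    liberal: bool = False  # set on mid-stream pickup (assumed kernel behaviour)


class TcpTracker:
    # Constructed fixed window; the kernel derives it from the peer's advertised window.
    WINDOW = 65535

    def __init__(self, tcp_loose: bool = True, tcp_be_liberal: bool = False):
        self.tcp_loose = tcp_loose            # nf_conntrack_tcp_loose
        self.tcp_be_liberal = tcp_be_liberal  # nf_conntrack_tcp_be_liberal
        self.entry: Optional[Entry] = None

    def process(self, seg: Segment) -> str:
        if self.entry is None:
            if seg.syn:
                self.entry = Entry(lo=seg.seq + 1, hi=seg.seq + 1 + self.WINDOW)
                return "NEW"
            if self.tcp_loose:
                # No handshake seen, but tcp_loose allows a mid-stream pickup.
                end = seg.seq + seg.length
                self.entry = Entry(lo=end, hi=end + self.WINDOW, liberal=True)
                return "NEW (picked up)"
            # tcp_loose=0: a non-SYN segment without an entry is never tracked.
            return "INVALID"
        e = self.entry
        if e.lo <= seg.seq <= e.hi:
            e.lo = max(e.lo, seg.seq + seg.length)
            e.hi = e.lo + self.WINDOW
            return "ESTABLISHED"
        if seg.rst:
            # Out-of-window RSTs stay INVALID whatever be_liberal says.
            return "INVALID"
        if self.tcp_be_liberal or e.liberal:
            # be_liberal: only out-of-window RSTs are INVALID, so this data is let through.
            return "ESTABLISHED (out of window, accepted)"
        return "INVALID"


def live_migration_scenario(tcp_loose: bool) -> List[str]:
    """Handshake on the source host, then only mid-stream traffic on the destination."""
    src = TcpTracker(tcp_loose=True)
    src.process(Segment(seq=1000, syn=True))
    src.process(Segment(seq=1001, length=100))
    # Live migration: conntrack state is not transferred, the destination starts empty.
    dst = TcpTracker(tcp_loose=tcp_loose)
    return [dst.process(Segment(seq=1101, length=100)),
            dst.process(Segment(seq=1201, length=100))]


def window_check_scenario(tcp_be_liberal: bool) -> List[str]:
    """In-window data, far out-of-window data, and an out-of-window RST."""
    t = TcpTracker(tcp_be_liberal=tcp_be_liberal)
    t.process(Segment(seq=5000, syn=True))
    return [t.process(Segment(seq=5001, length=10)),
            t.process(Segment(seq=900000, length=10)),
            t.process(Segment(seq=900000, rst=True))]


if __name__ == "__main__":
    for loose in (True, False):
        print(f"tcp_loose={int(loose)} after migration:", live_migration_scenario(loose))
    for liberal in (False, True):
        print(f"tcp_be_liberal={int(liberal)}:", window_check_scenario(liberal))
```

Running it shows the two points side by side: with tcp_loose=1 the destination host picks the migrated connection up and subsequent segments are ESTABLISHED, whereas tcp_loose=0 marks them all INVALID; and with tcp_be_liberal=1 a segment far outside the tracked window is still accepted, which is why setting it globally defeats most of what window tracking is for, while an out-of-window RST is rejected in both settings.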