Hi, thanks for this patch! It could be interesting to see if it works fine with sysctl -w net/netfilter/nf_conntrack_tcp_loose=0
This is to avoid ACK flood DDoS (where random ACK packets can add a lot of conntrack entries): https://2014.rmll.info/slides/356/day_1-1400-Jesper_Brouer-DDoS_protection_using_Netfilter_iptables.pdf

Currently we can't enable it because when we migrate VMs, the already open connections can't re-add conntrack entries without a new SYN.

Also, is it fast with a lot of entries? (like 100000 entries, for example)

On Fri, 16 Oct 2020 at 15:24, Mira Limbeck <m.limb...@proxmox.com> wrote:
> > Requires the pve-conntrack-tool. On migration the conntrack information > from the source node is dumped and sent to the target node where it is > then inserted. > This helps with open connections during migration when the firewall is active. > > Signed-off-by: Mira Limbeck <m.limb...@proxmox.com> > --- > PVE/QemuMigrate.pm | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/PVE/QemuMigrate.pm b/PVE/QemuMigrate.pm > index 11fec4b..a4e24f7 100644 > --- a/PVE/QemuMigrate.pm > +++ b/PVE/QemuMigrate.pm > @@ -1065,6 +1065,9 @@ sub phase2 { > die "unable to parse migration status '$stat->{status}' - > aborting\n"; > } > } > + > + $self->log('info', 'copy conntrack information'); > + PVE::Tools::run_command([['/usr/bin/pve-conntrack-tool', 'dump'], > [@{$self->{rem_ssh}}, '/usr/bin/pve-conntrack-tool', 'insert']]); > } > > sub phase2_cleanup { > -- > 2.20.1 > > > > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
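Review bot: the `PVE::Tools::run_command([...dump], [...insert])` call added in the phase2 hunk is not wrapped in an `eval`, so a failure of the local dump, the ssh hop, or the remote insert dies after the memory transfer loop above it has already completed, aborting a migration that has otherwise succeeded; since the conntrack copy is a best-effort helper for open connections, consider `eval { PVE::Tools::run_command(...) }; $self->log('warn', "copying conntrack information failed: $@") if $@;` instead. Two smaller points on the same lines: `dump` is invoked with no argument identifying the VM, so from the hunk alone it is unclear whether only the migrating VM's entries are transferred or the node's whole table (if it is the whole table, say so in the commit message, since every migration would then ship every guest's entries to the target); and the new runtime dependency on `/usr/bin/pve-conntrack-tool` that the commit message mentions is not declared anywhere in the patch.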
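An added example for the two questions raised in this reply; it is not part of the thread and not Proxmox's pve-conntrack-tool, whose dump format the patch does not show. It assumes the text format printed by `conntrack -L` from conntrack-tools, keeps only the entries whose original-direction src or dst is one of the migrating VM's addresses (with nf_conntrack_tcp_loose=0 the target cannot re-learn a mid-stream flow, so the transferred set has to be complete for that VM, and restricting it to that VM avoids importing other guests' state), and times the filter over a constructed 100000-entry table to put a number on the "is it fast with a lot of entries" question. The table lines and guest addresses are constructed, not captured.

```python
"""Filter a conntrack table dump down to the entries that belong to one VM.

Added example for the pve-devel discussion; not pve-conntrack-tool and not
Proxmox code. Assumes the text format of `conntrack -L` (conntrack-tools).
"""
import re
import time
from typing import Iterable, List, Set

# Constructed sample in `conntrack -L` format: guest 10.0.0.5 with two
# established flows, another guest (10.0.0.9) with one, and an unrelated
# host-side UDP entry. Only the original-direction src=/dst= pair matters here.
SAMPLE_TABLE = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=93.184.216.34 sport=45678 dport=443 src=93.184.216.34 dst=10.0.0.5 sport=443 dport=45678 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.7 dst=10.0.0.5 sport=51000 dport=22 src=10.0.0.5 dst=203.0.113.7 sport=22 dport=51000 [ASSURED] mark=0 use=1
tcp      6 300 ESTABLISHED src=10.0.0.9 dst=198.51.100.20 sport=33000 dport=80 src=198.51.100.20 dst=10.0.0.9 sport=80 dport=33000 [ASSURED] mark=0 use=1
udp      17 29 src=192.0.2.1 dst=192.0.2.53 sport=40000 dport=53 src=192.0.2.53 dst=192.0.2.1 sport=53 dport=40000 mark=0 use=1
"""

# The original direction is the first src=/dst= pair on the line; the reply
# direction repeats the addresses swapped, so matching the first pair suffices.
_ORIG_TUPLE = re.compile(r"\bsrc=(\S+)\s+dst=(\S+)")


def entry_belongs_to_vm(line: str, vm_ips: Set[str]) -> bool:
    """True if the entry's original-direction src or dst is one of the VM's IPs."""
    m = _ORIG_TUPLE.search(line)
    if not m:
        return False  # not a conntrack entry (e.g. a summary line): skip it
    src, dst = m.group(1), m.group(2)
    return src in vm_ips or dst in vm_ips


def filter_table(lines: Iterable[str], vm_ips: Set[str]) -> List[str]:
    """Return only the entries that should travel with the migrating VM."""
    return [ln for ln in lines if ln.strip() and entry_belongs_to_vm(ln, vm_ips)]


def filter_sample() -> List[str]:
    """Run the filter over the constructed sample for guest 10.0.0.5."""
    return filter_table(SAMPLE_TABLE.splitlines(), {"10.0.0.5"})


def synthetic_table(n: int) -> List[str]:
    """Build n constructed entries spread over many guest addresses."""
    return [
        f"tcp      6 431999 ESTABLISHED src=10.0.{i % 256}.{(i // 256) % 256} "
        f"dst=198.51.100.{i % 200} sport={10000 + i % 50000} dport=443 "
        f"src=198.51.100.{i % 200} dst=10.0.{i % 256}.{(i // 256) % 256} "
        f"sport=443 dport={10000 + i % 50000} [ASSURED] mark=0 use=1"
        for i in range(n)
    ]


def time_filter(n: int = 100_000) -> float:
    """Seconds needed to filter an n-entry table down to one guest's entries."""
    table = synthetic_table(n)
    t0 = time.perf_counter()
    filter_table(table, {"10.0.7.0"})  # hypothetical guest address
    return time.perf_counter() - t0


if __name__ == "__main__":
    for ln in filter_sample():
        print(ln)
    print(f"filtering 100000 entries took {time_filter():.3f}s")
```

The filter step itself is cheap even at 100000 entries; what this does not measure is the kernel side (dumping and inserting through netlink), which is where the real cost of a whole-table copy would show up. Note also that whatever is not in the dump by the time the insert runs on the target has to be re-established with a new SYN once tcp_loose is off.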