>>There are no filters implemented yet, and there does not seem to be a
>>way to filter by interface. So if we want to limit the conntracks to
>>certain VMs, we could use zones and add a filter for them.
>>We would have to map them somehow though as the zone parameter is only
>>16 bits and VMIDs mi
I haven't done any performance tests yet. But currently we query all
conntracks (same as conntrack -L), print them one by one as JSON to STDOUT.
When importing we do it line-by-line, which means one conntrack at a
time. But if necessary we could batch them, as mentioned in the
bugtracker, by usi
On 17.10.20 17:42, Alexandre Derumier wrote:
> Hi,
> thanks for this patch!
>
> It could be interesting to see if it's working fine with
> sysctl -w net/netfilter/nf_conntrack_tcp_loose=0
>
> This is to avoid ACK flood DDoS (where random ACK packets can add a
> lot of conntrack entries)
> http
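The dump/import flow described in Mira's reply above (one JSON object per line, imported line by line, batched if needed, and filtered by zone once VMs are mapped onto the 16-bit zone ids), as an added Python example that is not part of the patch or of pve-conntrack-tool; the JSON field names, the VMID-to-zone table and the sample dump are constructed assumptions.

```python
import json
from itertools import islice

ZONE_MAX = 0xFFFF  # conntrack zone ids are 16 bits wide, as noted in the thread

def allocate_zones(vmids, first_zone=1):
    """Hypothetical VMID->zone table (assumption): zones are handed out
    sequentially, so a VMID that does not fit in 16 bits still gets a valid id."""
    mapping = {}
    for i, vmid in enumerate(sorted(set(vmids))):
        zone = first_zone + i
        if zone > ZONE_MAX:
            raise ValueError("more VMs than available conntrack zones")
        mapping[vmid] = zone
    return mapping

def filter_dump(lines, wanted_zones):
    """Yield entries (one JSON object per line, as the dump is printed) whose
    'zone' field is in wanted_zones; empty or malformed lines are skipped."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry.get("zone") in wanted_zones:
            yield entry

def batched(entries, size):
    """Group entries into lists of at most `size` for batched insertion."""
    it = iter(entries)
    while chunk := list(islice(it, size)):
        yield chunk

# Constructed sample dump; the field names are assumptions, not the tool's real format.
SAMPLE_DUMP = """\
{"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.9", "zone": 1, "state": "ESTABLISHED"}
{"proto": "udp", "src": "10.0.0.6", "dst": "10.0.0.9", "zone": 2}
not json at all
{"proto": "tcp", "src": "10.0.0.7", "dst": "10.0.0.9", "zone": 1, "state": "SYN_SENT"}
{"proto": "tcp", "src": "10.0.0.8", "dst": "10.0.0.9", "zone": 3}
"""

def batches_for_vms(dump_text, zone_map, migrating_vmids, batch_size=2):
    """Return the batches of entries that belong to the VMs being migrated."""
    wanted = {zone_map[v] for v in migrating_vmids}
    return list(batched(filter_dump(dump_text.splitlines(), wanted), batch_size))
```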
I haven't checked the code, but does
"'/usr/bin/pve-conntrack-tool', 'dump'" only dump VM conntracks, or
the whole host conntrack table?
(Not sure how it could be possible for only VMs currently, but if we
implement different conntrack zones for each VM, it could be easy)
On Fri. 16 Oct. 202
Hi,
thanks for this patch!
It could be interesting to see if it's working fine with
sysctl -w net/netfilter/nf_conntrack_tcp_loose=0
This is to avoid ACK flood DDoS (where random ACK packets can add a
lot of conntrack entries)
https://2014.rmll.info/slides/356/day_1-1400-Jesper_Brouer-DDoS_pro
Requires the pve-conntrack-tool. On migration the conntrack information
from the source node is dumped and sent to the target node where it is
then inserted.
This helps with open connections during migration when the firewall is active.
Signed-off-by: Mira Limbeck
---
PVE/QemuMigrate.pm | 3 +++