conntrack in PVE 5 is not working, in PVE 4 it is ok.

jmjosebest

Renowned Member
Jan 16, 2009
Hello

I've installed conntrack on a PVE 5 node, and when I run the conntrack -L command it doesn't show anything.

An old PVE 4 node that has been in production for a long time is working ok.
(It's possible that when I installed this PVE 4 node I followed the procedure to install on a Debian base, not sure).

Any idea how to fix this in PVE 5?

It's very useful for detecting network issues like scans or attacks.

Thanks!
 
is the command installed? (apt install conntrack)
does the file /proc/net/ip_conntrack have any content? (afaik the conntrack utility shows its contents)
 
Yes, I've installed it:

Code:
# conntrack -L
conntrack v1.4.4 (conntrack-tools): 0 flow entries have been shown.

I have another node with PVE 5.0 and it is also working ok; the issue only happens on PVE 5.1.

Code:
# cat /proc/net/ip_conntrack
cat: /proc/net/ip_conntrack: No such file or directory

But it also doesn't exist on the nodes that are working ok (PVE 4 and PVE 5.0).
 
guess the conntrack documentation was a bit dated - sorry

is the nf_conntrack module loaded (lsmod |grep conntrack) ?
do you have conntrack rules in your iptables output (iptables -nvL)?
 
Thanks for your response.

We see some differences:

PVE 5.0 working ok
Code:
# lsmod |grep conntrack
nf_conntrack_netlink    36864  0
nf_conntrack_ipv4      16384  1
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
nf_conntrack          135168  4 nf_conntrack_ipv4,nf_conntrack_netlink,nf_nat_ipv4,nf_nat
nfnetlink              16384  4 nfnetlink_log,ip_set,nf_conntrack_netlink

PVE 5.1 not working
Code:
# lsmod |grep conntrack
nf_conntrack_netlink    40960  0
nf_conntrack          131072  1 nf_conntrack_netlink
nfnetlink              16384  4 nfnetlink_log,ip_set,nf_conntrack_netlink
libcrc32c              16384  2 nf_conntrack,dm_persistent_data

After running modprobe nf_conntrack_ipv4

it is working ok.

How can I make nf_conntrack_ipv4 load permanently after reboot?

Thanks!!!
 
the module usually gets loaded if any firewall rule needs it - do you use the pve-firewall (configurable via the GUI) ?
if you do not use any firewall on the node, you can always use /etc/modules (or /etc/modules-load.d/conntrack.conf) - and add the needed modules one per line
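The two checks discussed in this thread (comparing the lsmod output of the working and non-working nodes, and writing the missing module into /etc/modules-load.d/conntrack.conf one module per line) can be scripted. The following is an added example, not code from the thread or from Proxmox; the list of required modules is an assumption taken from the lsmod output posted for the working PVE 5.0 node, and the sample lsmod text is a constructed copy of the PVE 5.1 listing above.

```shell
#!/bin/sh
# Added example, not from the thread: check an lsmod listing for the conntrack
# modules the working PVE 5.0 node shows, and produce the modules-load.d entries
# needed to make any missing ones persistent across reboots.

# Assumption: the modules seen on the working PVE 5.0 node in the thread.
REQUIRED_MODULES="nf_conntrack nf_conntrack_ipv4 nf_conntrack_netlink"

# Constructed sample: lsmod output as posted for the PVE 5.1 node
# (nf_conntrack_ipv4 is absent).
LSMOD_PVE51='nf_conntrack_netlink    40960  0
nf_conntrack          131072  1 nf_conntrack_netlink
nfnetlink              16384  4 nfnetlink_log,ip_set,nf_conntrack_netlink
libcrc32c              16384  2 nf_conntrack,dm_persistent_data'

# Constructed sample: lsmod output as posted for the working PVE 5.0 node.
LSMOD_PVE50='nf_conntrack_netlink    36864  0
nf_conntrack_ipv4      16384  1
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
nf_conntrack          135168  4 nf_conntrack_ipv4,nf_conntrack_netlink,nf_nat_ipv4,nf_nat
nfnetlink              16384  4 nfnetlink_log,ip_set,nf_conntrack_netlink'

# missing_modules LSMOD_TEXT
# Prints the required modules that do not appear in the first column of the
# given lsmod text, space separated (empty string when nothing is missing).
missing_modules() {
    lsmod_text=$1
    missing=""
    for mod in $REQUIRED_MODULES; do
        # Match the whole first field so nf_conntrack does not match nf_conntrack_ipv4.
        if ! printf '%s\n' "$lsmod_text" | awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }'; then
            missing="${missing:+$missing }$mod"
        fi
    done
    printf '%s' "$missing"
}

# modules_load_conf MODULE...
# Prints the contents for /etc/modules-load.d/conntrack.conf: one module per line,
# which is the format systemd-modules-load expects and the reply above suggests.
modules_load_conf() {
    for mod in "$@"; do
        printf '%s\n' "$mod"
    done
}

# Usage on a live node (root needed to load modules and write the file):
#   missing=$(missing_modules "$(lsmod)")
#   if [ -n "$missing" ]; then
#       for m in $missing; do modprobe "$m"; done
#       modules_load_conf $missing > /etc/modules-load.d/conntrack.conf
#   fi
```

Run against the constructed PVE 5.1 listing the script reports only nf_conntrack_ipv4 as missing, and against the PVE 5.0 listing it reports nothing. On kernels from 4.19 onwards nf_conntrack_ipv4 no longer exists as a separate module (its functionality was merged into nf_conntrack), so the REQUIRED_MODULES list should be adjusted for the kernel actually in use rather than copied blindly.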