conntrack in PVE 5 is not working, in PVE 4 it is ok.

jmjosebest

Hello

I've installed conntrack on a PVE 5 node, and when I run the conntrack -L command it doesn't show anything.

On an old PVE 4 node that has been in production for a long time it is working ok.
(It's possible that when I installed this PVE 4 I was following the procedure to install on a Debian base, not sure).

Any idea how to fix this in PVE 5?

It's very useful to detect network issues like scans or attacks.

Thanks!
 
is the command installed? (apt install conntrack)
does the file /proc/net/ip_conntrack have any content? (afaik the conntrack utility shows its contents)
 
Yes, I've installed it:

Code:
# conntrack -L
conntrack v1.4.4 (conntrack-tools): 0 flow entries have been shown.

I have another node with PVE 5.0 and it is also working ok; the issue only happens on PVE 5.1.

Code:
# cat /proc/net/ip_conntrack
cat: /proc/net/ip_conntrack: No such file or directory

But it also doesn't exist on the nodes that are working ok (PVE 4 and PVE 5.0).
 
guess the conntrack documentation was a bit dated - sorry

is the nf_conntrack module loaded (lsmod | grep conntrack)?
do you have conntrack rules in your iptables output (iptables -nvL)?
 
Thanks for your response.

We see some differences:

PVE 5.0 working ok
Code:
# lsmod |grep conntrack
nf_conntrack_netlink    36864  0
nf_conntrack_ipv4      16384  1
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
nf_conntrack          135168  4 nf_conntrack_ipv4,nf_conntrack_netlink,nf_nat_ipv4,nf_nat
nfnetlink              16384  4 nfnetlink_log,ip_set,nf_conntrack_netlink

PVE 5.1 not working
Code:
# lsmod |grep conntrack
nf_conntrack_netlink    40960  0
nf_conntrack          131072  1 nf_conntrack_netlink
nfnetlink              16384  4 nfnetlink_log,ip_set,nf_conntrack_netlink
libcrc32c              16384  2 nf_conntrack,dm_persistent_data

After running modprobe nf_conntrack_ipv4

it is working ok.

How can I make nf_conntrack_ipv4 load permanently after reboot?

Thanks!!!
 
the module usually gets loaded if any firewall rule needs it - do you use the pve-firewall (configurable via the GUI)?
if you do not use any firewall on the node, you can always use /etc/modules (or /etc/modules-load.d/conntrack.conf) - and add the needed modules one per line
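Added example (not from the thread or from Proxmox): a small POSIX sh script that compares an lsmod listing against the conntrack modules seen in the thread, reports which are missing, and renders the one-module-per-line file for /etc/modules-load.d/ that the reply above suggests. The sample listing is the PVE 5.1 output quoted earlier; CONF_PATH and the --apply flag are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: find conntrack modules missing from an
# lsmod listing and emit a modules-load.d(5) file body that loads them at boot.
# Assumed module names are the ones seen in the thread's lsmod output.

# Constructed sample: the PVE 5.1 "not working" listing quoted in the thread.
SAMPLE_LSMOD='nf_conntrack_netlink    40960  0
nf_conntrack          131072  1 nf_conntrack_netlink
nfnetlink              16384  4 nfnetlink_log,ip_set,nf_conntrack_netlink
libcrc32c              16384  2 nf_conntrack,dm_persistent_data'

# Print the required module names (first column of lsmod) that are absent.
# $1: lsmod-style text; remaining args: required module names.
missing_modules() {
    listing="$1"; shift
    for mod in "$@"; do
        # exact match on column 1, so nf_conntrack does not match nf_conntrack_ipv4
        if ! printf '%s\n' "$listing" | awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }'; then
            printf '%s\n' "$mod"
        fi
    done
}

# Render a modules-load.d file body: a comment line, then one module per line.
render_modules_conf() {
    printf '# conntrack modules needed for conntrack -L (generated example)\n'
    for mod in "$@"; do
        printf '%s\n' "$mod"
    done
}

# Live mode (assumption: run as root with --apply): load what is missing now
# and persist the list. CONF_PATH is a placeholder path, override as needed.
CONF_PATH="${CONF_PATH:-/etc/modules-load.d/conntrack.conf}"
if [ "${1:-}" = "--apply" ] && [ -r /proc/modules ]; then
    live="$(lsmod)"
    for mod in $(missing_modules "$live" nf_conntrack nf_conntrack_ipv4 nf_conntrack_netlink); do
        modprobe "$mod"
    done
    render_modules_conf nf_conntrack nf_conntrack_ipv4 nf_conntrack_netlink > "$CONF_PATH"
fi
```

Without --apply the script only defines the functions, so it can be sourced to check a saved lsmod listing from another node.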
 
