guest on kernel 4.14-12 fails to show NF conntrack

stefws

If we boot a VM/guest on kernel 4.14.12 with KPTI enabled, it'll no longer show netfilter stats as on earlier kernels (4.13.4 and less), e.g. always returning a zero value from:

/sbin/sysctl net.netfilter.nf_conntrack_count

and

cat /proc/sys/net/netfilter/nf_conntrack_count

Can't really find a good reason on the 'Net'.
Anyone know why?

stef1777

If this can help, it works with 4.9.0-5 (Debian stretch + Meltdown patch) in KVM.

# dmesg | grep "User page tables isolation"
[ 0.000000] Kernel/User page tables isolation: enabled
# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 5
# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 3
# uname -a
Linux green 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 GNU/Linux
 

stefws

> If this can help, it works with 4.9.0-5 (Debian stretch + Meltdown patch) in KVM.
>
> # dmesg | grep "User page tables isolation"
> [ 0.000000] Kernel/User page tables isolation: enabled
> # /sbin/sysctl net.netfilter.nf_conntrack_count
> net.netfilter.nf_conntrack_count = 5
> # /sbin/sysctl net.netfilter.nf_conntrack_count
> net.netfilter.nf_conntrack_count = 3
> # uname -a
> Linux green 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 GNU/Linux

Thx but nope:

# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 0
# uname -r
4.14.12-1.el6.elrepo.x86_64
# dmesg|grep -i isolation
Kernel/User page tables isolation: enabled

# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 2443
# uname -r
4.13.4-1.el6.elrepo.x86_64
# dmesg|grep -i isolation
 

aderumier

maybe because kpti avoids access to kernel memory (so conntrack) from userland?

workaround : #conntrack -L|wc -l ?
 
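Added example, not code from the thread or from Proxmox: a small POSIX sh check that compares the count sysctl reports with the number of entries actually listed in the table, so a monitoring job can flag the "always zero" symptom instead of silently graphing it. It assumes the real `conntrack -L` (conntrack-tools) or `/proc/net/nf_conntrack` is available when run live; the function and verdict names are my own.

```shell
#!/bin/sh
# Cross-check nf_conntrack_count against the entries the table actually holds.
# Constructed for this thread; not part of any Proxmox or kernel tooling.

# sysctl_count: the value sysctl reports, read via /proc (empty if absent).
sysctl_count() {
    cat /proc/sys/net/netfilter/nf_conntrack_count 2>/dev/null
}

# listed_count: count flows by walking the table itself. Prefer the
# "conntrack -L | wc -l" workaround from the thread, fall back to
# /proc/net/nf_conntrack (one flow per line), else print nothing.
listed_count() {
    if command -v conntrack >/dev/null 2>&1; then
        conntrack -L 2>/dev/null | wc -l
    elif [ -r /proc/net/nf_conntrack ]; then
        wc -l < /proc/net/nf_conntrack
    else
        echo ""
    fi
}

# classify SYSCTL LISTED: prints a verdict and returns
#   0 consistent   1 sysctl says 0 while the table is populated (the 4.14.12
#   symptom)       2 counts differ beyond normal drift   3 no data
classify() {
    sysctl_n=$1; listed_n=$2
    if [ -z "$sysctl_n" ] || [ -z "$listed_n" ]; then
        echo "no-data"; return 3
    fi
    if [ "$sysctl_n" -eq 0 ] && [ "$listed_n" -gt 0 ]; then
        echo "sysctl-zero"; return 1
    fi
    # Some drift is normal: flows expire between the two reads.
    delta=$((sysctl_n - listed_n))
    [ "$delta" -lt 0 ] && delta=$((-delta))
    if [ "$delta" -gt $((listed_n / 10 + 5)) ]; then
        echo "mismatch"; return 2
    fi
    echo "consistent"; return 0
}

# Live run only when asked for, so the functions can also be sourced.
if [ "${1:-}" = "--live" ]; then
    classify "$(sysctl_count)" "$(listed_count)"
fi
```

Run it as `sh check.sh --live` on the guest; a non-zero exit with "sysctl-zero" is the bug described in this thread, not an empty table.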

fabian

Proxmox Staff Member
> maybe because kpti avoids access to kernel memory (so conntrack) from userland?
>
> workaround : #conntrack -L|wc -l ?

that's not how KPTI works.

I suggest filing a bug with whoever is responsible for that kernel; it is possible that this is a side-effect of some KPTI patch or a general bug in (that) 4.14 kernel.
 

stefws

> that's not how KPTI works.
>
> I suggest filing a bug with whoever is responsible for that kernel; it is possible that this is a side-effect of some KPTI patch or a general bug in (that) 4.14 kernel.
Right, got a bit of trouble though finding whoever for EPEL kernel-ml, it's under Fedora somehow...
 
