guest on kernel 4.14-12 fails to show NF conntrack

stefws

If we boot a VM/guest on kernel 4.14.12 with KPTI enabled, it'll no longer show netfilter stats as on earlier kernels (4.13.4 and lower), e.g. always returning a zero value via:

/sbin/sysctl net.netfilter.nf_conntrack_count

and

cat /proc/sys/net/netfilter/nf_conntrack_count

Can't really find a good reason on the 'Net.
Anyone know why?
If this can help, works with 4.9.0-5 (Debian stretch + patch Meltdown) in KVM.

# dmesg | grep "User page tables isolation"
[ 0.000000] Kernel/User page tables isolation: enabled
# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 5
# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 3
# uname -a
Linux green 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 GNU/Linux
 
Thx but nope:

# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 0
# uname -r
4.14.12-1.el6.elrepo.x86_64
# dmesg|grep -i isolation
Kernel/User page tables isolation: enabled

# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 2443
# uname -r
4.13.4-1.el6.elrepo.x86_64
# dmesg|grep -i isolation
 
maybe because KPTI avoids access to kernel memory (so conntrack) from userland?

workaround : #conntrack -L|wc -l ?
 

that's not how KPTI works.

I suggest filing a bug with whoever is responsible for that kernel; it is possible that this is a side-effect of some KPTI patch or a general bug in (that) 4.14 kernel.
 
Right, got a bit of trouble though finding whoever for EPEL kernel-ml, it's under Fedora somehow...
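A cross-check in the spirit of the `conntrack -L | wc -l` workaround above, added here as an example and not code posted by anyone in this thread: it reads the counter the way the first post does (the `/proc/sys/net/netfilter/nf_conntrack_count` file) and compares it with the number of entries actually listed in the conntrack table, so a counter stuck at zero while connections exist gets flagged instead of silently feeding a dashboard. Both paths are parameters; the demo at the bottom runs against constructed sample files so it works offline, and on a real host you would pass `/proc/sys/net/netfilter/nf_conntrack_count` and `/proc/net/nf_conntrack` (or a saved `conntrack -L` dump) instead.

```shell
#!/bin/sh
# Added example, not from the thread: detect a conntrack counter that
# disagrees with the conntrack table itself.
#
# check_conntrack COUNT_FILE TABLE_FILE prints one of:
#   ok          counter and table agree well enough (counter > 0 or table empty)
#   mismatch    counter reads 0 but the table lists entries (the symptom reported above)
#   unavailable a file is unreadable or the counter is not a plain integer

# read_count FILE -> the integer in FILE with whitespace stripped, or "missing"
read_count() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        echo missing
    fi
}

# table_entries FILE -> number of non-empty lines in a conntrack table dump
# (/proc/net/nf_conntrack on a real host, or `conntrack -L` output saved to a file)
table_entries() {
    if [ -r "$1" ]; then
        grep -c . "$1" || true   # grep exits 1 on zero matches; we still want the "0"
    else
        echo missing
    fi
}

check_conntrack() {
    count=$(read_count "$1")
    entries=$(table_entries "$2")
    if [ "$count" = missing ] || [ "$entries" = missing ]; then
        echo unavailable
        return 0
    fi
    case "$count" in
        ''|*[!0-9]*) echo unavailable; return 0 ;;   # not a bare integer
    esac
    if [ "$count" -eq 0 ] && [ "$entries" -gt 0 ]; then
        echo mismatch
    else
        echo ok
    fi
}

# Demo on constructed sample data (hypothetical values, not captured from a host).
demo() {
    dir=$(mktemp -d)
    printf '0\n' > "$dir/count_zero"
    printf '2\n' > "$dir/count_two"
    # Two constructed table lines in the shape /proc/net/nf_conntrack uses.
    printf 'ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=10.0.0.1 sport=50000 dport=22\n' > "$dir/table"
    printf 'ipv4     2 udp     17 29 src=10.0.0.2 dst=10.0.0.1 sport=53000 dport=53\n' >> "$dir/table"
    echo "counter=0, 2 entries: $(check_conntrack "$dir/count_zero" "$dir/table")"
    echo "counter=2, 2 entries: $(check_conntrack "$dir/count_two" "$dir/table")"
    echo "counter absent:       $(check_conntrack "$dir/no_such_file" "$dir/table")"
    rm -rf "$dir"
}

demo
```

The "mismatch" verdict is the one worth alerting on: a zero counter with a populated table is exactly what the original poster sees on 4.14.12, and a monitoring rule that only reads the sysctl would otherwise report an idle firewall.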
 