guest on kernel 4.14-12 fails to show NF conntrack

[stefws]

If we boot a VM/guest on kernel 4.14.12 with KPTI enabled, it'll not longer show netfilter stats as on earlier kernels (4.13.4 and less), eg. always returning zero value by:

/sbin/sysctl net.netfilter.nf_conntrack_count

and

cat /proc/sys/net/netfilter/nf_conntrack_count

Can really find a good reason on the 'Net'.
Anyone knows why?

 

[stef1777]

If this can hep, works with 4.9.0-5 (Debian stretch + patch Meltdown) in KVM.

# dmesg | grep "User page tables isolation"
[ 0.000000] Kernel/User page tables isolation: enabled
# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 5
# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 3
# uname -a
Linux green 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 GNU/Linux

 

[stefws]

If this can hep, works with 4.9.0-5 (Debian stretch + patch Meltdown) in KVM.

# dmesg | grep "User page tables isolation"
[ 0.000000] Kernel/User page tables isolation: enabled
# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 5
# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 3
# uname -a
Linux green 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 GNU/Linux

Thx but nope:

# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 0
# uname -r
4.14.12-1.el6.elrepo.x86_64
# dmesg|grep -i isolation
Kernel/User page tables isolation: enabled

# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 2443
# uname -r
4.13.4-1.el6.elrepo.x86_64
# dmesg|grep -i isolation

 

[stef1777]

No found bug report on this.

 

[aderumier]

maybe because kpti avoid access to kernel memory (so conntrack), from userland ?

workaround : #conntrack -L|wc -l ?

 

[fabian]

maybe because kpti avoid access to kernel memory (so conntrack), from userland ?

workaround : #conntrack -L|wc -l ?

that's not how KPTI works.

I suggest filing a but with whoever is responsible for that kernel, it is possible that this is a side-effect of some KPTI patch or a general bug in (that) 4.14 kernel..

 

[stefws]

maybe because kpti avoid access to kernel memory (so conntrack), from userland ?

workaround : #conntrack -L|wc -l ?

Also my first thought, but as Fabian says...
Assume conntrack-tools also utilizes /proc

 

[stefws]

that's not how KPTI works.

I suggest filing a but with whoever is responsible for that kernel, it is possible that this is a side-effect of some KPTI patch or a general bug in (that) 4.14 kernel..

Right, got a bit of trouble though finding whoever for EPEL kernel-ml, it's under Fedora somehow...

 

[stefws]

Right, got a bit of trouble though finding whoever for EPEL kernel-ml, it's under Fedora somehow...

report @kernel.org Bug 198479 and @EPEL 0000816