guest on kernel 4.14-12 fails to show NF conntrack

stefws

stefws

Renowned Member
Jan 29, 2015
302
4
83
Denmark
siimnet.dk
If we boot a VM/guest on kernel 4.14.12 with KPTI enabled, it'll not longer show netfilter stats as on earlier kernels (4.13.4 and less), eg. always returning zero value by:

/sbin/sysctl net.netfilter.nf_conntrack_count

and

cat /proc/sys/net/netfilter/nf_conntrack_count
Click to expand...

Can really find a good reason on the 'Net'.
Anyone knows why?
 
Last edited:
If this can hep, works with 4.9.0-5 (Debian stretch + patch Meltdown) in KVM.

# dmesg | grep "User page tables isolation"
[ 0.000000] Kernel/User page tables isolation: enabled
# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 5
# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 3
# uname -a
Linux green 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 GNU/Linux
 
stef1777 said:
If this can hep, works with 4.9.0-5 (Debian stretch + patch Meltdown) in KVM.

# dmesg | grep "User page tables isolation"
[ 0.000000] Kernel/User page tables isolation: enabled
# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 5
# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 3
# uname -a
Linux green 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 GNU/Linux
Click to expand...
Thx but nope:

# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 0
# uname -r
4.14.12-1.el6.elrepo.x86_64
# dmesg|grep -i isolation
Kernel/User page tables isolation: enabled

# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 2443
# uname -r
4.13.4-1.el6.elrepo.x86_64
# dmesg|grep -i isolation
Click to expand...
 
maybe because kpti avoid access to kernel memory (so conntrack), from userland ?

workaround : #conntrack -L|wc -l ?
 
aderumier said:
maybe because kpti avoid access to kernel memory (so conntrack), from userland ?

workaround : #conntrack -L|wc -l ?
Click to expand...

that's not how KPTI works.

I suggest filing a but with whoever is responsible for that kernel, it is possible that this is a side-effect of some KPTI patch or a general bug in (that) 4.14 kernel..
 
fabian said:
that's not how KPTI works.

I suggest filing a but with whoever is responsible for that kernel, it is possible that this is a side-effect of some KPTI patch or a general bug in (that) 4.14 kernel..
Click to expand...
Right, got a bit of trouble though finding whoever for EPEL kernel-ml, it's under Fedora somehow...
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back