net.bridge.bridge-nf-call-iptables and friends

einsibjani

Feb 5, 2020
I have a 3-node cluster setup in production. Recently we discovered a problem where fragmented UDP packets
were being dropped somewhere along the way from our VMs. Finally we tracked the culprit down, and it
was the fact that Proxmox had set

net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1

so our fragmented packets were being reconstructed by the firewall before leaving the host. /etc/sysctl.d/pve.conf
has both variables set to 0, so it seems that the fact that we turned on the firewall in Proxmox set both variables.

We only use the firewall to filter traffic to the Proxmox hosts themselves; we have external routers and firewalls and
firewalls running inside the VMs, so I've turned off the datacenter and per-VM firewalls but kept it on for the hosts.

If I set the tunables back to 0, will Proxmox reset them to 1 on the next reboot since we have the firewall enabled on
the hosts?
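Added example (not from the post above, and not Proxmox's own code): a small POSIX shell script that reads the live values of the two bridge-netfilter tunables from /proc/sys and reports whether bridged IPv4 frames are currently being passed through the host's iptables. The live value is what matters for the symptom described in the post: /etc/sysctl.d/pve.conf can say 0 while the running kernel says 1, so checking /proc/sys after a reboot is how you find out whether something re-enabled the hooks. The PROC_ROOT parameter and the make_fake_root helper are assumptions added so the check can be pointed at a constructed fake tree for testing; on a real host leave the root at its default.

```shell
#!/bin/sh
# Added example: inspect net.bridge.bridge-nf-call-iptables / -ip6tables as the
# running kernel sees them. Not Proxmox code; PROC_ROOT handling and the fake
# tree builder below are assumptions so the script can run anywhere.

# Print the live value of one net.bridge.* tunable.
# $1 = root of the sysctl tree (default /proc/sys), $2 = tunable name.
# When br_netfilter is not loaded the file does not exist, which means bridged
# frames are not hooked into netfilter at all; report that as "absent".
bridge_nf_value() {
  root="${1:-/proc/sys}"
  f="$root/net/bridge/$2"
  if [ -r "$f" ]; then
    cat "$f"
  else
    echo "absent"
  fi
}

# True (exit 0) when bridged IPv4 frames traverse the host iptables chains.
# With this set to 1, br_netfilter defragments IP datagrams before filtering,
# which is the reassembly the post describes.
bridge_hooks_iptables() {
  [ "$(bridge_nf_value "$1" bridge-nf-call-iptables)" = "1" ]
}

# Same check for IPv6.
bridge_hooks_ip6tables() {
  [ "$(bridge_nf_value "$1" bridge-nf-call-ip6tables)" = "1" ]
}

# Build a constructed fake /proc/sys tree (for demonstration and testing only).
# $1 = directory, $2 = IPv4 tunable value, $3 = IPv6 tunable value.
make_fake_root() {
  d="$1"; v4="$2"; v6="$3"
  mkdir -p "$d/net/bridge"
  printf '%s\n' "$v4" > "$d/net/bridge/bridge-nf-call-iptables"
  printf '%s\n' "$v6" > "$d/net/bridge/bridge-nf-call-ip6tables"
}

# Human-readable report for the given root (default: the real /proc/sys).
report() {
  root="${1:-/proc/sys}"
  for t in bridge-nf-call-iptables bridge-nf-call-ip6tables; do
    printf 'net.bridge.%s = %s\n' "$t" "$(bridge_nf_value "$root" "$t")"
  done
  if bridge_hooks_iptables "$root"; then
    echo "bridged IPv4 frames pass through host iptables (defragmented first)"
  else
    echo "bridged IPv4 frames bypass host iptables"
  fi
  if bridge_hooks_ip6tables "$root"; then
    echo "bridged IPv6 frames pass through host ip6tables"
  else
    echo "bridged IPv6 frames bypass host ip6tables"
  fi
}

# Run against the real kernel by default; set PROC_ROOT to a fake tree to try it
# out without a bridge. On a host this prints the values the kernel is using now.
report "${PROC_ROOT:-/proc/sys}"
```

Run it right after boot and again once the firewall service is up; if the first report shows 0 (from /etc/sysctl.d) and the second shows 1, the change is being made at runtime rather than by sysctl, and a sysctl.d override on its own will not hold.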