nf_conntrack entries missing in proc on container, present on host, nf_conntrack module is loaded

[iMx]

Just come across something similar to another thread, although not identical as nf_conntrack is/does load, when trying to use SYNPROXY - you need to set on the container:

net.netfilter.nf_conntrack_tcp_loose=0

However, whilst this exists on the host, it does not exist (since 6.2.x upgrade from 5.x) on containers.

sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_tcp_loose: No such file or directory

nfconntrack module is loaded on the container:

xt_conntrack           16384  54
nf_conntrack 139264 7 xt_conntrack,nf_nat,xt_nat,ipt_SYNPROXY,nf_synproxy_core,xt_CT,xt_MASQUERADE
nf_defrag_ipv6 24576 1 nf_conntrack
nf_defrag_ipv4 16384 1 nf_conntrack
x_tables 45056 17 ebtables,ip6table_filter,xt_conntrack,ip6table_raw,iptable_filter,xt_multiport,xt_tcpudp,xt_recent,xt_nat,ipt_SYNPROXY,ip6_tables,ipt_REJECT,xt_CT,iptable_raw,ip_tables,xt_MASQUERADE,xt_TCPMSS
libcrc32c 16384 4 nf_conntrack,nf_nat,btrfs,sctp

Lots of conntrack entries missing in proc on the container:

ls /proc/sys/net/netfilter/
nf_conntrack_frag6_high_thresh nf_conntrack_frag6_low_thresh nf_conntrack_frag6_timeout nf_log

When compare to the host/another machine:

ls -lah /proc/sys/net/netfilter/|wc -l
55

... have tried restarting the container after verifying host modules, still the same. Looks to be a bug somewhere, this was not a problem in Proxmox 5.x. LXC bug perhaps? Or Kernel? :/

Did something change between 5.x and 6.x, that I need to specifically allow proc entries? Am at a bit of a loss... any thoughts welcomed.

 

[wolfgang]

Hi,

When compare to the host/another machine:

What Proxmox VE versions got these hosts?

Can you send the LXC config of this container to get a picture?