nf_conntrack: table full, dropping packet

[green_lemon]

Hi all.

I'm having an issue with some VMs using lots of connections, flooding the nf_conntrack table. I have raised the nf_conntrack_maximum value to 1000000 and lowered the nf_conntrack_tcp_timeout_established value to the minimum, but some VMs still manage to create enough connections fast enough to start causing degradation to my host with packets being dropped.

So, I have a few questions asking for the best way to tackle this.

• What is nf_conntrack used for by proxmox and is it essential?
  
  
• Should other actions be taken to limit the amount of connections a VM can make? Can proxmox configure connection limits on VM firewalls?
  
  • I've searched around and have not found the option to do this.
    
    
• Is it possible to disable nf_conntrack with no ill-effects to proxmox?

Thanks for your time!

 

[spirit]

the conntrack is used for statefull connection.

for example:
you have a webserver running on port :80
you have default rules IN and OUT : DROP

when a client try to connect to the webserver, it's create a connection like "client:randomport>1024 ------> webserver:80".
So you need to open port 80 in firewall.

But..

the server need to reply to the client "webserver:80 -----> client:randomport"

That's why you have conntrack, it's to open the connection is the reverse way, without explicic rules. (anyway the client port is random, so you'll need to open all ports).

so, the only possibility to disable conntrack, it's to open all ports to OUT direction.
(and Currently I don't think it's possible to disable conntrack in proxmox)


a conntrack entry take 304 bytes memory: (so around 300mb for your 1000000 nf_conntrack_max).
So, if you have enough memory, you can increase this value.