preconfigured firewall rules and overrun conntrack table

alexskysilk

Oct 16, 2015
I am encountering a problem on busy servers where the nodes "inexplicably" lose connectivity with cluster partners and fence themselves off. Some investigation shows that when this happens, pve-firewall is enabled and the conntrack table is full.

A quick look at "virgin" iptables rules has entries for cluster and ceph interfaces, which means that cluster traffic is subject to conntrack. This is NOT DESIRABLE. I am now beginning to write an override procedure, but it occurred to me that all of these are hard coded into /usr/share/perl5/PVE/firewall.pm. It is imperative that cluster interfaces are NOT hamstrung by conntrack.

1. For the immediate term I need to override the preset rules. What strategy do you guys suggest: via systemd, cron, ...? Do I need to delete existing rules, or would
iptables -A INPUT -i bond1 -p all -j NOTRACK

be sufficient at the top?
2. Devs, PLEASE revisit the logic of creating your chain rules by limiting them to interfaces identified as internet or intranet facing. You can add a "user facing" checkbox in the network definition that adds the comment to the interface stanza to identify it, but you may have cleverer logic. I will also file this as a feature request.
 
WRT question 1, adding the interfaces to the raw table does not fix the problem, as the filter table still processes the rules regardless, and there is no NOTRACK option for the filter table AFAICT. Other suggestions most welcome.
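The failure mode described in the post (the conntrack table filling up until cluster traffic is dropped and the node fences itself) is easy to catch before it happens. The script below is an added example, not code from the post or from Proxmox: it reads the standard netfilter counters nf_conntrack_count and nf_conntrack_max, and the 80% warning threshold is an assumed default that can be overridden by the first argument.

```shell
#!/bin/sh
# Added example: alarm on a conntrack table that is close to nf_conntrack_max.
# Intended to be run from cron or a systemd timer on each node; a non-zero exit
# status can feed an existing alerting hook. Paths are the standard Linux sysctl files.

CONNTRACK_COUNT_FILE=/proc/sys/net/netfilter/nf_conntrack_count
CONNTRACK_MAX_FILE=/proc/sys/net/netfilter/nf_conntrack_max

# conntrack_usage_pct COUNT MAX -> prints the integer percentage of the table in use.
# Returns 2 when MAX is missing, zero or not a number (e.g. nf_conntrack not loaded).
conntrack_usage_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] 2>/dev/null || { echo "invalid nf_conntrack_max: '$max'" >&2; return 2; }
    echo $(( count * 100 / max ))
}

# conntrack_status COUNT MAX THRESHOLD -> prints ok|warn|full and returns 0|1|2.
# "full" means the kernel is already at its limit and new flows are being dropped.
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2") || return 2
    if [ "$1" -ge "$2" ]; then
        echo full; return 2
    elif [ "$pct" -ge "$3" ]; then
        echo warn; return 1
    else
        echo ok; return 0
    fi
}

# check_conntrack_table [THRESHOLD] -> reads the live counters and reports one line.
# Threshold 80 (percent) is an assumed default, not a Proxmox setting.
check_conntrack_table() {
    threshold=${1:-80}
    if [ ! -r "$CONNTRACK_COUNT_FILE" ] || [ ! -r "$CONNTRACK_MAX_FILE" ]; then
        echo "nf_conntrack sysctls not readable (module not loaded?)" >&2
        return 3
    fi
    count=$(cat "$CONNTRACK_COUNT_FILE"); max=$(cat "$CONNTRACK_MAX_FILE")
    rc=0
    state=$(conntrack_status "$count" "$max" "$threshold") || rc=$?
    echo "conntrack: $count/$max entries in use ($state, threshold ${threshold}%)"
    return $rc
}
```

Run `check_conntrack_table` as root on a node; an exit status of 1 or 2 is the moment to act, before the fencing the post describes.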
 
