Hi all,
Let me introduce you to the following issue.
Context:
My environment uses Proxmox 3.4 (the issue exists also in Proxmox 4.0)
The firewall is activated on the "Datacenter" section with default configuration.
Rules are added for SSH and HTTPS/8006 for the Proxmox host.
A VM (kvm64) runs a Linux distribution without firewall on its interfaces.
An application initiates a SCTP connection to an external server but fails to connect to it.
The first SCTP packet SCTP_INIT is dropped.
Troubleshooting party:
The external server runs the following command:
Code:
withsctp nc -v -k -l 3200
The VM application is replaced by the command below:
Code:
withsctp nc -v <external_server_ip> 3200
Configuring additional logs with iptables on the Proxmox host, the following rule is identified as the source of the failure:
Code:
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
Quick and dirty workaround:
The configuration line above is set by that piece of code in the file /usr/share/perl5/PVE/Firewall.pm:
Code:
sub ruleset_chain_add_conn_filters {
    my ($ruleset, $chain, $accept) = @_;

    ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP");
    ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept");
}
A dirty solution could be to avoid SCTP analysis by putting specifically TCP and UDP:
Code:
ruleset_addrule($ruleset, $chain, "-m conntrack -p TCP --ctstate INVALID -j DROP");
ruleset_addrule($ruleset, $chain, "-m conntrack -p UDP --ctstate INVALID -j DROP");
The next step could be to analyse the conntrack source code, but do you have any comments or ideas?
Regards.
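The logging step described above (a LOG rule placed in front of the conntrack INVALID drop, then reading the kernel log to see which protocol the rule is actually hitting) can be scripted so that the attribution is repeatable. The following is an added example, not code from the post or from the Proxmox project; the log prefix `PVEFW-HOST-OUT-INV: ` and the sample kernel log lines are constructed for illustration, and the rule strings assume plain iptables syntax as used by the `PVEFW-HOST-OUT` chain quoted above.

```python
"""Attribute conntrack INVALID drops to protocols from kernel LOG output.

Added example (not from the original post or the Proxmox project). It assumes
a LOG rule with a hypothetical prefix has been placed directly in front of the
"-m conntrack --ctstate INVALID -j DROP" rule, so every packet that rule would
drop is first written to the kernel log with that prefix.
"""
import re
from collections import Counter

# Hypothetical log prefix; any short unique string works.
LOG_PREFIX = "PVEFW-HOST-OUT-INV: "

# xt_LOG prints TCP/UDP/ICMP/AH/ESP by name and every other protocol as a
# bare number, so SCTP (132) shows up as "PROTO=132" and needs mapping.
PROTO_NAMES = {6: "TCP", 17: "UDP", 132: "SCTP"}

# Constructed sample log lines (not captured from a real host): two SCTP
# packets and one TCP RST dropped by the INVALID rule, plus an unrelated line.
SAMPLE_LOG = """\
Oct 10 12:00:01 pve kernel: [ 1234.567890] PVEFW-HOST-OUT-INV: IN= OUT=vmbr0 SRC=192.0.2.10 DST=198.51.100.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=132
Oct 10 12:00:02 pve kernel: [ 1235.123456] PVEFW-HOST-OUT-INV: IN= OUT=vmbr0 SRC=192.0.2.10 DST=198.51.100.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=132
Oct 10 12:00:03 pve kernel: [ 1236.000000] PVEFW-HOST-OUT-INV: IN= OUT=vmbr0 SRC=192.0.2.10 DST=198.51.100.30 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=0 RES=0x00 RST URGP=0
Oct 10 12:00:04 pve kernel: unrelated message
"""


def diagnostic_rules(chain, prefix=LOG_PREFIX, limit="10/min"):
    """Return the iptables rule pair to use in place of the bare DROP: a
    rate-limited LOG rule followed by the DROP, both matching the same
    conntrack state so they see exactly the same packets."""
    common = f"-A {chain} -m conntrack --ctstate INVALID"
    return [
        f'{common} -m limit --limit {limit} -j LOG --log-prefix "{prefix}"',
        f"{common} -j DROP",
    ]


def parse_log_line(line, prefix=LOG_PREFIX):
    """Parse one kernel LOG line into a dict of KEY=value fields, collecting
    bare flag tokens (DF, RST, ...) under "flags". Returns None when the
    line does not carry the prefix."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    fields = {}
    for token in line[idx + len(prefix):].split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
        else:
            fields.setdefault("flags", []).append(token)
    proto = fields.get("PROTO", "")
    if proto.isdigit():
        fields["PROTO"] = PROTO_NAMES.get(int(proto), proto)
    return fields


def summarize_drops(log_text, prefix=LOG_PREFIX):
    """Count INVALID-state drops per (protocol, destination, destination port).
    Protocols that xt_LOG does not decode (such as SCTP) have no DPT field
    and are keyed with "-" for the port."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line, prefix)
        if rec is None:
            continue
        counts[(rec.get("PROTO", "?"), rec.get("DST", "?"), rec.get("DPT", "-"))] += 1
    return counts


def protocols_hit(log_text, prefix=LOG_PREFIX):
    """Set of protocol names the INVALID rule dropped. SCTP appearing here
    while TCP/UDP traffic to the same destinations works is the symptom
    described in the post."""
    return {proto for (proto, _, _) in summarize_drops(log_text, prefix)}


if __name__ == "__main__":
    for rule in diagnostic_rules("PVEFW-HOST-OUT"):
        print(rule)
    for (proto, dst, dpt), n in sorted(summarize_drops(SAMPLE_LOG).items()):
        print(f"{n:4d} x {proto:5s} -> {dst}:{dpt}")
```

Because xt_LOG only decodes TCP/UDP/ICMP/AH/ESP headers, the SCTP entries carry no chunk type or ports; the count per destination is still enough to confirm that every SCTP packet toward the external server is being classified INVALID, which is what the author observed for the INIT packet. The protocol-scoped workaround in the post (limiting the INVALID drop to `-p TCP` and `-p UDP`) removes the drop for SCTP, but it also removes it for every other protocol, so the counts from this parser are worth re-checking after the change to make sure nothing else relied on that rule.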