proxmox-firewall (nftables) and conntrack

Nov 23, 2023
Hi,

The topic of "conntrack state migration not supported or disabled, active connections might get dropped" has been discussed multiple times, and there are a few posts regarding fixes in qemu-server; the last fix is in 9.1.3 if I understood correctly. I read a lot of those. This issue/question is NOT related to those bugs.

I understood that I have to use "nftables" in Proxmox 9 to properly support conntrack; it is enabled on each host in Firewall -> Options -> nftables = yes.

What else do I need to do?

- Restart all VMs? Or does conntrack work for each VM that was restarted?
- Do I need to enable the firewall on each virtual machine in Firewall -> Options?
- Do I need to enable firewalling on the respective interface of a VM in the interface settings?

What I have confirmed already:

- nftables enabled
- the proxmox-firewall systemd unit is active and running

What I tested:

- enabled the firewall on one VM
- set INPUT and OUTPUT to default ACCEPT
- enabled the firewall on the interface
- tried a live migration with the "conntrack" tick mark on

and I still get the conntrack error notification.

---

I am not sure how to proceed. Maybe someone can point me in the right direction.

Thanks already

Soeren
 
- Restart all VMs? Or does conntrack work for each VM that was restarted?
Restarting VMs should not be necessary.

- Do I need to enable the firewall on each virtual machine in Firewall -> Options?
- Do I need to enable firewalling on the respective interface of a VM in the interface settings?
Yes & yes. Conntrack migration depends on the firewall being active, as that sets up the traffic marking required for state migration.
(This isn't documented as such in the admin guide, will improve that.)

You can check whether the corresponding nftables rules are created using nft list ruleset | grep -i mark, and whether connections are marked correctly by running conntrack --dump --mark <vmid>, e.g. conntrack --dump --mark 100.

You may want to also check the log of the firewall daemon using journalctl -b -u proxmox-firewall, just in case there are any errors.
 
Hi,

Thanks for the reply. OK, I am testing on one machine. When it is on one PVE server and I execute nft list ruleset | grep -i mark, I can see 2 entries with ct mark set, both with the same number behind it, and some entries with source and destination IPs when executing conntrack --dump --mark. Before doing that, I see nothing on the second machine.

When migrating I still get the warning "conntrack state migration not supported or disabled, active connections might get dropped", with no warnings in the journal.

After the migration, the "ct mark set" output is only on the second machine (as expected), while the command for entries per machine does reveal some leftovers on the first (source) machine: IPv6 link-local entries and a multicast entry.

When SSHing into the machine and then migrating, I see the entry from conntrack --dump --mark 100 on both machines, so it seems to be synchronized, but I cannot verify it 100% or whether that happens in all situations. What worries me, though, is that I still get the warning in the task that it cannot conntrack.

Any idea?

Cheers
Soeren
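The checks suggested in the staff reply (nft list ruleset | grep -i mark, conntrack --dump --mark <vmid>, journalctl -b -u proxmox-firewall) and the leftover IPv6 link-local and multicast entries reported in the last post can be tied together in a small POSIX shell helper. This is an added example, not code from the forum posters or from the Proxmox project. It assumes the nftables rule text contains "ct mark set <vmid>" literally (as the poster observed) and that conntrack prints one flow per line with src=, dst= and mark= fields; the sample rule lines and sample conntrack dump embedded below are constructed, not captured from a real host. The live report needs root on a PVE host with the conntrack tool installed.

```shell
#!/bin/sh
# Added example (not from the Proxmox forum posts or the proxmox-firewall project):
# count the "ct mark set <vmid>" rules and the conntrack entries marked with a VMID,
# and separate IPv6 link-local / multicast flows from real guest connections.
# The counting functions read command output from stdin so they can be run on
# constructed text as well as on live `nft` / `conntrack` output.

# Constructed sample of `nft list ruleset` lines (assumed rule form "ct mark set <vmid>").
SAMPLE_NFT_RULESET='        ct mark set 100
        ct mark set 100
        ct mark set 1000'

# Constructed sample of `conntrack --dump --mark 100` output: two real guest flows,
# one mDNS flow from a link-local source to a multicast group, one ICMPv6 router
# solicitation. Addresses and timers are made up for illustration.
SAMPLE_CONNTRACK_DUMP='tcp      6 431995 ESTABLISHED src=192.0.2.10 dst=192.0.2.20 sport=54321 dport=22 src=192.0.2.20 dst=192.0.2.10 sport=22 dport=54321 [ASSURED] mark=100 use=1
udp      17 28 src=192.0.2.10 dst=192.0.2.53 sport=40000 dport=53 src=192.0.2.53 dst=192.0.2.10 sport=53 dport=40000 mark=100 use=1
udp      17 25 src=fe80::5054:ff:fe12:3456 dst=ff02::fb sport=5353 dport=5353 src=ff02::fb dst=fe80::5054:ff:fe12:3456 sport=5353 dport=5353 mark=100 use=1
icmpv6   58 29 src=fe80::5054:ff:fe12:3456 dst=ff02::2 type=133 code=0 id=0 src=ff02::2 dst=fe80::5054:ff:fe12:3456 type=134 code=0 id=0 mark=100 use=1'

# count_ct_mark_rules VMID  (stdin: nft list ruleset)
# Counts rule lines that set the conntrack mark to exactly VMID; "set 1000" must
# not be counted for VMID 100, hence the trailing non-digit / end-of-line check.
count_ct_mark_rules() {
    grep -cE "ct mark set $1([^0-9]|\$)" || true   # grep -c exits 1 on zero matches
}

# count_marked_connections VMID  (stdin: conntrack --dump output)
# Counts flows whose mark= field equals VMID exactly.
count_marked_connections() {
    grep -cE "(^|[[:space:]])mark=$1([^0-9]|\$)" || true
}

# count_noise_connections  (stdin: conntrack --dump output)
# Counts flows with an IPv6 link-local source (fe80::/10) or multicast destination
# (ff00::/8). These are node-local and are the kind of leftovers one may still see
# on the source host after a migration; they are not guest TCP/UDP sessions.
count_noise_connections() {
    grep -cE 'src=fe[89ab][0-9a-f]:|dst=ff[0-9a-f]{2}:' || true
}

# report_vmid VMID: run the three checks from the staff reply against the live host.
report_vmid() {
    vmid="$1"
    echo "ct mark set rules for VMID $vmid: $(nft list ruleset | count_ct_mark_rules "$vmid")"
    dump=$(conntrack --dump --mark "$vmid" 2>/dev/null)
    echo "conntrack entries marked $vmid: $(printf '%s\n' "$dump" | count_marked_connections "$vmid")"
    echo "  of which IPv6 link-local/multicast: $(printf '%s\n' "$dump" | count_noise_connections)"
    echo "proxmox-firewall warnings and errors since boot:"
    journalctl -b -u proxmox-firewall -p warning --no-pager
}

# Only touch nft/conntrack/journalctl when a VMID is passed on the command line.
if [ -n "${1:-}" ]; then
    report_vmid "$1"
fi
```

Run it as root on the source host before the migration and on the target afterwards (for example sh check-ct.sh 100); a VMID with zero "ct mark set" rules means the firewall is not active for that guest, and a nonzero marked-connection count that consists only of link-local/multicast flows is the leftover pattern described above rather than an unsynchronized session.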