Stateless / no connection tracking iptables firewall possible? Answer: not possible.

mailinglists (Renowned Member, Mar 14, 2012)
Hi guys,

for the simple limiting of IPs to KVM VMs I do not need a stateful connection tracking firewall (performance reasons). Is there an official way to disable connection tracking?

If not, I'll just add a custom iptables rule in the raw table and mark everything as non-tracking.
 
I did the latter and it works perfectly.
EDIT: It does not work. See comments below. But basically PM Web GUI ACCEPT does not mean -j ACCEPT but -g PVEFW-SET-ACCEPT-MARK. :-/
 
You will not have connection tracking of packets already discarded, will you? So using "the normal firewall" should be sufficient. Normally I never encountered a system where connection tracking was a real latency nightmare, did you?
 
Because we will just limit available IPs to the guest (no S/D NAT), pretty much all packets get tracked (none are normally discarded unless user tries to use IPs he's not allowed to).

When pushing to the maximum PPS which we can via Linux kernels (around 1.8 million PPS in practice), connection tracking reduces that number by 60+% (until we start getting dropped packets) in my tests. Connection tracking also eats RAM besides CPU cycles. And I also do not feel like changing maximum / default values after work just because we reached the limit of the conntrack table, or breaching RFC IPv4 standards by changing the connection timeout value and closing open connections before 5 days are over, just because we do not have a big enough connection tracking table.

While I agree that for not-so-busy servers the connection tracking penalty might be negligible, for production servers which have many users or a high volume of small packets this definitely is a problem. And not just in terms of latency, but also of silent packet drops / discards, which are especially painful for stateless protocols like UDP (for example ordinary DNS request packets, and sites not resolving).

I'm just guessing here, but there might be cases where people just went and bought faster hardware, just to be able to forward packets reliably instead of just disabling packet tracking.
 
Thank you for the reply. Up to now, I've never faced such a big PPS count. Almost all of my storage systems are FC-based and that does the heavy lifting for me; the network is often negligible (compared to your 1.8M PPS).
 
I did disable connection tracking with two simple iptables rules in the raw table, but then, because the PM Web GUI lies about the rules it will add, it just blocks all the traffic for the VM.

For example, I changed the default chain policy for in and out for a specific VM to DENY and then added two simple rules to allow traffic from and to just one IP. It did not work, because the PM Web GUI, instead of adding -j ACCEPT, does -g PVEFW-SET-ACCEPT-MARK, which is later used to accept based on the connection tracking module!

It seems one has to use a stateful firewall or nothing at all with ProxMox. So while I did early tests without the PM GUI and it worked (just iptables rules by hand), when using the PM GUI it does not work, because the action in the web interface is not really an iptables action per se.
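Added example, not from this thread and not Proxmox's own code: it shows the two raw-table NOTRACK rules the first post refers to (their exact form is an assumption; the thread does not show them) and a check, run over a constructed iptables-save excerpt, for the behaviour the last post describes: a GUI "ACCEPT" that arrives as `-g PVEFW-SET-ACCEPT-MARK` rather than `-j ACCEPT`, next to the chains that match on conntrack state and therefore stop applying to untracked packets. The chain names `tap100i0-IN`/`tap100i0-OUT`, the address 203.0.113.10 and the mark value are assumed sample values, not taken from a real host.

```shell
#!/bin/sh
# Constructed iptables-save excerpt (assumed layout, not a dump from a real
# Proxmox host). It mirrors the thread's report: per-VM rules go to the
# PVEFW-SET-ACCEPT-MARK chain instead of ACCEPT, and the forward path matches
# on conntrack state. The mark value is a placeholder.
SAMPLE_RULES='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:tap100i0-IN - [0:0]
:tap100i0-OUT - [0:0]
-A FORWARD -j PVEFW-FORWARD
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A tap100i0-IN -s 203.0.113.10/32 -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-IN -j DROP
-A tap100i0-OUT -d 203.0.113.10/32 -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -j DROP
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
COMMIT'

# Count rules in chain $1 (read from stdin) that are a goto (-g) into the
# accept-mark chain; these are what the GUI emits for "ACCEPT".
count_mark_gotos() {
    awk -v chain="$1" \
        '$1 == "-A" && $2 == chain && /-g PVEFW-SET-ACCEPT-MARK/ { n++ }
         END { print n + 0 }'
}

# Count rules in chain $1 (stdin) that end in a plain "-j ACCEPT".
count_plain_accepts() {
    awk -v chain="$1" \
        '$1 == "-A" && $2 == chain && $(NF-1) == "-j" && $NF == "ACCEPT" { n++ }
         END { print n + 0 }'
}

# Print, space separated, every chain (stdin) that carries a conntrack state
# match. Packets excluded from tracking never satisfy such a match, so these
# chains behave differently once NOTRACK rules are in place.
conntrack_chains() {
    awk '$1 == "-A" && /-m conntrack/ && !seen[$2]++ {
             printf "%s%s", sep, $2; sep = " "
         }
         END { print "" }'
}

# Emit (rather than execute, so this runs without root) the two raw-table
# rules that exclude all traffic from connection tracking. Assumed form.
notrack_rules() {
    printf 'iptables -t raw -A PREROUTING -j NOTRACK\n'
    printf 'iptables -t raw -A OUTPUT -j NOTRACK\n'
}

# Demo on the constructed sample.
echo "goto-mark rules in tap100i0-IN:  $(printf '%s\n' "$SAMPLE_RULES" | count_mark_gotos tap100i0-IN)"
echo "plain ACCEPT rules in tap100i0-IN: $(printf '%s\n' "$SAMPLE_RULES" | count_plain_accepts tap100i0-IN)"
echo "chains matching on conntrack: $(printf '%s\n' "$SAMPLE_RULES" | conntrack_chains)"
echo "raw-table rules that would disable tracking:"
notrack_rules
```

On a real host, replace `SAMPLE_RULES` with the output of `iptables-save` (as root) and the chain name with the VM's actual port chain; a non-zero goto count together with a non-empty conntrack chain list is the combination the thread describes as incompatible with the raw-table NOTRACK rules.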
 
