From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id A714970EBB for ; Tue, 6 Apr 2021 12:19:37 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 651B22C34C for ; Tue, 6 Apr 2021 12:19:37 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id D708D2C341 for ; Tue, 6 Apr 2021 12:19:36 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id A120741F4F for ; Tue, 6 Apr 2021 12:19:36 +0200 (CEST) Date: Tue, 6 Apr 2021 12:19:34 +0200 From: Dominic =?iso-8859-1?Q?J=E4ger?= To: Proxmox VE development discussion Message-ID: <20210406101934.GA76758@mala> References: <20210216165642.16600-1-m.limbeck@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20210216165642.16600-1-m.limbeck@proxmox.com> User-Agent: Mutt/1.10.1 (2018-07-13) X-SPAM-LEVEL: Spam detection results: 0 AWL 1.612 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [PATCH v3 conntrack-tool 1/4] initial commit X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Apr 2021 10:19:37 -0000 On Tue, Feb 16, 2021 at 05:56:39PM +0100, Mira Limbeck wrote: > Dumping conntrack information and importing conntrack information works > for IPv4 and IPv6. No filtering is supported for now. pve-conntrack-tool > will always return both IPv4 and IPv6 conntracks together. > > Conntracks are serialized as JSON and printed on STDOUT line by line > with one line containing one conntrack. When inserting data is read > from STDIN line by line and expected to be one JSON object per line > representing the conntrack. When comparing conntrack -L and pve-conntrack-tool dump gave equivalent outputs. It might be a bit confusing that the tool uses converted values, e.g. for ports. But I think this shouldn't matter as it's internal. With firewall enabled on both nodes and cluster > cat /etc/pve/firewall/cluster.fw /etc/pve/nodes/pveA/host.fw /etc/pve/nodes/pveB/host.fw | grep enable > enable: 1 > enable: 1 > enable: 1 and tcp_loose deactivated on both nodes > sysctl net.netfilter.nf_conntrack_tcp_loose > net.netfilter.nf_conntrack_tcp_loose = 0 I could copy test flow entries like > conntrack -I -p tcp -t 60 --src 127.0.0.1 --dst 1.1.1.1 --state LISTEN --sport 80 --dport 55555 > pve-conntrack-tool dump | ssh root@192.168.25.147 pve-conntrack-tool insert from node A to B >conntrack -L | grep 55555 >tcp 6 52 SYN_SENT2 src=127.0.0.1 dst=1.1.1.1 sport=80 dport=55555 [UNREPLIED] src=1.1.1.1 dst=127.0.0.1 sport=55555 dport=80 mark=0 use=1 and looking at the number of flow entries it seems the other flow entries have been copied, too. What still confuses me a little is live migration. Not sure if I'm doing this right. Without the new option > qm migrate 150 pveB --online the SSH connection to the migrating guest broke (OK, I guess) but after reconnecting the old flow entries were still there? Shouldn't they vanish? With the new option > qm migrate 150 pveA --online --migrate-conntracks the SSH connection to the guest sometimes remained working and sometimes not (and the entries survived). Tested-by: Dominic Jäger