From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <d.jaeger@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id A714970EBB
 for <pve-devel@lists.proxmox.com>; Tue,  6 Apr 2021 12:19:37 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 651B22C34C
 for <pve-devel@lists.proxmox.com>; Tue,  6 Apr 2021 12:19:37 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [212.186.127.180])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS id D708D2C341
 for <pve-devel@lists.proxmox.com>; Tue,  6 Apr 2021 12:19:36 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id A120741F4F
 for <pve-devel@lists.proxmox.com>; Tue,  6 Apr 2021 12:19:36 +0200 (CEST)
Date: Tue, 6 Apr 2021 12:19:34 +0200
From: Dominic Jäger <d.jaeger@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Message-ID: <20210406101934.GA76758@mala>
References: <20210216165642.16600-1-m.limbeck@proxmox.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20210216165642.16600-1-m.limbeck@proxmox.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-SPAM-LEVEL: Spam detection results:  0
 AWL 1.612 Adjusted score from AWL reputation of From: address
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 RCVD_IN_DNSWL_MED        -2.3 Sender listed at https://www.dnswl.org/,
 medium trust
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: Re: [pve-devel] [PATCH v3 conntrack-tool 1/4] initial commit
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Tue, 06 Apr 2021 10:19:37 -0000

On Tue, Feb 16, 2021 at 05:56:39PM +0100, Mira Limbeck wrote:
> Dumping conntrack information and importing conntrack information works
> for IPv4 and IPv6. No filtering is supported for now. pve-conntrack-tool
> will always return both IPv4 and IPv6 conntracks together.
> 
> Conntracks are serialized as JSON and printed on STDOUT line by line,
> with one line containing one conntrack. When inserting, data is read
> from STDIN line by line and expected to be one JSON object per line
> representing the conntrack.

Comparing conntrack -L and pve-conntrack-tool dump gave equivalent
outputs. It might be a bit confusing that the tool uses converted values, e.g.
for ports. But I think this shouldn't matter as it's internal.

With firewall enabled on both nodes and cluster

> cat /etc/pve/firewall/cluster.fw /etc/pve/nodes/pveA/host.fw /etc/pve/nodes/pveB/host.fw | grep enable
> enable: 1
> enable: 1
> enable: 1

and tcp_loose deactivated on both nodes

> sysctl net.netfilter.nf_conntrack_tcp_loose
> net.netfilter.nf_conntrack_tcp_loose = 0

I could copy test flow entries like
> conntrack -I -p tcp -t 60 --src 127.0.0.1 --dst 1.1.1.1 --state LISTEN --sport 80 --dport 55555
> pve-conntrack-tool dump | ssh root@192.168.25.147 pve-conntrack-tool insert

from node A to B

> conntrack -L | grep 55555
> tcp      6 52 SYN_SENT2 src=127.0.0.1 dst=1.1.1.1 sport=80 dport=55555 [UNREPLIED] src=1.1.1.1 dst=127.0.0.1 sport=55555 dport=80 mark=0 use=1

and looking at the number of flow entries it seems the other flow entries have been copied, too.


What still confuses me a little is live migration. Not sure if I'm doing this right.

Without the new option
> qm migrate 150 pveB --online

the SSH connection to the migrating guest broke (OK, I guess) but after
reconnecting the old flow entries were still there? Shouldn't they vanish?

With the new option
> qm migrate 150 pveA --online --migrate-conntracks

the SSH connection to the guest sometimes remained working and sometimes not
(and the entries survived).

Tested-by: Dominic Jäger <d.jaeger@proxmox.com>
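As an added illustration of the dump/insert format the patch description sketches (one JSON object per line on STDOUT, one per line on STDIN) and of the check made above by comparing the number of flow entries, here is a small Python script. It is example code written for this note, not pve-conntrack-tool's own implementation: the JSON field names (`orig`, `reply`, `proto_num`, `timeout`, `flags`) are assumptions, and the `conntrack -L` sample lines are constructed, with only the first one mirroring the entry shown in the mail. It parses `conntrack -L` lines into separate original and reply tuples, writes them as JSON lines, validates JSON lines on the way back in, and reports flows that went missing on the receiving side by matching protocol and original tuple rather than by count alone.

```python
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the shape that `conntrack -L` prints; the first line
# mirrors the entry from the mail, the other two are made up for this example.
SAMPLE_CONNTRACK_L = """\
tcp      6 52 SYN_SENT2 src=127.0.0.1 dst=1.1.1.1 sport=80 dport=55555 [UNREPLIED] src=1.1.1.1 dst=127.0.0.1 sport=55555 dport=80 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.25.10 dst=192.168.25.147 sport=52344 dport=22 src=192.168.25.147 dst=192.168.25.10 sport=22 dport=52344 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.25.10 dst=192.168.25.1 sport=40000 dport=53 src=192.168.25.1 dst=192.168.25.10 sport=53 dport=40000 mark=0 use=1
"""

TUPLE_KEYS = ("src", "dst", "sport", "dport")
INT_KEYS = {"sport", "dport", "mark", "use"}


def parse_conntrack_line(line: str) -> Dict:
    """Parse one `conntrack -L` line into a dict with separate original and
    reply tuples (field names are this example's own, not the tool's).
    Protocols without a state column (e.g. udp) are detected by checking
    whether the fourth token is a key=value pair."""
    tokens = line.split()
    if len(tokens) < 4:
        raise ValueError(f"not a conntrack line: {line!r}")
    entry = {
        "proto": tokens[0],
        "proto_num": int(tokens[1]),
        "timeout": int(tokens[2]),
        "state": None,
        "orig": {},
        "reply": {},
        "flags": [],
    }
    rest = tokens[3:]
    if "=" not in rest[0] and not rest[0].startswith("["):
        entry["state"] = rest.pop(0)
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok[1:-1])  # e.g. UNREPLIED, ASSURED
            continue
        key, _, value = tok.partition("=")
        if key in TUPLE_KEYS:
            # first src/dst/sport/dport set is the original direction,
            # the second set is the reply direction
            side = "orig" if key not in entry["orig"] else "reply"
            entry[side][key] = int(value) if key in INT_KEYS else value
        else:
            entry[key] = int(value) if key in INT_KEYS else value
    return entry


def dump_json_lines(conntrack_output: str) -> str:
    """One JSON object per line, the shape the patch description gives for dump."""
    return "".join(
        json.dumps(parse_conntrack_line(line), sort_keys=True) + "\n"
        for line in conntrack_output.splitlines()
        if line.strip()
    )


def load_json_lines(text: str) -> List[Dict]:
    """Read one JSON object per line and reject entries that lack the fields an
    insert would need, instead of silently creating a half-specified flow."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        obj = json.loads(line)
        if "proto_num" not in obj or "timeout" not in obj:
            raise ValueError(f"line {lineno}: missing protocol or timeout")
        for side in ("orig", "reply"):
            missing = [k for k in TUPLE_KEYS if k not in obj.get(side, {})]
            if missing:
                raise ValueError(f"line {lineno}: {side} tuple lacks {missing}")
        entries.append(obj)
    return entries


def flow_key(entry: Dict) -> Tuple:
    o = entry["orig"]
    return (entry["proto_num"], o["src"], o["dst"], o["sport"], o["dport"])


def missing_after_copy(source: Iterable[Dict], target: Iterable[Dict]) -> List[Tuple]:
    """Flows present on the source node but absent on the target, matched by
    protocol and original tuple. A plain count comparison would miss a lost
    entry whenever an unrelated flow appeared on the target in the meantime."""
    target_keys = {flow_key(e) for e in target}
    return sorted(k for k in (flow_key(e) for e in source) if k not in target_keys)


if __name__ == "__main__":
    dumped = dump_json_lines(SAMPLE_CONNTRACK_L)
    print(dumped, end="")
    copied = load_json_lines(dumped)
    # simulate a target node that received every flow except the DNS one
    print(missing_after_copy(copied, copied[:2]))
```

Running the script prints the three entries as JSON lines and then the one flow key (the udp/53 entry) that the simulated target is missing; an empty list means every original tuple from the source was found on the target.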