public inbox for pve-devel@lists.proxmox.com
* [pve-devel] applied: [PATCH firewall] increase default nf_conntrack_max to kernel default
@ 2021-07-08  7:36 wb
  2021-07-08  7:51 ` Thomas Lamprecht
  2021-07-08 20:01 ` alexandre derumier
  0 siblings, 2 replies; 3+ messages in thread
From: wb @ 2021-07-08  7:36 UTC (permalink / raw)
  To: Thomas Lamprecht; +Cc: pve-devel

Hello Thomas,

Currently with Proxmox, I have a Kubernetes node running on LXC. However, I have encountered an issue on the Container Network Interface (CNI) side and in order for it to work, the parameter /proc/sys/net/netfilter/nf_conntrack_max must be raised.

You know that the container settings are managed by the hypervisor. However, something prevents going above 262144. By searching a bit in your code, I found the limitation in Firewall.pm. I raised this value and the CNI works again.

The last change was in this commit that you made.
https://lists.proxmox.com/pipermail/pve-devel/2019-October/039748.html

Is it possible to take into consideration the increase of this parameter in your code?

Waiting for your feedback.

Sincerely.

Julien BLAIS



* Re: [pve-devel] applied: [PATCH firewall] increase default nf_conntrack_max to kernel default
  2021-07-08  7:36 [pve-devel] applied: [PATCH firewall] increase default nf_conntrack_max to kernel default wb
@ 2021-07-08  7:51 ` Thomas Lamprecht
  2021-07-08 20:01 ` alexandre derumier
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Lamprecht @ 2021-07-08  7:51 UTC (permalink / raw)
  To: Proxmox VE development discussion, wb

Hello Julien,

On 08.07.21 09:36, wb wrote:
> Hello Thomas,
> 
> Currently with Proxmox, I have a Kubernetes node running on LXC. However, I have encountered an issue on the Container Network Interface (CNI) side and in order for it to work, the parameter /proc/sys/net/netfilter/nf_conntrack_max must be raised.
> 
> You know that the container settings are managed by the hypervisor. However, something prevents going above 262144. By searching a bit in your code, I found the limitation in Firewall.pm. I raised this value and the CNI works again.
> 
> The last change was in this commit that you made.
> https://lists.proxmox.com/pipermail/pve-devel/2019-October/039748.html
> 
> Is it possible to take into consideration the increase of this parameter in your code?
> 

FYI, you can already override that setting in the node firewall options in the web-interface;
if set manually, that value will always be preferred, at least as long as the value is bigger than
the default of 262144.

cheers,
Thomas




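The override rule Thomas describes (a manually configured nf_conntrack_max wins only when it is larger than the 262144 default) is easy to get wrong when you also want to confirm the running kernel actually picked it up. The following is an added example, not pve-firewall code: it parses an assumed INI-style host firewall file (an [OPTIONS] section with "key: value" lines, the key name nf_conntrack_max, and the /etc/pve path are all assumptions for illustration), computes the value that rule would yield, and compares it with /proc/sys/net/netfilter/nf_conntrack_max. The sample config is constructed.

```python
"""Effective nf_conntrack_max under a 'configured value wins only if larger
than the default' rule, plus a check against the running kernel.

Added example; not code from pve-firewall. The config layout, the option key
name and the path are assumptions for illustration."""
import re

PVE_DEFAULT_NF_CONNTRACK_MAX = 262144  # default named in the thread
PROC_PATH = "/proc/sys/net/netfilter/nf_conntrack_max"
ASSUMED_HOST_FW_PATH = "/etc/pve/local/host.fw"  # assumed location


def parse_options(config_text):
    """Parse the [OPTIONS] section of an INI-like file into a dict.

    Assumed layout: a [OPTIONS] header followed by 'key: value' lines until
    the next [section]; '#' starts a comment. Other sections are skipped."""
    opts = {}
    in_options = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            in_options = m.group(1).upper() == "OPTIONS"
            continue
        if in_options:
            key, sep, val = line.partition(":")
            if sep:
                opts[key.strip()] = val.strip()
    return opts


def effective_conntrack_max(config_text, default=PVE_DEFAULT_NF_CONNTRACK_MAX):
    """Apply the rule from the reply: a manually configured value is used
    only when it is larger than the default; otherwise the default wins.
    Missing key -> default. Non-integer value -> ValueError, so a typo in
    the config fails loudly instead of silently falling back."""
    raw = parse_options(config_text).get("nf_conntrack_max")
    if raw is None:
        return default
    try:
        configured = int(raw)
    except ValueError:
        raise ValueError(f"nf_conntrack_max is not an integer: {raw!r}")
    return max(default, configured)


def read_live_value(path=PROC_PATH):
    """Read the kernel's current table limit (host namespace only; an LXC
    guest sees the same sysctl but cannot raise it)."""
    with open(path) as f:
        return int(f.read().strip())


def check_host(config_text, path=PROC_PATH):
    """Return (expected, live, ok); ok is False when the running kernel is
    below what the config should have produced, i.e. the override was not
    applied (firewall not enabled/restarted, value below default, ...)."""
    expected = effective_conntrack_max(config_text)
    live = read_live_value(path)
    return expected, live, live >= expected


# Constructed sample config, not taken from a real node.
SAMPLE_CONFIG = """\
[OPTIONS]
enable: 1
nf_conntrack_max: 1048576   # raised for a CNI-heavy k8s node

[RULES]
IN SSH(ACCEPT) -log nolog
"""

if __name__ == "__main__":
    print("effective from sample config:", effective_conntrack_max(SAMPLE_CONFIG))
    try:
        expected, live, ok = check_host(SAMPLE_CONFIG)
        print(f"expected={expected} live={live} ok={ok}")
    except OSError as e:  # not on Linux, or no netfilter module loaded
        print("cannot read live value:", e)
```

A configured value of, say, 1000 yields 262144 under this rule, which is the behaviour to keep in mind when the web-interface field looks set but the kernel shows the default.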

* Re: [pve-devel] applied: [PATCH firewall] increase default nf_conntrack_max to kernel default
  2021-07-08  7:36 [pve-devel] applied: [PATCH firewall] increase default nf_conntrack_max to kernel default wb
  2021-07-08  7:51 ` Thomas Lamprecht
@ 2021-07-08 20:01 ` alexandre derumier
  1 sibling, 0 replies; 3+ messages in thread
From: alexandre derumier @ 2021-07-08 20:01 UTC (permalink / raw)
  To: Proxmox VE development discussion, Thomas Lamprecht

Hi,
you can change it in the Proxmox node firewall options.


Le jeudi 08 juillet 2021 à 09:36 +0200, wb a écrit :
> Hello Thomas,
> 
> Currently with Proxmox, I have a Kubernetes node running on LXC.
> However, I have encountered an issue on the Container Network
> Interface (CNI) side and in order for it to work, the parameter
> /proc/sys/net/netfilter/nf_conntrack_max must be raised.
> 
> You know that the container settings are managed by the hypervisor.
> However, something prevents going above 262144. By searching a bit in
> your code, I found the limitation in Firewall.pm. I raised this value
> and the CNI works again.
> 
> The last change was in this commit that you made.
> https://lists.proxmox.com/pipermail/pve-devel/2019-October/039748.html
> 
> Is it possible to take into consideration the increase of this
> parameter in your code?
> 
> Waiting for your feedback.
> 
> Sincerely.
> 
> Julien BLAIS
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 




