* [pve-devel] applied: [PATCH firewall] increase default nf_conntrack_max to kernel default
From: wb @ 2021-07-08 7:36 UTC (permalink / raw)
To: Thomas Lamprecht; +Cc: pve-devel
Hello Thomas,
Currently with Proxmox, I have a Kubernetes node running on LXC. However, I have encountered an issue on the Container Network Interface (CNI) side and in order for it to work, the parameter /proc/sys/net/netfilter/nf_conntrack_max must be raised.
You know that the container settings are managed by the hypervisor. However, something prevents going above 262144. Searching a bit in your code, I found the limitation in Firewall.pm. I raised this value and the CNI works again.
The last change was in this commit that you made.
https://lists.proxmox.com/pipermail/pve-devel/2019-October/039748.html
Is it possible to take into consideration the increase of this parameter in your code?
Waiting for your feedback.
Sincerely.
Julien BLAIS
* Re: [pve-devel] applied: [PATCH firewall] increase default nf_conntrack_max to kernel default
From: Thomas Lamprecht @ 2021-07-08 7:51 UTC (permalink / raw)
To: Proxmox VE development discussion, wb
Hello Julien,
On 08.07.21 09:36, wb wrote:
> Hello Thomas,
>
> Currently with Proxmox, I have a Kubernetes node running on LXC. However, I have encountered an issue on the Container Network Interface (CNI) side and in order for it to work, the parameter /proc/sys/net/netfilter/nf_conntrack_max must be raised.
>
> You know that the container settings are managed by the hypervisor. However, something prevents going above 262144. Searching a bit in your code, I found the limitation in Firewall.pm. I raised this value and the CNI works again.
>
> The last change was in this commit that you made.
> https://lists.proxmox.com/pipermail/pve-devel/2019-October/039748.html
>
> Is it possible to take into consideration the increase of this parameter in your code?
>
FYI, you can already override that setting in the node firewall options in the web interface;
if set manually, that value will always be preferred, at least as long as the value is bigger than
the default of 262144.
cheers,
Thomas
* Re: [pve-devel] applied: [PATCH firewall] increase default nf_conntrack_max to kernel default
From: alexandre derumier @ 2021-07-08 20:01 UTC (permalink / raw)
To: Proxmox VE development discussion, Thomas Lamprecht
Hi,
you can change it in the proxmox node firewall options.
On Thursday, 8 July 2021 at 09:36 +0200, wb wrote:
> Hello Thomas,
>
> Currently with Proxmox, I have a Kubernetes node running on LXC.
> However, I have encountered an issue on the Container Network
> Interface (CNI) side and in order for it to work, the parameter
> /proc/sys/net/netfilter/nf_conntrack_max must be raised.
>
> You know that the container settings are managed by the hypervisor.
> However, something prevents going above 262144. Searching a bit in
> your code, I found the limitation in Firewall.pm. I raised this value
> and the CNI works again.
>
> The last change was in this commit that you made.
> https://lists.proxmox.com/pipermail/pve-devel/2019-October/039748.html
>
> Is it possible to take into consideration the increase of this
> parameter in your code?
>
> Waiting for your feedback.
>
> Sincerely.
>
> Julien BLAIS
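Both replies point at the node firewall options as the place to raise the limit, and Thomas states the precedence rule: a manually set value is used only when it is bigger than the 262144 default. The following is an added example, not code from the thread or from pve-firewall, that turns that rule into a check an operator can run: it parses the `[OPTIONS]` section of a host firewall file, derives the value the rule implies, and compares it with what the kernel is actually running. It assumes the host firewall file lives at `/etc/pve/nodes/<node>/host.fw` with `key: value` lines under `[OPTIONS]`, and the sample file and numbers below are constructed.

```python
"""Sanity check for Proxmox VE conntrack sizing: compare the value a node's
host firewall options imply with the value the kernel is actually running.

Assumptions (not taken from the thread): the host firewall file lives at
/etc/pve/nodes/<node>/host.fw and its [OPTIONS] section holds
'nf_conntrack_max: <int>' lines; the precedence rule follows Thomas's reply
(a manual value wins only when it is larger than the 262144 default)."""
import re

PVE_FIREWALL_DEFAULT = 262144   # default named in the thread (Firewall.pm)
PROC_PATH = "/proc/sys/net/netfilter/nf_conntrack_max"

# Constructed sample host.fw, not a real node's configuration.
SAMPLE_HOST_FW = """\
[OPTIONS]
enable: 1
# raised for a CNI-heavy container host
nf_conntrack_max: 1048576

[RULES]
IN ACCEPT -p tcp -dport 22
"""

SECTION_RE = re.compile(r"\[\s*([A-Za-z]+)[^\]]*\]")


def parse_host_fw_options(text):
    """Return the key/value pairs of the [OPTIONS] section as strings."""
    options = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = SECTION_RE.fullmatch(line)
        if m:
            section = m.group(1).upper()
            continue
        if section == "OPTIONS" and ":" in line:
            key, value = line.split(":", 1)
            options[key.strip()] = value.strip()
    return options


def effective_conntrack_max(options, default=PVE_FIREWALL_DEFAULT):
    """Value pve-firewall would apply under the rule from Thomas's reply."""
    raw = options.get("nf_conntrack_max")
    if raw is None:
        return default
    try:
        configured = int(raw)
    except ValueError:
        return default          # unparsable value: treat as unset
    return configured if configured > default else default


def read_proc_value(path=PROC_PATH):
    """Current kernel value, or None when not running on a Linux host."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def check_node(host_fw_text, actual):
    """Compare the configured expectation with the running value.

    'ok' is False when the kernel table is smaller than the config implies:
    a full conntrack table drops new flows (an availability problem), so a
    silent mismatch is worth catching."""
    expected = effective_conntrack_max(parse_host_fw_options(host_fw_text))
    return {"expected": expected, "actual": actual,
            "ok": actual is not None and actual >= expected}


if __name__ == "__main__":
    # Constructed scenario: config asks for 1048576 but the kernel is at
    # the default, so the check reports a mismatch.
    print(check_node(SAMPLE_HOST_FW, 262144))
    # On a real node, pass read_proc_value() and the file contents instead.
```

A value below the default is deliberately mapped back to 262144 rather than reported as an error, matching the reply's "only if bigger" rule; if that ever changes in Firewall.pm, the single `effective_conntrack_max` function is the only place to adjust.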