From: Alexandre Derumier
Date: Sat, 17 Oct 2020 17:42:29 +0200
To: Proxmox VE development discussion
Subject: Re: [pve-devel] [PATCH qemu-server] copy conntrack information on migration
In-Reply-To: <20201016132417.5175-3-m.limbeck@proxmox.com>
References: <20201016132417.5175-1-m.limbeck@proxmox.com> <20201016132417.5175-3-m.limbeck@proxmox.com>

Hi,

thanks for this patch!

It could be interesting to see if it's working fine with

sysctl -w net/netfilter/nf_conntrack_tcp_loose=0

This is to avoid ACK flood DDoS (where random ACK packets can add a lot of conntrack entries):
https://2014.rmll.info/slides/356/day_1-1400-Jesper_Brouer-DDoS_protection_using_Netfilter_iptables.pdf

Currently we can't enable it because when we migrate VMs, the already opened connections can't re-add conntrack entries without a new SYN.

Also, is it fast with a lot of entries? (like 100000 entries, for example)

On Fri, 16 Oct 2020 at 15:24, Mira Limbeck wrote:
>
> Requires the pve-conntrack-tool. On migration the conntrack information
> from the source node is dumped and sent to the target node where it is
> then inserted.
> This helps with open connections during migration when the firewall is active.
>
> Signed-off-by: Mira Limbeck
> ---
>  PVE/QemuMigrate.pm | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/PVE/QemuMigrate.pm b/PVE/QemuMigrate.pm
> index 11fec4b..a4e24f7 100644
> --- a/PVE/QemuMigrate.pm
> +++ b/PVE/QemuMigrate.pm
> @@ -1065,6 +1065,9 @@ sub phase2 { > die "unable to parse migration status '$stat->{status}' - abo= rting\n"; > } > } > + > + $self->log('info', 'copy conntrack information'); > + PVE::Tools::run_command([['/usr/bin/pve-conntrack-tool', 'dump'], [@= {$self->{rem_ssh}}, '/usr/bin/pve-conntrack-tool', 'insert']]); > } > > sub phase2_cleanup { > -- > 2.20.1 > > > > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel >
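Review bot: the added `run_command` call at the end of `phase2` dumps the whole host conntrack table with no scoping argument (`pve-conntrack-tool dump` is given no VMID or address filter), so every entry on the source node, including connections belonging to other guests and to the host itself, gets inserted on the target; consider restricting the dump to the migrated VM's addresses, or documenting in the commit message that the full table is copied. Also, `PVE::Tools::run_command` dies on a non-zero exit status by default, and this runs after the status loop has already left the migration in a completed state, so a missing or failing `/usr/bin/pve-conntrack-tool` on either node would abort a migration whose memory transfer is already done; wrapping the call in `eval` and turning a failure into `$self->log('warn', ...)` would keep the conntrack copy best-effort, which matches the "helps with open connections" intent better than a hard failure.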
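The interaction Alexandre raises, modelled as an added example (this is not code from the patch, from Proxmox or from the kernel): a reduced conntrack table where a SYN opens an entry and a bare ACK opens one only when `nf_conntrack_tcp_loose` is on, behind a ruleset that accepts ESTABLISHED traffic and only SYN-carrying NEW traffic. With tcp_loose=1 an ACK flood grows the table one entry per packet; with tcp_loose=0 the flood creates nothing, but a connection established on the source node is dropped on the target after migration unless its entry is carried over, which is what the dump/insert step in the patch does. The `Packet`/`ConntrackTable` classes, the dump format (a plain list of entries) and the addresses (203.0.113.7, 10.0.0.5, 198.51.100.0/24) are constructed for the example; the real kernel TCP state machine and the pve-conntrack-tool wire format are not modelled.

```python
"""Toy model of nf_conntrack_tcp_loose around a live migration (added example,
not Proxmox or kernel code).  Only two conntrack behaviours are modelled:
a SYN creates an entry, and a stray ACK creates one only when tcp_loose is on."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

    def flow(self) -> Flow:
        return (self.src, self.sport, self.dst, self.dport)

    def reverse_flow(self) -> Flow:
        return (self.dst, self.dport, self.src, self.sport)


class ConntrackTable:
    """Conntrack table behind 'accept ESTABLISHED; accept NEW only with SYN'."""

    def __init__(self, tcp_loose: bool) -> None:
        self.tcp_loose = tcp_loose  # models net.netfilter.nf_conntrack_tcp_loose
        self.entries: Dict[Flow, str] = {}
        self.dropped = 0

    def _lookup(self, p: Packet) -> Optional[Flow]:
        # An entry matches packets in either direction of the flow.
        for k in (p.flow(), p.reverse_flow()):
            if k in self.entries:
                return k
        return None

    def filter(self, p: Packet) -> bool:
        """Return True if the packet passes the stateful firewall."""
        k = self._lookup(p)
        if k is not None:
            if p.ack:
                self.entries[k] = "ESTABLISHED"
            return True
        if p.syn and not p.ack:
            self.entries[p.flow()] = "SYN_SENT"  # legitimate NEW connection
            return True
        if p.ack and self.tcp_loose:
            # tcp_loose=1: conntrack picks up a mid-stream connection from a
            # bare ACK.  This is exactly what an ACK flood abuses.
            self.entries[p.flow()] = "ESTABLISHED"
            return True
        self.dropped += 1  # tcp_loose=0: mid-stream packet without entry
        return False

    def dump(self) -> List[Tuple[Flow, str]]:
        return list(self.entries.items())

    def insert(self, dumped: List[Tuple[Flow, str]]) -> int:
        added = 0
        for flow, state in dumped:
            if flow not in self.entries:
                self.entries[flow] = state
                added += 1
        return added


def ack_flood(table: ConntrackTable, n: int) -> int:
    """Send n spoofed bare ACKs (constructed sources in 198.51.100.0/24) at a
    guest and return how many conntrack entries they created."""
    before = len(table.entries)
    for i in range(n):
        table.filter(Packet(f"198.51.100.{i % 254 + 1}", 1024 + i, "10.0.0.5", 443, ack=True))
    return len(table.entries) - before


def migrated_connection_survives(tcp_loose: bool, copy_conntrack: bool) -> bool:
    """Establish a connection on the source node, migrate the guest, and report
    whether its next data segment passes the target node's firewall."""
    source, target = ConntrackTable(tcp_loose), ConntrackTable(tcp_loose)
    client, guest = ("203.0.113.7", 40000), ("10.0.0.5", 443)
    # Three-way handshake seen by the source node's firewall.
    source.filter(Packet(*client, *guest, syn=True))
    source.filter(Packet(*guest, *client, syn=True, ack=True))
    source.filter(Packet(*client, *guest, ack=True))
    if copy_conntrack:  # the dump/insert step the patch adds
        target.insert(source.dump())
    # First mid-stream segment (ACK, no SYN) arriving at the target node.
    return target.filter(Packet(*client, *guest, ack=True))


if __name__ == "__main__":
    for loose in (True, False):
        t = ConntrackTable(loose)
        print(f"tcp_loose={int(loose)}: 1000-packet ACK flood created {ack_flood(t, 1000)} entries")
        for copy in (False, True):
            ok = migrated_connection_survives(loose, copy)
            print(f"  migration with conntrack copy={copy}: connection survives={ok}")
```

Running the script shows the trade-off the thread is about: the flood is only harmless with tcp_loose=0, and tcp_loose=0 is only usable across migrations when the source table is transplanted, so the patch is what makes the hardened sysctl deployable.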