/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
and
/proc/sys/net/nf_conntrack_max

are empty by default, because the conntrack module is not loaded until the
iptables rules have been applied.

So we just need to update them after the iptables commit (which loads the
conntrack modules).

Signed-off-by: Alexandre Derumier <[email protected]>
---
 src/PVE/Firewall.pm |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 24bb524..23e34cb 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2857,10 +2857,6 @@ sub apply_ruleset {
 
     enable_bridge_firewall();
 
-    update_nf_conntrack_max($hostfw_conf);
-
-    update_nf_conntrack_tcp_timeout_established($hostfw_conf);
-
     my ($ipset_create_cmdlist, $ipset_delete_cmdlist, $ipset_changes) =
        get_ipset_cmdlist($ipset_ruleset, undef, $verbose);
 
@@ -2899,6 +2895,11 @@ sub apply_ruleset {
     }
 
     die "unable to apply firewall changes\n" if $errors;
+
+    update_nf_conntrack_max($hostfw_conf);
+
+    update_nf_conntrack_tcp_timeout_established($hostfw_conf);
+
 }
 
 sub update_nf_conntrack_max {
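Review bot: The two update_nf_conntrack_* calls now run only after `die "unable to apply firewall changes\n" if $errors;`, so on a partial failure the conntrack module may already have been loaded by the rules that did apply while nf_conntrack_max and the TCP established timeout keep their kernel defaults; if that is acceptable, the ordering dependency should at least be stated, e.g. `# the conntrack sysctls only exist once the rules above have loaded the module, so apply them last`. The extra blank line before the closing `}` looks unintended and can be dropped. It is also worth confirming that both helpers tolerate a still-absent /proc entry when the ruleset applied references no conntrack state, since the module would then not be loaded even at this point. apply_ruleset begins outside this hunk.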
-- 
1.7.10.4

