Bug 198479 - net.netfilter.nf_conntrack_count always = 0
Summary: net.netfilter.nf_conntrack_count always = 0
Status: NEW
Alias: None
Product: Networking
Classification: Unclassified
Component: Netfilter/Iptables
Hardware: x86-64 Linux
Importance: P1 normal
Assignee: networking_netfilter-iptables@kernel-bugs.osdl.org
Depends on:
Reported: 2018-01-15 08:14 UTC by Steffen Winther Sørensen
Modified: 2018-01-16 09:19 UTC

See Also:
Kernel Version: 4.14.12-1
Tree: Mainline
Regression: No


Description Steffen Winther Sørensen 2018-01-15 08:14:11 UTC
Patched from EPEL kernel-ml 4.13.4-1.el6.elrepo.x86_64 to 4.14.12-1.el6.elrepo.x86_64, and then these suddenly always return zero values:

# cat /proc/sys/net/netfilter/nf_conntrack_count 
# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 0

this makes it hard to track usage :/
Comment 1 Alan Bartlett 2018-01-15 15:52:47 UTC
> patched from EPEL kernel-ml

I suspect that you are confused. The kernel-ml (& kernel-lt) package sets are from the ELRepo Project _not_ EPEL.
Comment 2 Steffen Winther Sørensen 2018-01-16 08:44:14 UTC
Ok right, my mistake/confusion between EPEL and ELrepo sorry :)
Comment 3 Steffen Winther Sørensen 2018-01-16 08:51:23 UTC
Assumed it has nothing to do with KPTI; got Debian boxes patched with a KPTI-enabled kernel which still report nf_conntrack fine (though it's a different kernel version):

# dmesg | grep -i isolation
[    0.000000] Kernel/User page tables isolation: enabled
# uname -r
# cat /proc/sys/net/netfilter/nf_conntrack_count
Comment 4 Steffen Winther Sørensen 2018-01-16 09:10:18 UTC
same issue with kernel 4.14.13-1.el6.elrepo.x86_64...
Comment 5 Steffen Winther Sørensen 2018-01-16 09:19:32 UTC
also the case with KPTI disabled in 4.14.13-1
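A monitoring check for the symptom reported in this bug, added here as an example and not taken from the bug report or the kernel: it reads the conntrack counter and limit, independently counts the entries listed in /proc/net/nf_conntrack, and flags a counter that reports 0 while the table is non-empty. The file paths are parameters (defaulting to the real ones) so the function can be exercised on constructed files, and the status names are this example's own.

```shell
#!/bin/sh
# conntrack_usage [COUNT_FILE] [MAX_FILE] [TABLE_FILE]
# Prints "<count> <max> <table_entries> <status>".
# Returns 0 when the counter is plausible, 1 when it reads 0 although the
# table has entries (the behaviour described in this bug), 2 on read error.
conntrack_usage() {
    count_file=${1:-/proc/sys/net/netfilter/nf_conntrack_count}
    max_file=${2:-/proc/sys/net/netfilter/nf_conntrack_max}
    table_file=${3:-/proc/net/nf_conntrack}

    [ -r "$count_file" ] && [ -r "$max_file" ] || return 2
    count=$(cat "$count_file")
    max=$(cat "$max_file")
    # An empty read (as in the cat output above) is treated as 0.
    count=${count:-0}

    # Independent estimate: every line of /proc/net/nf_conntrack is one entry.
    if [ -r "$table_file" ]; then
        entries=$(wc -l < "$table_file" | tr -d ' ')
    else
        entries=-1   # table not readable here; no cross-check possible
    fi

    status=ok
    if [ "$entries" -gt 0 ] && [ "$count" -eq 0 ]; then
        status=counter-stuck
    elif [ "$max" -gt 0 ] && [ $((count * 100 / max)) -ge 90 ]; then
        status=near-full
    fi
    printf '%s %s %s %s\n' "$count" "$max" "$entries" "$status"
    [ "$status" != counter-stuck ]
}

# Run against the live kernel when executed directly; arguments override paths.
conntrack_usage "$@" || :
```

A non-zero exit from `counter-stuck` is the signal that table usage must be read from /proc/net/nf_conntrack (or the conntrack tool) rather than from the sysctl until the counter is trusted again.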
