Patched from EPEL kernel-ml 4.13.4-1.el6.elrepo.x86_64 to 4.14.12-1.el6.elrepo.x86_64 and then these suddenly always return zero values:

# cat /proc/sys/net/netfilter/nf_conntrack_count
0
# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 0

This makes it hard to track usage :/
[quote] patched from EPEL kernel-ml [/quote]
I suspect that you are confused. The kernel-ml (& kernel-lt) package sets are from the ELRepo Project _not_ EPEL.
Ok right, my mistake, confusion between EPEL and ELRepo, sorry :)
Assumed it has nothing to do with KPTI; I have Debian boxes patched with a KPTI-enabled kernel which still report nf_conntrack fine (though it's a different kernel version):

# dmesg | grep -i isolation
[    0.000000] Kernel/User page tables isolation: enabled
# uname -r
4.4.98-3-pve
# cat /proc/sys/net/netfilter/nf_conntrack_count
19129
Same issue with kernel 4.14.13-1.el6.elrepo.x86_64...
Also the case with KPTI disabled in 4.14.13-1.
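The symptom in this thread is a sysctl counter that reads 0 while the conntrack table is clearly in use. A cross-check that does not trust the sysctl alone, written as an added example (not from any poster, the ELRepo project or the kernel), is to compare it with the number of entries listed in /proc/net/nf_conntrack; the script assumes that listing is present (nf_conntrack loaded with procfs support) and takes both paths as parameters so it can be exercised on constructed files.

```shell
#!/bin/sh
# Added example: cross-check net.netfilter.nf_conntrack_count against the
# number of flows listed in /proc/net/nf_conntrack (one entry per line).
# Assumption: the listing is available (CONFIG_NF_CONNTRACK_PROCFS).

# conntrack_check SYSCTL_FILE TABLE_FILE
# Prints "sysctl=<n> table=<m> <verdict>" and returns:
#   0  counts agree
#   1  sysctl reports 0 while the table holds entries (broken counter)
#   2  counts differ otherwise (small jitter is normal on a busy host)
conntrack_check() {
    sysctl_file=$1
    table_file=$2
    # Keep only digits so a trailing newline or stray whitespace is harmless.
    n=$(tr -dc '0-9' < "$sysctl_file")
    n=${n:-0}
    # grep -c exits 1 on an empty file but still prints 0; don't let that abort.
    m=$(grep -c . "$table_file" || true)
    if [ "$n" -eq 0 ] && [ "$m" -gt 0 ]; then
        echo "sysctl=$n table=$m counter-broken"
        return 1
    elif [ "$n" -ne "$m" ]; then
        echo "sysctl=$n table=$m mismatch"
        return 2
    fi
    echo "sysctl=$n table=$m ok"
    return 0
}

# When run on a live host, check the real kernel files if both exist.
if [ -r /proc/net/nf_conntrack ] && [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
    conntrack_check /proc/sys/net/netfilter/nf_conntrack_count /proc/net/nf_conntrack || :
fi
```

A "counter-broken" verdict on an otherwise healthy box is the signal that usage must be tracked from the table listing (or conntrack-tools) rather than the sysctl until the kernel is fixed.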