From: Josef Johansson <josef@oderland.se>
To: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] hetzner bug with pve-firewall
Date: Tue, 12 Oct 2021 14:41:21 +0200 [thread overview]
Message-ID: <787e1c04-fd74-e375-d6d6-728d397f5d7a@oderland.se> (raw)
In-Reply-To: <e3ea888d-0b1d-8916-a652-cce49c656cf7@oderland.se>
Hi,
I deployed on all interfaces, both fwnl and fwpr.
It seems to have solve a bunch of troubles on our side.
Med vänliga hälsningar
Josef Johansson
On 10/1/21 17:19, Josef Johansson wrote:
> Hi,
>
> Sorry for the late answer.
>
> It seems to do what it's intended to do.
>
> I ran `bridge link set dev fwpr<id>p0 flood off`
>
> If it works ok I will deploy it on more VMs.
>
> Med vänliga hälsningar
> Josef Johansson
>
> On 9/14/21 09:21, Josef Per Johansson wrote:
>> Hi,
>>
>> I can check it out for sure, not touching ebtables would be nice.
>>
>> Sent from Nine
>> ________________________________
>> From: alexandre derumier <aderumier@odiso.com>
>> Sent: Tuesday, 14 September 2021 02:28
>> To: Proxmox VE development discussion
>> Subject: Re: [pve-devel] hetzner bug with pve-firewall
>>
>>
>> Hi, I just send another patch,
>>
>> without ebtables, but with disabling unicast_flood on vm bridge ports.
>>
>> maybe can you try it ?
>>
>>
>> Le dimanche 12 septembre 2021 à 12:37 +0200, Josef Per Johansson a
>> écrit :
>>> Hi,
>>>
>>> Yeah sure! It seems a bit better than my hack!
>>>
>>> Yeah I meant the mac-address-table, my bad.
>>>
>>> Sent from Nine
>>> ________________________________
>>> From: alexandre derumier <aderumier@odiso.com>
>>> Sent: Friday, 10 September 2021 18:19
>>> To: Proxmox VE development discussion
>>> Subject: Re: [pve-devel] hetzner bug with pve-firewall
>>>
>>>
>>> Hi,
>>>
>>> Le vendredi 10 septembre 2021 à 12:53 +0200, Josef Johansson a
>>> écrit :
>>>> I have a patch for the source code regarding only allowing the VMs
>>>> MAC
>>>> in ebtables for incoming traffic also.
>>> I just send a patch too for incoming traffic, maybe could you try it
>>> ?
>>>
>>>
>>>
>>>>> Traffic is only broadcasted to MAC B if the ARP-table in the
>>>>> switch
>>>>> times out.
>>>>>
>>>>> Which makes this problem a hell to diagnose :-)
>>> to be exact, if the mac-address-table timeout in the switch. (switch
>>> don't have arp, until it's a router)
>>> That's why in general, switch need to be configured with mac-address-
>>> table aging-time (2h for exemple) > than arp timeout on servers.
>>>
>>> Like this, if no traffic occur on servers, and arp is timeout out,
>>> server is sending a new arp request, and the switch see the arp reply
>>> with the mac address,
>>> (and no expiration in mac-address-table).
>>>
>>> Looking at hetzner problem, the tcpdump send by users show really
>>> stranges mac address vendor. (sound like forged flood).
>>> Anyway, they should fix this, with static mac in their switch, as
>>> they
>>> known allowed mac by server anyway.
>>> (Until they have poor cheap switch without mac filtering ....)
>>> I wonder if they are not only filtering/detecting the wrong mac on
>>> their gateway. (as here, we send tcp reset to an external ip, going
>>> through the gateway)
>>>
>>>
>>>
>>> _______________________________________________
>>> pve-devel mailing list
>>> pve-devel@lists.proxmox.com
>>> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>>> _______________________________________________
>>> pve-devel mailing list
>>> pve-devel@lists.proxmox.com
>>> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>> _______________________________________________
>> pve-devel mailing list
>> pve-devel@lists.proxmox.com
>> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>>
>> _______________________________________________
>> pve-devel mailing list
>> pve-devel@lists.proxmox.com
>> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
prev parent reply other threads:[~2021-10-12 12:41 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-10 10:31 alexandre derumier
2021-09-10 10:43 ` Fabian Grünbichler
2021-09-13 17:43 ` alexandre derumier
2021-09-10 10:53 ` Josef Johansson
2021-09-10 12:34 ` Josef Johansson
2021-09-10 16:18 ` alexandre derumier
2021-09-12 10:37 ` Josef Per Johansson
2021-09-14 0:27 ` alexandre derumier
2021-09-14 7:21 ` Josef Per Johansson
2021-10-01 15:19 ` Josef Johansson
2021-10-12 12:41 ` Josef Johansson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=787e1c04-fd74-e375-d6d6-728d397f5d7a@oderland.se \
--to=josef@oderland.se \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.