From: alexandre derumier
To: Proxmox VE development discussion
Date: Tue, 14 Sep 2021 02:27:33 +0200
Message-ID: <0ef5cbe7c222199e7032c28c50a37fe12b71154b.camel@odiso.com>
In-Reply-To: <641042205.2631725.1631443070304@localhost>
References: <7686571e-ebf0-8ad5-8bc3-af484fd2ac88@oderland.se> <641042205.2631725.1631443070304@localhost>
Subject: Re: [pve-devel] hetzner bug with pve-firewall

Hi,

I just sent another patch, without ebtables, but with disabling unicast_flood on the VM bridge ports. Maybe you can try it?

On Sunday, 12 September 2021 at 12:37 +0200, Josef Per Johansson wrote:
> Hi,
>
> Yeah sure! It seems a bit better than my hack!
>
> Yeah I meant the mac-address-table, my bad.
>
> Sent from Nine
> ________________________________
> From: alexandre derumier
> Sent: Friday, 10 September 2021 18:19
> To: Proxmox VE development discussion
> Subject: Re: [pve-devel] hetzner bug with pve-firewall
>
>
> Hi,
>
> On Friday, 10 September 2021 at 12:53 +0200, Josef Johansson wrote:
> >
> > I have a patch for the source code regarding only allowing the VM's
> > MAC in ebtables for incoming traffic also.
>
> I just sent a patch too for incoming traffic, maybe you could try it?
>
> > > Traffic is only broadcasted to MAC B if the ARP-table in the
> > > switch times out.
> > >
> > > Which makes this problem a hell to diagnose :-)
>
> To be exact, if the mac-address-table times out in the switch (a switch
> doesn't have ARP, unless it's a router).
> That's why in general, a switch needs to be configured with a
> mac-address-table aging-time (2h for example) longer than the ARP
> timeout on servers.
>
> Like this, if no traffic occurs on servers, and the ARP entry times out,
> the server sends a new ARP request, and the switch sees the ARP reply
> with the MAC address (and no expiration in the mac-address-table).
>
> Looking at the hetzner problem, the tcpdump sent by users shows really
> strange MAC address vendors (sounds like a forged flood).
> Anyway, they should fix this with static MACs in their switch, as they
> know the allowed MACs per server anyway.
> (Unless they have poor cheap switches without MAC filtering....)
> I wonder if they are not only filtering/detecting the wrong MAC on
> their gateway (as here, we send a TCP reset to an external IP, going
> through the gateway).
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
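The unicast_flood mitigation mentioned at the top of this message, as an added example that is not part of the thread and not the pve-firewall patch itself: a small POSIX shell script that reads `bridge -d link show`, lists the VM-side bridge ports that still have unicast flooding enabled, and emits the `bridge link set dev <port> flood off` commands to turn it off. It assumes Proxmox port naming (tap<VMID>i<N>, veth<CTID>i<N>, fwpr<VMID>p<N>/fwln<VMID>i<N>), a bridge called vmbr0 with uplink eno1, and the `bridge -d link show` sample it ships with is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the pve-devel thread or from pve-firewall.
# Audits which ports of a Linux bridge still have unicast flooding enabled
# and emits the `bridge link set dev <port> flood off` commands to turn it
# off on VM-side ports only, so unknown-unicast frames flooded in by the
# upstream switch are no longer forwarded into the guests.
#
# Assumptions (hypothetical, chosen for the example): Proxmox port naming
# (tap<VMID>i<N>, veth<CTID>i<N>, fwpr<VMID>p<N>/fwln<VMID>i<N>) and a
# bridge called vmbr0 whose uplink is eno1. The uplink deliberately keeps
# flooding: without it the bridge could not reach MACs it has not learned.
DEFAULT_PORT_RE='^(tap|veth|fwpr|fwln)'

# ports_with_flood_on [name-regex]
# Reads `bridge -d link show` output on stdin and prints one port name per
# line for every matching port whose detail line carries "flood on".
# Field-wise matching is used on purpose: "mcast_flood on" also contains
# the substring "flood on" but is a different knob.
ports_with_flood_on() {
    pat=${1:-$DEFAULT_PORT_RE}
    awk -v pat="$pat" '
        /^[0-9]+: / {                      # header line: "5: tap100i0: <...> master vmbr0 ..."
            name = $2
            sub(/:$/, "", name)            # drop trailing colon
            sub(/@.*/, "", name)           # veth pairs print as fwpr101p0@fwln101i0
            port = (name ~ pat) ? name : ""
            next
        }
        port != "" {                       # indented detail line of a selected port
            for (i = 1; i < NF; i++)
                if ($i == "flood" && $(i+1) == "on") { print port; break }
            port = ""
        }
    '
}

# flood_off_cmds [name-regex]
# Same input; prints the remediation commands instead of bare port names.
flood_off_cmds() {
    ports_with_flood_on "$@" | while IFS= read -r port; do
        printf 'bridge link set dev %s flood off\n' "$port"
    done
}

# audit_live [name-regex]
# Runs against the real bridge state. Pipe the output into `sh` as root to
# apply it. Tap devices are recreated when a guest restarts, so the setting
# has to be reapplied then (which is why the thread puts it in pve-firewall).
audit_live() {
    bridge -d link show | flood_off_cmds "$@"
}

# Constructed sample of `bridge -d link show`, not captured from a real host.
# eno1 is the uplink; tap102i0 already has flooding disabled.
sample_bridge_output() {
    cat <<'EOF'
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master vmbr0 state forwarding priority 32 cost 4
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off
5: tap100i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master vmbr0 state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off
6: fwpr101p0@fwln101i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master vmbr0 state forwarding priority 32 cost 2
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off
7: tap102i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master vmbr0 state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood off mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off
EOF
}
```

Offline, `sample_bridge_output | flood_off_cmds` yields the two commands for tap100i0 and fwpr101p0; on a host, `audit_live | sh` as root applies them. With flooding off, the bridge only delivers unicast to a port whose MAC it has learned, so a guest that has been silent longer than the bridge ageing time will not receive inbound unicast until it transmits again; `bridge fdb show br vmbr0` shows what the bridge currently knows.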