Message-ID: <4a34d44143f1c32f38988c478698c094badbc740.camel@odiso.com>
From: alexandre derumier
To: pve-devel@lists.proxmox.com
Date: Tue, 14 Sep 2021 08:32:39 +0200
In-Reply-To: <20210914002606.1608165-1-aderumier@odiso.com>
References: <20210914002606.1608165-1-aderumier@odiso.com>
Subject: Re: [pve-devel] [PATCH pve-common] network: disable unicast flooding on tap|veth|fwln ports
List-Id: Proxmox VE development discussion

Thinking a little bit more about this, I think we should add an option in vm/ct nic options, to enable it.
It could break some networks where the arp timeout is bigger than the default bridge ageing-time (5min by default), or with special asymmetric networks.

On Tuesday 14 September 2021 at 02:26 +0200, Alexandre Derumier wrote:
> Currently, if the bridge receives an unknown dest mac (network bug/attack/..),
> we are flooding packets to all bridge ports.
>
> This can waste cpu time, even more with firewall enabled.
> Also, if firewall is used with reject action, the src mac of the RST packet is the original unknown dest mac.
> (This can block the server at Hetzner for example)
>
> So, we can disable unicast_flood on tap|veth|fwln port interfaces.
> The bridge will learn the mac address of the vm|ct when it sends traffic
> or when it'll reply to arp requests coming from outside.
>
> Signed-off-by: Alexandre Derumier
> ---
>  src/PVE/Network.pm | 9 +++++++++
>  1 file changed, 9 insertions(+)
>
> diff --git a/src/PVE/Network.pm b/src/PVE/Network.pm
> index 15838a0..119340f 100644
> --- a/src/PVE/Network.pm > +++ b/src/PVE/Network.pm > @@ -207,6 +207,12 @@ sub disable_ipv6 { >      close($fh); >  } >   > +my $bridge_disable_interface_flooding = sub { > +    my ($iface) = @_; > + > +    > PVE::ProcFSTools::write_proc_entry("/sys/class/net/$iface/brport/unic > ast_flood", "0"); > +}; > + >  my $bridge_add_interface = sub { >      my ($bridge, $iface, $tag, $trunks) = @_; >   > @@ -334,6 +340,7 @@ my $create_firewall_bridge_linux = sub { >      veth_create($vethfw, $vethfwpeer, $bridge); >   >      &$bridge_add_interface($fwbr, $vethfw); > +    &$bridge_disable_interface_flooding($vethfw); >      &$bridge_add_interface($bridge, $vethfwpeer, $tag, $trunks); >   >      &$bridge_add_interface($fwbr, $iface); > @@ -359,6 +366,7 @@ my $create_firewall_bridge_ovs = sub { >      PVE::Tools::run_command(['/sbin/ip', 'link', 'set', $ovsintport, > 'mtu', $bridgemtu]); >   >      &$bridge_add_interface($fwbr, $ovsintport); > +    &$bridge_disable_interface_flooding($ovsintport); >  }; >   >  my $cleanup_firewall_bridge = sub { > @@ -406,6 +414,7 @@ sub tap_plug { >         } else { >             &$bridge_add_interface($bridge, $iface, $tag, $trunks); >         } > +       &$bridge_disable_interface_flooding($iface); >   >      } else { >         &$cleanup_firewall_bridge($iface); # remove stale devices
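Review bot: in the first hunk (@@ -207, the new $bridge_disable_interface_flooding helper) the sysfs write to /sys/class/net/$iface/brport/unicast_flood is unguarded, so if the brport attribute is absent or not writable on a given kernel or port the error propagates out of tap_plug and the whole port setup fails instead of falling back to the previous flooding behaviour; consider checking for the attribute first, or wrapping the call, e.g. `eval { PVE::ProcFSTools::write_proc_entry(...) }; warn $@ if $@;`. The helper also has no counterpart that writes "1" back, which becomes necessary once this turns into the per-NIC option proposed in the reply and can be switched off again on a running guest.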
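Review bot: in the create_firewall_bridge_linux hunk (@@ -334) flooding is disabled on $vethfw, the end of the veth pair sitting in $fwbr, but not on $vethfwpeer, the end that is plugged into $bridge on the very next line, so the outer bridge still floods unknown unicast towards every firewall bridge and only fwbr then stops it. The subject reads "tap|veth|fwln ports", which a reader may take to mean both veth ends; say in the commit message that only the fwbr-side end is intended, or apply the helper to $vethfwpeer as well.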
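Review bot: in the create_firewall_bridge_ovs hunk (@@ -359) the helper runs on $ovsintport right after &$bridge_add_interface($fwbr, $ovsintport), which is the right place since unicast_flood is a Linux-bridge brport attribute and $fwbr is the Linux firewall bridge; a one-line comment at the call site saying exactly that would save the next reader from looking for an ovs-vsctl equivalent for the OVS bridge side.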
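Review bot: in the tap_plug hunk (@@ -406) the new call is placed after the if/else, so it covers both the firewall and the plain Linux-bridge case, but the `} else {` branch that follows (the OVS path) receives nothing, so a guest on an OVS bridge without the firewall keeps the old flooding behaviour; document that gap in the commit message. Since the call is unconditional, every existing guest changes behaviour the next time tap_plug runs: inbound unknown unicast is dropped once the FDB entry ages out until the guest transmits again, which is exactly the ageing-time versus ARP-timeout concern raised in the reply; gating it behind the proposed per-NIC option, defaulting to the current behaviour, would make the upgrade safe.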
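To see what this change does on a running host, here is an added audit script (not code from the patch or from PVE::Network) that lists, for one Linux bridge, which ports have unicast_flood set to 0 and the ageing time after which an idle guest's inbound unknown unicast would be dropped; the sysfs root is a parameter, and the bridge and port names in the sample tree are constructed.

```shell
#!/bin/sh
# Added example, not code from the patch or from PVE::Network. Audits the ports
# of one Linux bridge: which ports have brport/unicast_flood set to 0 and how
# that interacts with the bridge ageing time. A port with flooding disabled
# receives unknown unicast only while the bridge holds a learned FDB entry for
# the guest; once that entry ages out, inbound frames are dropped until the
# guest transmits again. The sysfs root is a parameter so the check can run
# against the constructed tree built below (on a host, pass /sys/class/net).

# Print one line per port: <bridge> <port> <unicast_flood> <ageing_seconds> <verdict>
audit_bridge_flooding() {
    bridge=$1
    root=${2:-/sys/class/net}
    ageing_cs=$(cat "$root/$bridge/bridge/ageing_time") || return 1
    ageing_s=$((ageing_cs / 100))   # sysfs reports ageing_time in centiseconds
    for portdir in "$root/$bridge/brif"/*; do
        [ -e "$portdir" ] || continue
        port=${portdir##*/}
        flood=$(cat "$root/$port/brport/unicast_flood") || flood='?'
        if [ "$flood" = 0 ]; then
            verdict="no-flood: unknown unicast dropped once idle > ${ageing_s}s"
        else
            verdict="flood: unknown unicast still flooded to this port"
        fi
        printf '%s %s %s %s %s\n' "$bridge" "$port" "$flood" "$ageing_s" "$verdict"
    done
}

# Number of ports on the bridge with unicast flooding disabled.
count_no_flood_ports() {
    audit_bridge_flooding "$1" "$2" | awk '$3 == "0" { n++ } END { print n + 0 }'
}

# Constructed sysfs layout (sample data, not captured from a host): one firewall
# bridge with its tap port flood-disabled and the veth end left at the default.
build_sample_tree() {
    mkdir -p "$1/fwbr100i0/bridge" "$1/fwbr100i0/brif/tap100i0" \
             "$1/fwbr100i0/brif/fwln100i0" "$1/tap100i0/brport" "$1/fwln100i0/brport"
    echo 30000 > "$1/fwbr100i0/bridge/ageing_time"   # kernel default, 300 s
    echo 0 > "$1/tap100i0/brport/unicast_flood"
    echo 1 > "$1/fwln100i0/brport/unicast_flood"
}

sample_root=$(mktemp -d)
build_sample_tree "$sample_root"
audit_bridge_flooding fwbr100i0 "$sample_root"
rm -rf "$sample_root"
```

On a real host run `audit_bridge_flooding fwbr100i0` (or any vmbr) with the default sysfs root to compare the ageing time against the ARP timeout of the attached network.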