public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Josef Per Johansson <josef@oderland.se>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] hetzner bug with pve-firewall
Date: Sun, 12 Sep 2021 12:37:50 +0200	[thread overview]
Message-ID: <641042205.2631725.1631443070304@localhost> (raw)
In-Reply-To: <fc49386a3951d142dc137e7b926625c9656b8b03.camel@odiso.com>

Hi,

Yeah sure! It seems a bit better than my hack!

Yeah I meant the mac-address-table, my bad.

Sent from Nine
________________________________
From: alexandre derumier <aderumier@odiso.com>
Sent: Friday, 10 September 2021 18:19
To: Proxmox VE development discussion
Subject: Re: [pve-devel] hetzner bug with pve-firewall


Hi,

Le vendredi 10 septembre 2021 à 12:53 +0200, Josef Johansson a écrit :
> 
> 
> I have a patch for the source code regarding only allowing the VMs
> MAC
> in ebtables for incoming traffic also.

I just send a patch too for incoming traffic, maybe could you try it ?



>>Traffic is only broadcasted to MAC B if the ARP-table in the switch
>>times out.
>>
>>Which makes this problem a hell to diagnose :-)

to be exact, if the mac-address-table timeout in the switch. (switch
don't have arp, until it's a router)
That's why in general, switch need to be configured with mac-address-
table aging-time (2h for exemple)  > than arp timeout on servers.

Like this, if no traffic occur on servers, and arp is timeout out,
server is sending a new arp request, and the switch see the arp reply
with the mac address,
(and no expiration in mac-address-table).

Looking at hetzner problem, the tcpdump send by users show really
stranges mac address vendor. (sound like forged flood).
Anyway, they should fix this, with static mac in their switch, as they
known allowed mac by server anyway.
(Until they have poor cheap switch without mac filtering ....)
I wonder if they are not only filtering/detecting the wrong mac on
their gateway. (as here, we send tcp reset to an external ip, going
through the gateway)



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

  reply	other threads:[~2021-09-12 10:38 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-10 10:31 alexandre derumier
2021-09-10 10:43 ` Fabian Grünbichler
2021-09-13 17:43   ` alexandre derumier
2021-09-10 10:53 ` Josef Johansson
2021-09-10 12:34   ` Josef Johansson
2021-09-10 16:18   ` alexandre derumier
2021-09-12 10:37     ` Josef Per Johansson [this message]
2021-09-14  0:27       ` alexandre derumier
2021-09-14  7:21         ` Josef Per Johansson
2021-10-01 15:19           ` Josef Johansson
2021-10-12 12:41             ` Josef Johansson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=641042205.2631725.1631443070304@localhost \
    --to=josef@oderland.se \
    --cc=pve-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal