Message-ID: <790dd453ab8b0fab53942c7dd4b536d5285a3c00.camel@odiso.com>
From: alexandre derumier
To: pve-devel@lists.proxmox.com
Date: Wed, 15 Sep 2021 17:33:35 +0200
In-Reply-To: <4a34d44143f1c32f38988c478698c094badbc740.camel@odiso.com>
References: <20210914002606.1608165-1-aderumier@odiso.com> <4a34d44143f1c32f38988c478698c094badbc740.camel@odiso.com>
Subject: Re: [pve-devel] [PATCH pve-common] network: disable unicast flooding on tap|veth|fwln ports
List-Id: Proxmox VE development discussion

I have looked at other hypervisors' implementations (as they don't seem to have the problem with Hetzner):

https://listman.redhat.com/archives/libvir-list/2014-December/msg00173.html
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-C5752084-A582-4AEA-BD5D-03FE5DBC746E.html

Both VMware and libvirt have a mode to manually manage fdb entries in the bridge MAC table.
This will only work if 1 MAC is behind 1 NIC, so it should be an option (nested hypervisors, for example).

But for classic VMs, it could allow disabling unicast_flood and learning for the tap interface, and also promisc mode on the tap interface!

I was thinking about adding an option on vmbrX or vnetX directly to enable/disable it.

I'm going to do tests, testing VLAN-aware and live migration too.

On Tuesday 14 September 2021 at 08:32 +0200, alexandre derumier wrote:
> Thinking a little bit more about this,
> I think we should add an option in vm/ct nic options, to enable it.
>
> It could break some networks where the ARP timeout is bigger than the default
> bridge ageing time (5 min by default), or with special asymmetric
> networks.
>
>
> On Tuesday 14 September 2021 at 02:26 +0200, Alexandre Derumier wrote:
> > Currently, if the bridge receives an unknown dest MAC (network
> > bug/attack/..),
> > we flood packets to all bridge ports.
> >
> > This can waste CPU time, even more with the firewall enabled.
> > Also, if the firewall is used with a reject action, the src MAC of the RST
> > packet is the original unknown dest MAC.
> > (This can block the server at Hetzner, for example.)
> >
> > So, we can disable unicast_flood on tap|veth|fwln port interfaces.
> > The bridge will learn the MAC address of the VM|CT when it sends traffic
> > or when it replies to ARP requests coming from outside.
> >
> > Signed-off-by: Alexandre Derumier
> > ---
> >  src/PVE/Network.pm | 9 +++++++++
> >  1 file changed, 9 insertions(+)
> >
> > diff --git a/src/PVE/Network.pm b/src/PVE/Network.pm > > index 15838a0..119340f 100644 > > --- a/src/PVE/Network.pm > > +++ b/src/PVE/Network.pm > > @@ -207,6 +207,12 @@ sub disable_ipv6 { > >      close($fh); > >  } > >   > > +my $bridge_disable_interface_flooding = sub { > > +    my ($iface) = @_; > > + > > +    > > PVE::ProcFSTools::write_proc_entry("/sys/class/net/$iface/brport/unic > > ast_flood", "0"); > > +}; > > + > >  my $bridge_add_interface = sub { > >      my ($bridge, $iface, $tag, $trunks) = @_; > >   > > @@ -334,6 +340,7 @@ my $create_firewall_bridge_linux = sub { > >      veth_create($vethfw, $vethfwpeer, $bridge); > >   > >      &$bridge_add_interface($fwbr, $vethfw); > > +    &$bridge_disable_interface_flooding($vethfw); > >      &$bridge_add_interface($bridge, $vethfwpeer, $tag, $trunks); > >   > >      &$bridge_add_interface($fwbr, $iface); 
> > @@ -359,6 +366,7 @@ my $create_firewall_bridge_ovs = sub { > >      PVE::Tools::run_command(['/sbin/ip', 'link', 'set', $ovsintport, > > 'mtu', $bridgemtu]); > >   > >      &$bridge_add_interface($fwbr, $ovsintport); > > +    &$bridge_disable_interface_flooding($ovsintport); > >  }; > >   > >  my $cleanup_firewall_bridge = sub { > > @@ -406,6 +414,7 @@ sub tap_plug { > >         } else { > >             &$bridge_add_interface($bridge, $iface, $tag, $trunks); > >         } > > +       &$bridge_disable_interface_flooding($iface); > >   > >      } else { > >         &$cleanup_firewall_bridge($iface); # remove stale devices >
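Review bot: in the `@@ -207,6 +207,12 @@` hunk, the new `$bridge_disable_interface_flooding` writes to `/sys/class/net/$iface/brport/unicast_flood`, and that `brport` directory only exists while `$iface` is enslaved to a Linux bridge, so the helper is only safe after the matching `$bridge_add_interface` call and the write fails for a port that is not (or no longer) on a bridge; either guard it with `return if !-d "/sys/class/net/$iface/brport";` or document the ordering requirement in a comment above the sub. The value is also hard-coded to `"0"`; since the thread already says this should become switchable per NIC or per bridge, take the value as an argument (`my ($iface, $enable) = @_;`) so the same helper can write `"1"` when flooding is turned back on for a reconfigured NIC.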
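Review bot: in the `@@ -334,6 +340,7 @@` hunk, disabling unicast flooding on `$vethfw` changes the outbound direction too, which the commit message does not describe: `$fwbr` has only `$vethfw` and `$iface` as ports (both `$bridge_add_interface($fwbr, ...)` calls are visible in this hunk), so once `$vethfw` stops flooding, a unicast frame from the guest to a MAC that `$fwbr` has not yet learned on `$vethfw` (a gateway whose fdb entry aged out while the guest still has it in its ARP cache, or a peer reached through a static ARP entry) is dropped instead of being passed up to `$bridge`. If the goal is only to keep unknown unicast from the outside off the tap, leave `$vethfw` flooding as it was and rely on the `unicast_flood=0` that `tap_plug` sets on `$iface`; otherwise spell out the outbound drop in the commit message.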
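Review bot: in the `@@ -359,6 +366,7 @@` hunk, `$ovsintport` is the `$fwbr`-side port of the OVS variant, so the same outbound consequence applies as for `$vethfw` in the Linux variant: guest unicast to a MAC not yet learned on `$ovsintport` is dropped on its way out of `$fwbr`. Also check that the tap itself gets the same setting on the OVS path: nothing in this hunk applies the helper to `$iface`, and the `tap_plug` hunk adds its call in the branch that ends with the Linux `$bridge_add_interface`, so if the OVS firewall setup plugs `$iface` into `$fwbr` elsewhere, the two firewall variants may end up with different flooding behaviour on the tap port.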
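Review bot: in the `@@ -406,6 +414,7 @@` hunk, the added call sits after the `if ($firewall) ... else ...` block, so it applies unconditionally to every NIC plugged through this branch, with no way to keep the current flooding behaviour for a guest that needs it (the 08:32 reply itself says it should be opt-in per vm/ct NIC); thread a flag through `tap_plug`'s argument list instead of hard-wiring it. Note also that in the firewall case `$iface` is at that point a port of `$fwbr`, not of `$bridge` (see `&$bridge_add_interface($fwbr, $iface);` in the earlier hunk), which is fine for the sysfs path but means both ports of `$fwbr` end up with `unicast_flood=0`.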
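To make the trade-offs discussed in this thread concrete (flooding off on a tap port, the ARP-timeout versus bridge-ageing caveat, and the libvirt/NSX style "managed fdb" mode with learning off and a static entry), here is a small model of the Linux bridge forwarding decision. It is an added example and not PVE or kernel code; port names (eth0, tap100i0, fwln100i0, fwbr100i0) and MAC addresses are illustrative, the default ageing time of 300 s is the bridge default, and the model deliberately ignores VLANs, bcast_flood, STP and the firewall.

```python
"""Toy model of the Linux bridge forwarding decision for the knobs in this
thread: per-port unicast_flood and learning flags, dynamic fdb entries that
age out, and operator-installed static fdb entries.  Illustrative only."""
from dataclasses import dataclass

BCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    name: str
    unicast_flood: bool = True   # /sys/class/net/<port>/brport/unicast_flood
    learning: bool = True        # /sys/class/net/<port>/brport/learning


@dataclass
class FdbEntry:
    port: str
    updated: float               # last time a frame from this MAC was seen
    static: bool = False         # static entries never age out


class Bridge:
    def __init__(self, name, ageing_time=300.0):
        self.name = name
        self.ageing_time = ageing_time   # bridge default: 300 s
        self.ports = {}
        self.fdb = {}
        self.now = 0.0

    def add_port(self, port):
        self.ports[port.name] = port

    def fdb_add_static(self, mac, port):
        """Model of 'bridge fdb add <mac> dev <port> master static'."""
        self.fdb[mac] = FdbEntry(port, self.now, static=True)

    def tick(self, seconds):
        """Advance the clock and expire dynamic entries older than ageing_time."""
        self.now += seconds
        for mac in [m for m, e in self.fdb.items()
                    if not e.static and self.now - e.updated > self.ageing_time]:
            del self.fdb[mac]

    def forward(self, ingress, src, dst):
        """Return the egress ports for one frame; an empty list means dropped."""
        port = self.ports[ingress]
        # Learning refreshes/moves the source MAC unless the port has learning
        # off or a static entry already pins that MAC to a port.
        if port.learning and not (src in self.fdb and self.fdb[src].static):
            self.fdb[src] = FdbEntry(ingress, self.now)
        others = [n for n in self.ports if n != ingress]
        if dst == BCAST:
            return others             # broadcast is not subject to unicast_flood
        entry = self.fdb.get(dst)
        if entry is not None:         # known unicast: exactly one egress port
            return [entry.port] if entry.port != ingress else []
        # Unknown unicast: flood only to the ports that still allow it.
        return [n for n in others if self.ports[n].unicast_flood]


GW, VM, NESTED = "00:00:5e:00:53:01", "bc:24:11:00:00:01", "bc:24:11:00:00:02"


def scenario_vmbr_inbound_unknown():
    """Patch behaviour on vmbr0: uplink floods, tap has unicast_flood=0."""
    br = Bridge("vmbr0")
    br.add_port(Port("eth0"))
    br.add_port(Port("tap100i0", unicast_flood=False))
    first = br.forward("eth0", GW, VM)      # VM MAC unknown: dropped, not flooded
    br.forward("tap100i0", VM, GW)          # guest sends once, bridge learns it
    second = br.forward("eth0", GW, VM)     # now delivered on the tap
    return first, second


def scenario_fwbr_outbound(gateway_silence):
    """Two-port firewall bridge with flooding off on both ports (as the patch does)."""
    br = Bridge("fwbr100i0")
    br.add_port(Port("fwln100i0", unicast_flood=False))
    br.add_port(Port("tap100i0", unicast_flood=False))
    before = br.forward("tap100i0", VM, GW)  # gateway MAC not learned yet: dropped
    br.forward("fwln100i0", GW, VM)          # e.g. ARP reply arrives, gateway learned
    after = br.forward("tap100i0", VM, GW)   # delivered towards fwln
    br.tick(gateway_silence)                 # guest keeps its ARP entry, gateway is quiet
    later = br.forward("tap100i0", VM, GW)   # dropped again once the fdb entry aged out
    return before, after, later


def scenario_managed_fdb():
    """libvirt/NSX-style mode: learning and flooding off, one static fdb entry."""
    br = Bridge("vmbr0")
    br.add_port(Port("eth0"))
    br.add_port(Port("tap100i0", unicast_flood=False, learning=False))
    br.fdb_add_static(VM, "tap100i0")
    to_vm = br.forward("eth0", GW, VM)          # static entry: delivered immediately
    br.forward("tap100i0", NESTED, GW)          # second MAC behind the tap is never learned
    to_nested = br.forward("eth0", GW, NESTED)  # so inbound to it is dropped
    return to_vm, to_nested, sorted(br.fdb)


if __name__ == "__main__":
    print(scenario_vmbr_inbound_unknown())
    print(scenario_fwbr_outbound(60), scenario_fwbr_outbound(301))
    print(scenario_managed_fdb())
```

The real knobs the model stands in for are the per-port sysfs files named in the Port class and, in iproute2 terms, `bridge link set dev tap100i0 flood off learning off` plus `bridge fdb add bc:24:11:00:00:01 dev tap100i0 master static`; `bridge -d link show dev tap100i0` shows the resulting `flood off` / `learning off` state, and `bridge fdb show br vmbr0` the static entry. The second scenario is the case the 08:32 reply warns about: with a guest ARP timeout longer than the 300 s bridge ageing time, the guest keeps sending to a MAC the bridge has forgotten, and with flooding off on the only other port those frames are silently dropped.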