From: alexandre derumier
To: Proxmox VE development discussion
Date: Fri, 10 Sep 2021 18:18:59 +0200
In-Reply-To: <7686571e-ebf0-8ad5-8bc3-af484fd2ac88@oderland.se>
References: <7686571e-ebf0-8ad5-8bc3-af484fd2ac88@oderland.se>
Subject: Re: [pve-devel] hetzner bug with pve-firewall
Hi,

On Friday, 10 September 2021 at 12:53 +0200, Josef Johansson wrote:

> I have a patch for the source code regarding only allowing the VMs
> MAC in ebtables for incoming traffic also.

I just sent a patch too for incoming traffic, maybe could you try it?

>> Traffic is only broadcasted to MAC B if the ARP-table in the switch
>> times out.
>>
>> Which makes this problem a hell to diagnose :-)

To be exact, if the mac-address-table in the switch times out. (A switch doesn't have ARP, unless it's a router.)

That's why, in general, a switch needs to be configured with a mac-address-table aging-time (2h for example) greater than the ARP timeout on the servers. Like this, if no traffic occurs on the servers and ARP times out, the server sends a new ARP request, and the switch sees the ARP reply with the MAC address (and no expiration in the mac-address-table).

Looking at the Hetzner problem, the tcpdump sent by users shows really strange MAC address vendors. (Sounds like a forged flood.)

Anyway, they should fix this with static MACs in their switch, as they know the allowed MACs per server anyway. (Unless they have poor cheap switches without MAC filtering....)

I wonder if they are not only filtering/detecting the wrong MAC on their gateway. (As here, we send a TCP reset to an external IP, going through the gateway.)
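The thread above discusses pinning a VM's tap interface to its single MAC with ebtables in both directions: outgoing (source MAC must be the VM's) and, with the patches being exchanged, incoming (unicast frames flooded by a switch whose mac-address-table entry expired must not be delivered to a VM that is not their destination). The script below is an added example written for this page; it is not pve-firewall's code and not either of the patches mentioned. It only prints plain ebtables commands for review. The interface name `tap100i0`, the MAC `52:54:00:12:34:56` and the chain name `vm-macfilter` are constructed sample values.

```shell
#!/bin/sh
# Added example, not pve-firewall's code nor the patch under discussion.
# Emits ebtables rules that pin one VM tap interface to its single allowed
# MAC in both directions: a frame with a foreign source MAC cannot leave the
# VM, and a unicast frame addressed to another MAC is not delivered into it.
# Interface name, MAC and the chain name "vm-macfilter" are assumptions.

# is_mac ADDR: succeed if ADDR looks like a colon-separated 48-bit MAC.
is_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# mac_pin_rules IFACE MAC [CHAIN]: print the ebtables commands (does not
# apply them). Pipe the output into sh as root on the hypervisor to apply.
# Refuses to emit anything for a malformed MAC so a typo cannot silently
# produce rules that drop all of the VM's traffic.
mac_pin_rules() {
    iface=$1
    mac=$2
    chain=${3:-vm-macfilter}
    is_mac "$mac" || { echo "mac_pin_rules: invalid MAC '$mac'" >&2; return 1; }
    cat <<EOF
# (re)create the per-VM chain and hook it from the bridge FORWARD chain
ebtables -t filter -N $chain 2>/dev/null || ebtables -t filter -F $chain
ebtables -t filter -D FORWARD -i $iface -j $chain 2>/dev/null || true
ebtables -t filter -D FORWARD -o $iface -j $chain 2>/dev/null || true
ebtables -t filter -A FORWARD -i $iface -j $chain
ebtables -t filter -A FORWARD -o $iface -j $chain
# outgoing from the VM: the Ethernet source and, for ARP, the sender
# hardware address must both be the VM's MAC (blocks MAC spoofing and
# ARP poisoning from inside the guest)
ebtables -t filter -A $chain -i $iface -s ! $mac -j DROP
ebtables -t filter -A $chain -i $iface -p ARP --arp-mac-src ! $mac -j DROP
# incoming to the VM: let broadcast/multicast through (ARP requests, IPv6 ND;
# the ebtables keyword "Multicast" matches every address with the group bit
# set, broadcast included), then drop any unicast frame not addressed to the
# VM's MAC. This is what stops frames flooded by a switch whose
# mac-address-table entry expired from reaching a VM that is not their
# destination.
ebtables -t filter -A $chain -o $iface -d Multicast -j RETURN
ebtables -t filter -A $chain -o $iface -d ! $mac -j DROP
EOF
}

# Sample run with constructed values; review the output before applying it.
mac_pin_rules tap100i0 52:54:00:12:34:56
```

The rules are written against the bridge `FORWARD` chain only, so they cover frames bridged between the tap and the uplink, not traffic the hypervisor itself sends to the VM (that goes through the bridge `INPUT`/`OUTPUT` chains). On a Proxmox host pve-firewall manages its own ebtables chains, so treat this as a stand-alone illustration of the two-direction filter rather than something to layer on top of a running pve-firewall.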