From: Bryan Fields <Bryan@bryanfields.net>
To: pve-user@lists.proxmox.com
Date: Sun, 22 Jun 2025 02:22:02 -0400
Message-ID: <1d20bc9d-b794-4124-bd47-f7586ab1ccd7@bryanfields.net>
Subject: [PVE-User] PVE-firewall and multicast with linux bridging

I've run into this multicast issue. Even with the interface as unfirewalled, Proxmox is blocking multicast/invalid traffic at the server and datacenter level.

I have the following VMs and LXCs all attached to an interface vmbr46.

100.120.255.128/28
100.120.255.129 - vrrp gateway
100.120.255.130 - Core 1 (router VM)
100.120.255.131 - Core 2 (router VM)
100.120.255.132 - NMS LXC
100.120.255.133 - vm0 - debian testing VM
100.120.255.134 - vm1 - debian testing VM
100.120.255.135 - Hypervisor vmbr46

This is an isolated bridge on Linux, and is only used for testing of these servers/multicast network. None of the ports have the firewall enabled.

During testing, I've had PIM between the routers come up and several weird groups back and forth. I first assumed it was the fact I was testing from an LXC, and made the VMs. This was not the case, as the VMs would have the same issues of only some ICMP pings to the multicast addresses working, and testing with socat showed one-way multicast between the hypervisor and one VM.

After much mocking this up on another host and locally with real servers, I was able to isolate it to the bridge device. There were no firewall logs for any of this, and pings to 224.0.0.1 wouldn't even work. This is the all multicast address; everything that is participating in multicast should reply.

I configured vmbr46 as 100.120.255.135/28 on the hypervisor to test this. I had the management firewall on the hypervisor disabled and confirmed I wasn't seeing any drops in the logs.
Eventually, after troubleshooting this, I discovered there is a built-in rule that blocks BROADCAST, MULTICAST, and ANYCAST across all interfaces, even though it's not on the forward chain. Owing to how multicast is handled on the bridge, it appears the INPUT chain is filtering this.

This is in the rules, and appears to be hardcoded in /usr/share/perl5/PVE/Firewall.pm:

-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP

I'd be ok with the hypervisor not being able to talk directly to the VMs on the vmbr46 interface, but I need the VMs and CTs to pass multicast with each other. Is there some way to exempt an interface totally from filtering?

-- 
Bryan Fields
727-409-1194 - Voice
http://bryanfields.net

_______________________________________________
pve-user mailing list
pve-user@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-user
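Added example (not from Bryan's e-mail and not Proxmox's own code): a small Python checker that parses the four PVEFW-DropBroadcast rules quoted above out of iptables-save text and walks them top to bottom the way netfilter would, reporting which rule first matches a given IPv4 destination. The iptables-save framing around the four rules is constructed for the demo, the 100.120.255.128/28 prefix from the post is used to decide what counts as a directed BROADCAST, and the model assumes (as the Linux addrtype match behaves) that no IPv4 destination is classified ANYCAST, so that rule never fires here. Only the matches the quoted rules use (-m addrtype --dst-type, -d CIDR, -j) are understood.

```python
"""Which PVEFW-DropBroadcast rule would drop a packet to a given destination?

Added example, not Proxmox code. The -A lines below are the rules quoted in
the e-mail; the chain header and COMMIT are constructed framing.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPTABLES_SAVE = """\
*filter
:PVEFW-DropBroadcast - [0:0]
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
COMMIT
"""

# Assumption: local prefixes on the host decide what the kernel's addrtype
# match classifies as a directed BROADCAST. The /28 is the one from the post.
LOCAL_PREFIXES = [ipaddress.ip_network("100.120.255.128/28")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

Rule = Dict[str, Optional[str]]


def classify_dst(addr: ipaddress.IPv4Address, local_prefixes) -> str:
    """Approximate addrtype's view of a destination: MULTICAST for 224.0.0.0/4,
    BROADCAST for 255.255.255.255 or a local subnet's directed broadcast,
    UNICAST otherwise. IPv4 never yields ANYCAST in this model."""
    if addr.is_multicast:
        return "MULTICAST"
    if addr == LIMITED_BROADCAST:
        return "BROADCAST"
    for net in local_prefixes:
        # /31 and /32 have no directed broadcast address
        if net.prefixlen <= 30 and addr == net.broadcast_address:
            return "BROADCAST"
    return "UNICAST"


def parse_chain(save_text: str, chain: str) -> List[Rule]:
    """Extract the -A rules of one chain from iptables-save output."""
    rules: List[Rule] = []
    for line in save_text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "-A" or tokens[1] != chain:
            continue
        rule: Rule = {"raw": line, "dst_type": None, "dst_net": None, "target": None}
        i = 2
        while i < len(tokens):
            tok = tokens[i]
            if tok == "--dst-type":
                rule["dst_type"] = tokens[i + 1]
                i += 2
            elif tok == "-d":
                rule["dst_net"] = tokens[i + 1]
                i += 2
            elif tok == "-j":
                rule["target"] = tokens[i + 1]
                i += 2
            elif tok == "-m":
                i += 2  # "-m addrtype": module name only, criteria follow separately
            else:
                i += 1  # anything else is ignored for matching
        rules.append(rule)
    return rules


def rule_matches(rule: Rule, addr: ipaddress.IPv4Address, local_prefixes) -> bool:
    """A rule matches when every criterion it carries agrees with the packet."""
    if rule["dst_type"] is not None and classify_dst(addr, local_prefixes) != rule["dst_type"]:
        return False
    if rule["dst_net"] is not None and addr not in ipaddress.ip_network(rule["dst_net"], strict=False):
        return False
    return True


def first_verdict(dst: str, save_text: str = IPTABLES_SAVE,
                  chain: str = "PVEFW-DropBroadcast",
                  local_prefixes=LOCAL_PREFIXES) -> Tuple[Optional[str], Optional[str]]:
    """Walk the chain in order; return (target, raw_rule) of the first match,
    or (None, None) if the packet falls off the end of the chain."""
    addr = ipaddress.ip_address(dst)
    for rule in parse_chain(save_text, chain):
        if rule_matches(rule, addr, local_prefixes):
            return rule["target"], rule["raw"]
    return None, None


if __name__ == "__main__":
    for dst in ("224.0.0.1", "239.1.2.3", "100.120.255.143", "100.120.255.133"):
        target, raw = first_verdict(dst)
        print(f"{dst:16} -> {target or 'no match'}  {raw or ''}")
```

Running it shows 224.0.0.1 caught by the addrtype MULTICAST rule before the 224.0.0.0/4 rule is ever reached, the /28's directed broadcast 100.120.255.143 caught by the BROADCAST rule, and plain unicast to a VM address falling through the chain. Dropping the addrtype lines from the input demonstrates that the trailing -d 224.0.0.0/4 rule still catches multicast on its own, which is why removing any single rule is not enough to let group traffic through.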