[pve-devel] hetzner bug with pve-firewall
Josef Per Johansson
josef at oderland.se
Sun Sep 12 12:37:50 CEST 2021
Hi,
Yeah sure! It seems a bit better than my hack!
Yeah I meant the mac-address-table, my bad.
Sent from Nine
________________________________
From: alexandre derumier <aderumier at odiso.com>
Sent: Friday, 10 September 2021 18:19
To: Proxmox VE development discussion
Subject: Re: [pve-devel] hetzner bug with pve-firewall
Hi,
Le vendredi 10 septembre 2021 à 12:53 +0200, Josef Johansson a écrit :
>
>
> I have a patch for the source code regarding only allowing the VMs
> MAC
> in ebtables for incoming traffic also.
I just send a patch too for incoming traffic, maybe could you try it ?
>>Traffic is only broadcasted to MAC B if the ARP-table in the switch
>>times out.
>>
>>Which makes this problem a hell to diagnose :-)
to be exact, if the mac-address-table timeout in the switch. (switch
don't have arp, until it's a router)
That's why in general, switch need to be configured with mac-address-
table aging-time (2h for exemple) Â > than arp timeout on servers.
Like this, if no traffic occur on servers, and arp is timeout out,
server is sending a new arp request, and the switch see the arp reply
with the mac address,
(and no expiration in mac-address-table).
Looking at hetzner problem, the tcpdump send by users show really
stranges mac address vendor. (sound like forged flood).
Anyway, they should fix this, with static mac in their switch, as they
known allowed mac by server anyway.
(Until they have poor cheap switch without mac filtering ....)
I wonder if they are not only filtering/detecting the wrong mac on
their gateway. (as here, we send tcp reset to an external ip, going
through the gateway)
_______________________________________________
pve-devel mailing list
pve-devel at lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
More information about the pve-devel
mailing list