[pve-devel] [RFC container/firewall/manager/proxmox-firewall/qemu-server 00/37] proxmox firewall nftables implementation
DERUMIER, Alexandre
alexandre.derumier at groupe-cyllene.com
Wed Apr 3 08:05:55 CEST 2024
>> ## Known Issues
>> There is currently one major issue that we still need to solve: REJECTing
>> packets from the guest firewalls is currently not possible for incoming traffic
>> (it will instead be dropped).
That reminds me of this old Hetzner bug (Hetzner flooding bad packets
with a wrong dest MAC to all ports), then the firewall rejecting with
tcp-reset, with a random bridge MAC:
https://forum.proxmox.com/threads/proxmox-claiming-mac-address.52601/page-3#post-416219
Personally, I'm not sure that using reject / tcp-reset in a bridged setup is
a good idea. (Even if personally I'm using it in production, I don't have a
problem switching to DROP, if I can avoid other problems.)
>>
>> This is due to the fact that we are using the postrouting hook of nftables in a
>> table with type bridge for incoming traffic. In the bridge table in the
>> postrouting hook we cannot tell whether the packet has also been sent to other
>> ports in the bridge (e.g. when a MAC has not yet been learned and the packet
>> then gets flooded to all bridge ports).
Maybe it is time to disable dynamic MAC learning by default?
The code is already here and works fine.
AFAIK, other hypervisors like VMware disable port flooding by default
with static MAC registration too.
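As an added illustration (not code from this patch series, from Proxmox, or from the poster): a small POSIX shell helper that prints the kind of bridge-family nftables chain the thread is discussing, with drop as the terminal action on the guest's port, together with the iproute2 commands for the static-MAC / no-flooding port setup mentioned above. The port name tap100i0, the address 10.0.0.5 and the MAC 02:00:00:00:00:01 are made-up values, and the `apply_*` functions are hypothetical wrappers that only make sense when run as root on a host with `nft` and `bridge`.

```shell
#!/bin/sh
# Added example, not from the pve-devel patch series. Emits an nftables
# bridge-family ruleset filtering traffic headed *into* one guest port from
# the postrouting hook, and the iproute2 commands that pin the guest MAC on
# that port and switch off learning/flooding. Port, IP and MAC are assumptions.

# Print an nft ruleset for one guest port. Incoming guest traffic is matched
# on the outgoing bridge port (oifname), i.e. the guest's tap device.
# $1 = guest tap port (e.g. tap100i0), $2 = guest IPv4 address
guest_in_ruleset() {
    port="$1"
    guest_ip="$2"
    cat <<EOF
table bridge pve_guest_example {
    chain guest_in {
        type filter hook postrouting priority 0; policy accept;
        # Allow SSH to the guest and silently drop everything else for this port.
        # The terminal action is drop: in this hook the frame may already have
        # been flooded to other bridge ports, so a TCP reset could not be tied
        # to a single destination (the limitation described in the thread).
        oifname "$port" ip daddr $guest_ip tcp dport 22 accept
        oifname "$port" drop
    }
}
EOF
}

# Print the iproute2 commands that register a static MAC for the guest port
# and disable dynamic learning and unknown-unicast flooding on it.
# $1 = guest tap port, $2 = guest MAC address
static_mac_cmds() {
    port="$1"
    mac="$2"
    printf 'bridge link set dev %s learning off flood off\n' "$port"
    printf 'bridge fdb add %s dev %s master static\n' "$mac" "$port"
}

# Hypothetical apply helpers: load the ruleset via nft and run the bridge
# commands. Require root plus nft/iproute2; never invoked by the checks below.
apply_guest_rules() { guest_in_ruleset "$1" "$2" | nft -f -; }
apply_static_mac()  { static_mac_cmds "$1" "$2" | sh; }

# Stand-alone usage: print both artifacts for review instead of applying them.
if [ "${1:-}" = "show" ]; then
    guest_in_ruleset tap100i0 10.0.0.5
    static_mac_cmds tap100i0 02:00:00:00:00:01
fi
```

Running the script with `show` prints the ruleset and the bridge commands for inspection; the `apply_*` helpers are the point at which a real deployment would hand the text to `nft -f -` and the `bridge` tool.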