[pve-devel] hetzner bug with pve-firewall

alexandre derumier aderumier at odiso.com
Fri Sep 10 18:18:59 CEST 2021


On Friday, 10 September 2021 at 12:53 +0200, Josef Johansson wrote:
> I have a patch for the source code regarding only allowing the VMs
> in ebtables for incoming traffic also.

I just sent a patch too for incoming traffic, maybe you could try it?

>>Traffic is only broadcasted to MAC B if the ARP-table in the switch
>>times out.
>>Which makes this problem a hell to diagnose :-)

To be exact, it's the mac-address-table timeout in the switch. (Switches
don't have ARP, unless they are routers.)
That's why in general, switches need to be configured with a mac-address-
table aging-time (2h for example) greater than the ARP timeout on servers.

Like this, if no traffic occurs on the servers and the ARP entry times out,
the server sends a new ARP request, and the switch sees the ARP reply
with the MAC address
(and no expiration in the mac-address-table).

Looking at the hetzner problem, the tcpdump sent by users shows really
strange MAC address vendors (sounds like a forged flood).
Anyway, they should fix this with static MACs in their switch, as they
know the allowed MACs per server anyway.
(Unless they have poor cheap switches without MAC filtering ....)
I wonder if they are not only filtering/detecting the wrong MAC on
their gateway (as here, we send a TCP reset to an external IP, going
through the gateway).
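As an added example (not code from the original mail, nor from Proxmox or Hetzner), a small Python simulation of the aging-time versus ARP-timeout relationship described in the message above; the switch model, the server MAC and all timings are assumed and constructed:

```python
# Added example (not from the original mail): a toy simulation of the
# interplay described above between the switch mac-address-table aging
# time and the ARP timeout on a server. All timings are constructed.
# Server A is on port 1. When A's ARP entry for the gateway expires, A sends
# an ARP request and the switch refreshes A's MAC from that frame. The
# gateway sends a unicast to A every `probe_interval` s; if the switch has
# aged A's MAC out, that unicast is flooded to every port (the leak above).
from dataclasses import dataclass, field


@dataclass
class Switch:
    aging_time: int                             # aging-time in seconds
    table: dict = field(default_factory=dict)   # mac -> (port, last_seen)
    flooded: int = 0                            # unknown unicasts flooded

    def learn(self, mac, port, now):
        """Source-MAC learning: any frame from `mac` refreshes its entry."""
        self.table[mac] = (port, now)

    def forward(self, dst_mac, now):
        """Return the ports a frame for `dst_mac` leaves on."""
        entry = self.table.get(dst_mac)
        if entry is not None and now - entry[1] < self.aging_time:
            return [entry[0]]                   # known MAC: one port
        self.table.pop(dst_mac, None)           # entry aged out
        self.flooded += 1
        return ["all ports"]                    # unknown unicast: flood


def simulate(aging_time, arp_timeout, probe_interval, duration):
    """Count gateway->server frames flooded during `duration` seconds."""
    sw = Switch(aging_time)
    server_mac, server_port = "02:00:00:00:00:01", 1   # constructed
    sw.learn(server_mac, server_port, 0)
    last_tx = 0                                 # last frame sent by server
    for now in range(1, duration + 1):
        if now - last_tx >= arp_timeout:        # ARP expired: re-request
            sw.learn(server_mac, server_port, now)
            last_tx = now
        if now % probe_interval == 0:           # gateway unicast to server
            sw.forward(server_mac, now)
    return sw.flooded


if __name__ == "__main__":
    # aging 2h > ARP timeout 60s: server re-ARPs before the switch forgets it
    print("aging > arp timeout:", simulate(7200, 60, 100, 3600))   # 0
    # aging 5min < ARP timeout 15min: unicasts leak while the entry is gone
    print("aging < arp timeout:", simulate(300, 900, 100, 1800))   # 12
```

The flooded count is what a tcpdump on an unrelated port would see as "traffic for MAC B"; a zero count in the first case is exactly the effect of keeping aging-time above the servers' ARP timeout.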
