Date: Wed, 10 Jun 2026 10:19:39 -0700
From: Randy Bush
To: "Kerin Millar"
Cc: netfilter@vger.kernel.org
Subject: Re: prefix len confusion

>> we also see this (distributed source) attack on proxmox clusters' web
>> interfaces
>>
>> 2026-06-07T02:01:39.274405+00:00 pv0 pvedaemon[2276]:
>> authentication failure; rhost=::ffff:85.11.167.7 user=root@pam
>> msg=Authentication failure
>> 2026-06-07T02:01:42.970943+00:00 pv0 pvedaemon[2277]:
>> authentication failure; rhost=::ffff:85.11.167.7 user=root@pam
>> msg=Authentication failure
>>
>> can we safely just add ffff::0 to the v6 bogon list?
>
> It's an IPv4 address being logged in the form of an IPv4-mapped IPv6
> address. If you wish to block it, consider it as an ordinary IPv4
> address (85.11.167.7).

if nft treats it as an ipv4 addy, then the ipv4 filters should have
blocked, n'est-ce pas?

    tcp dport 8006 ip daddr $PROX4 drop

> For that reason, you should also be able to observe the packet(s) if
> you add a suitable tracing rule to the existing PREROUTING chain.

after pouring another cup

> That is, unless it is bridged traffic or does not traverse the
> firewall (as discussed previously).

no bridging. we are hunting other holes in the attack surface. using
your prerouting hack to demonstrate the filtering is working is a big
help in focusing our efforts.

randy
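
Added example, not code from this thread or from Proxmox: the Python below unwraps IPv4-mapped rhost values (the ::ffff:0:0/96 form) in pvedaemon authentication-failure lines and counts failures per source, so the sources can be checked against the IPv4 filter set. The one-line log layout is assumed from the two entries quoted above; the last two sample lines and all function names are constructed.

```python
import ipaddress
import re
from collections import Counter

# Sample input: the first two lines are modelled on the entries quoted in the
# thread; the last two are constructed to exercise native IPv6 and bad input.
SAMPLE_LOG = """\
2026-06-07T02:01:39.274405+00:00 pv0 pvedaemon[2276]: authentication failure; rhost=::ffff:85.11.167.7 user=root@pam msg=Authentication failure
2026-06-07T02:01:42.970943+00:00 pv0 pvedaemon[2277]: authentication failure; rhost=::ffff:85.11.167.7 user=root@pam msg=Authentication failure
2026-06-07T02:02:10.000000+00:00 pv0 pvedaemon[2277]: authentication failure; rhost=2001:db8::10 user=root@pam msg=Authentication failure
2026-06-07T02:02:11.000000+00:00 pv0 pvedaemon[2276]: authentication failure; rhost=not-an-address user=root@pam msg=Authentication failure
"""

# Assumed line layout, taken from the quoted log entries.
RHOST = re.compile(r"pvedaemon\[\d+\]: authentication failure; rhost=(\S+) user=(\S+)")


def normalize_rhost(text):
    """Return (family, address), unwrapping IPv4-mapped IPv6 to plain IPv4."""
    addr = ipaddress.ip_address(text)  # raises ValueError on non-addresses
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:a.b.c.d -> a.b.c.d
    return ("ipv4" if addr.version == 4 else "ipv6"), str(addr)


def failures_by_source(log_text):
    """Count authentication failures per normalized source address."""
    counts = Counter()
    skipped = []  # rhost values that are not IP addresses (e.g. hostnames)
    for line in log_text.splitlines():
        m = RHOST.search(line)
        if not m:
            continue
        try:
            counts[normalize_rhost(m.group(1))] += 1
        except ValueError:
            skipped.append(m.group(1))
    return counts, skipped


if __name__ == "__main__":
    counts, skipped = failures_by_source(SAMPLE_LOG)
    for (family, addr), n in counts.most_common():
        print(f"{n:4d}  {family}  {addr}")
    print("unparsed rhost values:", skipped)
```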