tickets #180062
openMatrix: incoming federation from `kde.org` is broken
Description
Traffic from KDE.org is not flowing correctly to opensuse.org. Known side effects include KDE users not being able to join openSUSE rooms and messages not arriving to openSUSE users until another user in a room sends a message.
Not sure whether the issue lies at opensuse.org or kde.org, but it seems to me that something is happening at the network level.
I was not able to find relevant logs on m.i.o.o with my limited privileges in /var/log, nor journalctl. Outbound traffic is unaffected.
Updated by crameleon 23 days ago · Edited
In the latter case, I have a suspicion:
```
$ dig kde.modular.im +short a
k8s-core-coreingr-e213c56b76-ef68a8798c5364b0.elb.eu-central-1.amazonaws.com.
3.66.50.240
```
That IP address is part of 3.0.0.0/9, requests from which we are blanket rejecting with 429 due to abuse from hosts at Amazon: https://progress.opensuse.org/projects/opensuse-admin/repository/salt/revisions/843268caef24c4e986b5b0312a0dc83487910e1b/diff.
Assuming that IP address is also the one they use as a source address.
Updated by crameleon 23 days ago
Easiest would be to exclude requests to Matrix from all source address filtering, but it would mean that it receives request spam from other places which don't necessarily host Matrix servers. Do I recall correctly that only SNI is used for federation traffic? Then we could only exclude `sni_matrix` and still benefit from filtering requests to Matrix which only match a host header.
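Added example, not part of the ticket or of the openSUSE Salt configuration: a small Python model of the source-address filter discussed above, showing the outcome for the KDE address with and without an SNI-based exemption. The name `matrix.example.org`, the `Request` type and the sample requests are constructed assumptions; only `3.0.0.0/9` and `3.66.50.240` come from the ticket.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Range named in the ticket; the real filter list may hold more entries.
BLOCKED_NETS = [ipaddress.ip_network("3.0.0.0/9")]
# Placeholder for the name an sni_matrix rule would match (not given in the ticket).
MATRIX_SNI = "matrix.example.org"


@dataclass
class Request:
    src: str             # source address seen by the proxy
    sni: Optional[str]   # TLS server name, None if the client sent none
    host: Optional[str]  # HTTP Host header


def in_blocked_range(addr: str) -> bool:
    """True if addr falls inside any blanket-rejected network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_NETS)


def decide(req: Request, exempt_matrix_sni: bool) -> str:
    """Return "429" if the source filter rejects the request, else "pass"."""
    # Proposed change: skip the filter only when the TLS SNI matches.
    # A matching Host header alone does not qualify for the exemption.
    if exempt_matrix_sni and req.sni == MATRIX_SNI:
        return "pass"
    return "429" if in_blocked_range(req.src) else "pass"


# Constructed sample requests.
FEDERATION = Request("3.66.50.240", MATRIX_SNI, MATRIX_SNI)
HOST_ONLY = Request("3.66.50.240", None, MATRIX_SNI)
OTHER_PEER = Request("192.0.2.10", MATRIX_SNI, MATRIX_SNI)

if __name__ == "__main__":
    for label, req in [("federation", FEDERATION), ("host-only", HOST_ONLY),
                       ("other peer", OTHER_PEER)]:
        print(label, "current:", decide(req, False),
              "with exemption:", decide(req, True))
```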