[pve-devel] [RFC container/firewall/manager/proxmox-firewall/qemu-server 00/37] proxmox firewall nftables implementation
DERUMIER, Alexandre
alexandre.derumier at groupe-cyllene.com
Wed Apr 3 14:03:37 CEST 2024
> Maybe it is time to disable dynamic MAC learning by default?
> The code is already here and works fine.
>
> AFAIK, other hypervisors like VMware disable port flooding by default
> with static MAC registration too.
>>Might be a good idea, although it still wouldn't solve the problem -
>>sadly (since we're still not allowed to do REJECT then).
Maybe revert the kernel patch? ^_^
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/bridge/netfilter/nft_reject_bridge.c?h=v6.8.2&id=127917c29a432c3b798e014a1714e9c1af0f87fe
Or improve it for upstream, something like:

    /* pseudocode: only relax the hook restriction when the frame cannot be
     * flooded to several ports and the protocol can carry a reject */
    if (!bridge_unicast_flooding && !bridge_mac_learning &&
        (proto == tcp || proto == udp))
        allow_use_of_reject;

as the original commit message seems to be about unicast flooding:

"If we allow this to be used from forward or any other later
bridge hook, if the frame is flooded to several ports, we'll end up
sending several reject packets,"
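The "static MAC registration" setup discussed above (learning off, unicast flooding off, the VM's MAC pinned to its port), as an added example that is not from the thread or from the Proxmox code base; the bridge port name, the MAC and the DRY_RUN switch are assumptions for illustration:

```shell
#!/bin/sh
# Added example (not from the thread): pin a VM's MAC to its bridge port
# with dynamic learning and unicast flooding switched off. Port and MAC
# are placeholders; DRY_RUN=1 prints the commands instead of running them.

# Run a command, or print it when DRY_RUN is set (needs root otherwise).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Return 0 if $1 is a unicast MAC (aa:bb:cc:dd:ee:ff with the I/G bit of
# the first octet clear), 1 otherwise.
valid_unicast_mac() {
    H='[0-9a-fA-F]'
    case "$1" in
        $H$H:$H$H:$H$H:$H$H:$H$H:$H$H) ;;
        *) return 1 ;;
    esac
    # an odd first octet means group (multicast/broadcast) address
    case "${1%%:*}" in
        *[13579bBdDfF]) return 1 ;;
    esac
    return 0
}

# lock_port PORT MAC: disable learning and unicast flood on PORT (a bridge
# member such as tap100i0) and register MAC there as a permanent fdb entry,
# so only that address is ever delivered to the port.
lock_port() {
    port=$1; mac=$2
    valid_unicast_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    run bridge link set dev "$port" learning off flood off
    run bridge fdb replace "$mac" dev "$port" master static
}

# Usage: ./lock_port.sh tap100i0 bc:24:11:00:00:01   (constructed values)
if [ "$#" -eq 2 ]; then
    lock_port "$1" "$2"
fi
```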
_______________________________________________
pve-devel mailing list
pve-devel at lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
More information about the pve-devel mailing list