[pve-devel] [PATCH pve-common 0/2] add disable bridge learning feature

Thomas Lamprecht t.lamprecht at proxmox.com
Thu Nov 11 11:40:34 CET 2021


On 24.09.21 10:48, Alexandre Derumier wrote:
> Currently, if a bridge receives an unknown dest MAC (network bug/attack/..),
> we are flooding packets to all bridge ports.
> 
> This can waste CPU time, even more with firewall enabled.
> Also, if the firewall is used with the reject action, the src MAC of the RST
> packet is the original unknown dest MAC.
> (This can block the server at Hetzner for example)
> 
> So, we can disable learning && unicast_flood on tap|veth|fwln port interface.
> Then MAC addresses need to be added statically in the bridge fdb.

I'm a bit out of the loop with the whole bad Hetzner network thingy, is this still
relevant? As I'd see if I can get it in finally..
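
The approach described in the quoted cover letter, sketched with plain iproute2 commands as an added example (not code from the patch series or from Proxmox). The function names, the port name `tap100i0` and the MAC address are constructed for illustration; the script only prints the commands.

```shell
#!/bin/sh
# Added example: print the iproute2 commands that switch off MAC learning and
# unknown-unicast flooding on a guest-facing bridge port, then pin the guest's
# MAC addresses as static fdb entries. Port name and MAC below are constructed.

# Return 0 if $1 is a well-formed unicast MAC address (aa:bb:cc:dd:ee:ff).
is_unicast_mac() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$' || return 1
    # The lowest bit of the first octet marks group (multicast) addresses.
    first=$(printf '%s' "$1" | cut -c1-2)
    [ $(( 0x$first & 1 )) -eq 0 ]
}

# Print (do not run) the commands for one port. Usage: lockdown_port PORT MAC...
lockdown_port() {
    port=$1; shift
    case $port in
        tap*|veth*|fwln*) ;;    # the port types named in the cover letter
        *) echo "refusing: $port is not a tap/veth/fwln port" >&2; return 1 ;;
    esac
    # With learning and flooding off, a port without static entries gets no
    # unicast traffic, so insist on at least one MAC.
    [ "$#" -gt 0 ] || { echo "refusing: no MAC given for $port" >&2; return 1; }
    # Validate everything before printing anything, so output is all-or-nothing.
    for mac in "$@"; do
        is_unicast_mac "$mac" || { echo "refusing: bad MAC $mac" >&2; return 1; }
    done
    echo "bridge link set dev $port learning off flood off"
    for mac in "$@"; do
        echo "bridge fdb append $mac dev $port master static"
    done
}

# Dry run with constructed values; review the output before applying it as root.
lockdown_port tap100i0 "bc:24:11:00:00:01"
```

`bridge -d link show dev tap100i0` and `bridge fdb show dev tap100i0` show the resulting port flags and static entries after the commands have been applied.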




