[pve-devel] [PATCH pve-common 0/2] add disable bridge learning feature

Josef Johansson josef at oderland.se
Thu Nov 11 11:46:36 CET 2021


On 11/11/21 11:40, Thomas Lamprecht wrote:
> On 24.09.21 10:48, Alexandre Derumier wrote:
>> Currently, if the bridge receives an unknown dest mac (network bug/attack/..),
>> we flood packets to all bridge ports.
>>
>> This can waste cpu time, even more with the firewall enabled.
>> Also, if the firewall is used with the reject action, the src mac of the RST
>> packet is the original unknown dest mac.
>> (This can block the server at Hetzner, for example.)
>>
>> So, we can disable learning && unicast_flood on the tap|veth|fwln port interface.
>> Then the mac address needs to be added statically in the bridge fdb.
> I'm a bit out of the loop with the whole bad Hetzner network thingy, is this still
> relevant, as I'd see if I can get it in finally..

Hi,

Is it not enough to turn off unicast_flood on fwpr*?

If I have unicast_flood on fwln, some scenarios do not work.

I have been running it a while now and it seems to solve all odd quirks
we've had with the networking on PVE.

Regards
Josef
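As an added illustration (not part of Alexandre's series or of either mail above), this is what the cover letter's approach looks like with plain iproute2 `bridge` commands: turn off learning and unicast flooding on a guest port and pin the guest's MAC(s) as static fdb entries. The interface name and MACs are constructed placeholders, and `BRIDGE_DRY_RUN` is an assumed switch that prints the commands instead of running them, so the script can be checked without root or a real bridge.

```shell
#!/bin/sh
# Added example, not from the patch series. Requires iproute2's `bridge`
# tool and root when actually applied; BRIDGE_DRY_RUN=1 only echoes commands.

run() {
    if [ "${BRIDGE_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# A pinned entry must be a unicast MAC: six hex pairs, with the I/G bit
# (lowest bit of the first octet) clear. Multicast/broadcast addresses are
# rejected so they are never installed as static unicast entries.
valid_unicast_mac() {
    H='[0-9a-fA-F]'
    case "$1" in
        $H[02468aAcCeE]:$H$H:$H$H:$H$H:$H$H:$H$H) return 0 ;;
        *) return 1 ;;
    esac
}

# pin_port PORT MAC...: stop PORT from learning and from flooding unknown
# unicast, then add each MAC as a static fdb entry pointing at PORT. With
# flooding off, a frame for an unknown destination is dropped instead of
# being copied to every bridge port (and to the firewall chains).
pin_port() {
    port=$1; shift
    [ $# -ge 1 ] || return 2
    for mac in "$@"; do
        valid_unicast_mac "$mac" || return 1
    done
    run bridge link set dev "$port" learning off flood off
    for mac in "$@"; do
        run bridge fdb add "$mac" dev "$port" master static
    done
}

# Constructed placeholder port/MAC; run with BRIDGE_DRY_RUN=1 to preview.
# pin_port fwln100i0 52:54:00:12:34:56
```

To verify the state on a live host, `bridge -d link show dev <port>` reports `learning off flood off`, and `bridge fdb show dev <port>` lists the static entries.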



