Dropping spanning tree packets

Mark Schouten mark at tuxis.nl
Thu Jun 15 15:24:19 CEST 2023


We have a customer that allows people to build EthernetOverIP tunnels, 
and bridge the endpoints of those tunnels to their hypervisor interface. 
This causes the hypervisor to transmit BPDUs, which causes the 
uplink switches to trigger on security and shut the uplink.

As far as I have tested, we can drop those packets with ebtables, so 
I've been playing around with that.

`ruleset_addrule($ruleset, $tapchain, '-d BGA', '-j DROP');`

On the appropriate line of /usr/share/perl5/PVE/Firewall.pm should do 
the trick, along with some other changes. But I wanted to check here if 
people have other ideas to fix this.

I would personally feel that dropping spanning tree packets should be 
the default for a VM. But implementing it as such would cause a 
non-backwards-compatible breaking change.

Any thoughts on this issue?

Mark Schouten, CTO
Tuxis B.V.
mark at tuxis.nl / +31 318 200208
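As an added illustration (not code from the post above or from PVE/Firewall.pm), the Python below models what the proposed `-d BGA -j DROP` rule actually matches. In ebtables the BGA alias is the bridge group address 01:80:c2:00:00:00 with an all-ones mask, so the rule keys on the destination MAC only: any frame to that address is dropped whether or not it carries an LLC/BPDU payload, while BPDUs sent to other addresses (for example Cisco PVST+ on 01:00:0c:cc:cc:cd) are not matched. The frames, guest MAC and bridge ID are constructed inline for the example; the `bpdu_info` decoder is there to show what the rule does not look at. The equivalent manual rule is `ebtables -A <tap chain> -d BGA -j DROP`, and `ebtables -L --Lc` shows per-rule counters to confirm it is hitting.

```python
"""Model of an ebtables `-d BGA -j DROP` rule on a VM tap chain.

Added example; not code from the pve-devel post or from PVE/Firewall.pm.
Frames, MAC addresses and bridge IDs are constructed for illustration.
"""
import struct

# ebtables' BGA alias: 01:80:c2:00:00:00 with mask ff:ff:ff:ff:ff:ff, i.e. an
# exact match on the group address used by IEEE 802.1D/802.1w/802.1s BPDUs.
BGA = bytes.fromhex("0180c2000000")
BGA_MASK = bytes.fromhex("ffffffffffff")

BPDU_VERSIONS = {0: "STP", 2: "RSTP", 3: "MSTP"}


def mac_match(addr: bytes, target: bytes, mask: bytes) -> bool:
    """Masked MAC comparison, as ebtables does for -d/-s with a /mask."""
    return all((a & m) == (t & m) for a, t, m in zip(addr, target, mask))


def parse_ethernet(frame: bytes):
    """Split an Ethernet frame into (dst, src, type_or_length, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    return frame[0:6], frame[6:12], type_or_len, frame[14:]


def tap_chain_verdict(frame: bytes, default: str = "ACCEPT") -> str:
    """Verdict of a tap chain whose first rule is `-d BGA -j DROP`.

    Only the destination MAC is consulted, exactly like the ebtables rule."""
    dst, _, _, _ = parse_ethernet(frame)
    return "DROP" if mac_match(dst, BGA, BGA_MASK) else default


def bpdu_info(frame: bytes):
    """Decode the LLC/BPDU header, or return None if the frame is not a BPDU.

    BPDUs are 802.3 frames (length field <= 1500) with LLC DSAP/SSAP 0x42,
    control 0x03 and a BPDU protocol identifier of 0x0000."""
    _, src, type_or_len, payload = parse_ethernet(frame)
    if type_or_len > 1500 or len(payload) < 7:
        return None
    if payload[0:3] != b"\x42\x42\x03":
        return None
    proto_id, version, bpdu_type = struct.unpack("!HBB", payload[3:7])
    if proto_id != 0:
        return None
    return {"src": src.hex(":"),
            "version": BPDU_VERSIONS.get(version, "unknown"),
            "type": bpdu_type}


def build_bpdu(src_mac: bytes, bridge_id: bytes, rstp: bool = False) -> bytes:
    """Construct a Configuration BPDU (35 bytes) or RST BPDU (36 bytes) that
    claims bridge_id as root, wrapped in an 802.3/LLC frame to the group MAC."""
    version, bpdu_type = (2, 0x02) if rstp else (0, 0x00)
    bpdu = struct.pack("!HBBB8sI8sHHHHH",
                       0x0000, version, bpdu_type, 0x00,  # proto id, version, type, flags
                       bridge_id, 0,                      # root ID, root path cost
                       bridge_id, 0x8001,                 # bridge ID, port ID
                       0, 20 * 256, 2 * 256, 15 * 256)    # age, max age, hello, fwd delay (1/256 s)
    if rstp:
        bpdu += b"\x00"                                   # Version 1 Length, always 0 in RST BPDUs
    body = b"\x42\x42\x03" + bpdu                         # LLC header + BPDU
    frame = BGA + src_mac + struct.pack("!H", len(body)) + body
    return frame.ljust(60, b"\x00")                       # pad to minimum Ethernet size


# Constructed sample traffic from a guest whose bridged tunnel endpoint talks STP.
VM_MAC = bytes.fromhex("525400aabbcc")          # made-up guest MAC
BRIDGE_ID = bytes([0x80, 0x00]) + VM_MAC        # priority 32768 + MAC
SAMPLE_STP_BPDU = build_bpdu(VM_MAC, BRIDGE_ID)
SAMPLE_RSTP_BPDU = build_bpdu(VM_MAC, BRIDGE_ID, rstp=True)
SAMPLE_ARP = bytes.fromhex("ffffffffffff") + VM_MAC + b"\x08\x06" + bytes(46)
SAMPLE_IPV4 = bytes.fromhex("001122334455") + VM_MAC + b"\x08\x00" + bytes(46)
# IPv4 frame addressed to the group MAC: not a BPDU, but the rule still drops it.
SAMPLE_BGA_IPV4 = BGA + VM_MAC + b"\x08\x00" + bytes(46)

if __name__ == "__main__":
    for name, frame in [("STP BPDU", SAMPLE_STP_BPDU), ("RST BPDU", SAMPLE_RSTP_BPDU),
                        ("ARP broadcast", SAMPLE_ARP), ("unicast IPv4", SAMPLE_IPV4),
                        ("IPv4 to BGA", SAMPLE_BGA_IPV4)]:
        print(f"{name:14} verdict={tap_chain_verdict(frame):6} bpdu={bpdu_info(frame)}")
```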
