Dropping spanning tree packets
Mark Schouten
mark at tuxis.nl
Thu Jun 15 15:24:19 CEST 2023
Hi,
We have a customer that allows people to build EthernetOverIP tunnels,
and bridge the endpoints of those tunnels to their hypervisor interface.
This causes the hypervisor to transmit BPDUs, which causes the
uplink-switches to trigger on security and shut the uplink.
As far as I have tested, we can drop those packets with ebtables, so
I've been playing around with that.
`ruleset_addrule($ruleset, $tapchain, '-d BGA', '-j DROP');`
On the appropriate line of /usr/share/perl5/PVE/Firewall.pm should do
the trick, along with some other changes. But I wanted to check here if
people have other ideas to fix this.
I would personally feel that dropping spanning tree packets should be
the default for a VM. But implementing it as such would cause a
non-backwards-compatible breaking change.
Any thoughts on this issue?
—
Mark Schouten, CTO
Tuxis B.V.
mark at tuxis.nl / +31 318 200208
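As an added example, not part of the original post or of the PVE firewall code, the following shell script generates the ebtables rules that implement the idea above (drop frames addressed to the bridge group address on a VM's tap interface) and applies them only when explicitly told to, so it can be inspected offline. The interface name `tap100i0` and the use of the plain `FORWARD` chain are assumptions; inside PVE the rule would instead go into the per-tap chain that Firewall.pm builds, as the post describes.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or from PVE/Firewall.pm).
# Emits ebtables rules that drop spanning-tree BPDUs coming in from a VM
# tap interface, so a guest bridging an EoIP tunnel cannot inject STP
# frames towards the uplink switches.
#
# Assumptions (placeholders, not PVE's real chain layout):
#   - rules are appended to the plain ebtables FORWARD chain;
#   - the tap interface name is supplied by the caller.

# BGA is ebtables' built-in alias for the 802.1D bridge group address
# 01:80:C2:00:00:00, the destination MAC of standard STP/RSTP/MSTP BPDUs.
STP_DST="BGA"

# Cisco PVST+ BPDUs do not use BGA; they go to this multicast address.
PVST_DST="01:00:0c:cc:cc:cd"

# Print the rule that drops standard BPDUs entering the bridge from $1.
bpdu_drop_rule() {
    printf 'ebtables -A FORWARD -i %s -d %s -j DROP\n' "$1" "$STP_DST"
}

# Print the extra rule needed when the upstream switches run PVST+.
pvst_drop_rule() {
    printf 'ebtables -A FORWARD -i %s -d %s -j DROP\n' "$1" "$PVST_DST"
}

# Print the full rule set for one tap interface: standard BPDUs always,
# PVST+ BPDUs when the second argument is "pvst".
bpdu_rules_for_tap() {
    bpdu_drop_rule "$1"
    if [ "${2:-}" = "pvst" ]; then
        pvst_drop_rule "$1"
    fi
}

# Apply the rules for a tap interface. Without APPLY=1 this is a dry run
# that only prints the commands, which keeps the script safe to execute
# on a machine without ebtables or root privileges.
apply_bpdu_rules() {
    bpdu_rules_for_tap "$1" "${2:-}" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            $cmd
        else
            printf 'dry-run: %s\n' "$cmd"
        fi
    done
}

# Demo when run directly with --demo: APPLY=1 ./bpdu.sh --demo tap100i0 pvst
if [ "${1:-}" = "--demo" ]; then
    apply_bpdu_rules "${2:-tap100i0}" "${3:-}"
fi
```

The post's Perl one-liner does the same thing in PVE's generated rule set; this script only makes the ebtables semantics visible and adds the PVST+ caveat, since `-d BGA` alone does not match Cisco per-VLAN spanning-tree frames. After applying, `ebtables -L FORWARD --Lc` shows the per-rule counters, which is the quickest way to confirm that a guest is actually emitting BPDUs.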