[pve-devel] [RFC container/firewall/manager/proxmox-firewall/qemu-server 00/37] proxmox firewall nftables implementation

Stefan Hanreich s.hanreich at proxmox.com
Wed Apr 3 14:25:40 CEST 2024


On 4/3/24 14:03, DERUMIER, Alexandre via pve-devel wrote:
> maybe revert the kernel patch ? ^_^
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/bridge/netfilter/nft_reject_bridge.c?h=v6.8.2&id=127917c29a432c3b798e014a1714e9c1af0f87fe

I also thought about it shortly. If we can ensure that certain
conditions are met, that might be an option. We would have to think about
broadcast/multicast traffic like ARP / DHCP, I would assume. It seems a
bit drastic from my POV, which is why I dropped that thought.

> Or Improve it for upstream, something like:
> 
> if !bridge_unicast_flooding && !bridge_mac_learning && proto = tcp|udp
>     allow_use_of_reject

that might be a possibility, although I'm not sure that information
about the bridge is available in the netfilter modules.
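
As an added illustration of the condition sketched in the quoted reply (not code from this thread, from proxmox-firewall or from the kernel), the check below is done at rule-generation time in userspace rather than inside the netfilter module: the per-port `learning` and `flood` flags are read from `bridge -d link show` output, and a rule gets `reject` only when both are off and the protocol is TCP or UDP, otherwise `drop`. The interface names and the sample output are constructed for the example.

```python
"""Added example: pick `reject` vs `drop` per bridge port from its
unicast-flooding / MAC-learning flags (the condition proposed in the
thread), using the text output of `bridge -d link show`.  Not project code.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of `bridge -d link show` output, one line per
# bridge port.  Interface names and flag values are assumptions for illustration.
SAMPLE_BRIDGE_OUTPUT = """\
5: tap100i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master fwbr100i0 state forwarding priority 32 cost 2 hairpin off guard off root_block off fastleave off learning off flood off mcast_flood on
6: fwln100i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master fwbr100i0 state forwarding priority 32 cost 2 hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on
"""


@dataclass(frozen=True)
class BridgePort:
    name: str
    master: str
    learning: bool   # MAC learning enabled on this port
    flood: bool      # unknown-unicast flooding enabled on this port


# "<ifindex>: <ifname>: <flags> ... master <bridge> ..."
_LINE_RE = re.compile(r"^\d+:\s+(?P<name>[^:]+):.*\bmaster\s+(?P<master>\S+)")


def _flag(line, key):
    # \b keeps "flood" from matching inside "mcast_flood" (underscore is a word char).
    m = re.search(rf"\b{key}\s+(on|off)\b", line)
    if m is None:
        raise ValueError(f"flag {key!r} not found in: {line}")
    return m.group(1) == "on"


def parse_bridge_links(text):
    """Return {ifname: BridgePort} for every line that names a master bridge."""
    ports = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if m is None:
            continue  # not a bridge port line
        port = BridgePort(
            name=m.group("name"),
            master=m.group("master"),
            learning=_flag(line, "learning"),
            flood=_flag(line, "flood"),
        )
        ports[port.name] = port
    return ports


def reject_allowed(port, proto):
    """The proposed condition: !flooding && !learning && proto in {tcp, udp}."""
    return (not port.flood) and (not port.learning) and proto in ("tcp", "udp")


def verdict_for(port, proto):
    return "reject" if reject_allowed(port, proto) else "drop"


def nft_rule(port, proto, dport):
    """Render one bridge-family nft rule fragment with the chosen verdict."""
    return f'iifname "{port.name}" {proto} dport {dport} {verdict_for(port, proto)}'


if __name__ == "__main__":
    ports = parse_bridge_links(SAMPLE_BRIDGE_OUTPUT)
    for name, port in ports.items():
        for proto in ("tcp", "udp", "icmp"):
            print(name, proto, "->", verdict_for(port, proto))
    print(nft_rule(ports["tap100i0"], "tcp", 22))
```

On a live host the input would come from `subprocess.run(["bridge", "-d", "link", "show"], capture_output=True, text=True).stdout`; the parser is kept separate from the command so the decision logic can be checked against captured output. Doing the check here, rather than in the kernel module, sidesteps the question raised above of whether the bridge port flags are visible to the netfilter modules, at the cost that the generated ruleset must be regenerated if a port's flags change.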
