On 11/11/21 11:40, Thomas Lamprecht wrote:
> On 24.09.21 10:48, Alexandre Derumier wrote:
>> Currently, if the bridge receives an unknown dest mac (network bug/attack/..),
>> we are flooding packets to all bridge ports.
>>
>> This can waste cpu time, even more with the firewall enabled.
>> Also, if the firewall is used with the reject action, the src mac of the RST
>> packet is the original unknown dest mac.
>> (This can block the server at Hetzner, for example.)
>>
>> So, we can disable learning && unicast_flood on tap|veth|fwln port interfaces.
>> Then the mac address needs to be added statically in the bridge fdb.
> I'm a bit out of the loop with the whole bad Hetzner network thingy,
> is this still relevant, as I'd see if I can get it in finally..
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
Hi,

Is it not enough to turn off unicast_flood on fwpr*? If I have unicast_flood
on fwln some scenarios do not work.

I have been running it a while now and it seems to solve all the odd quirks
we've had with the networking on PVE.

Regards
Josef
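For readers following the thread, the following is an added example of the change Alexandre describes, done by hand with iproute2 on a single bridge port; it is not code from the patch series or from Proxmox VE. It turns off MAC learning and unknown-unicast flooding on one port (`bridge link set ... learning off flood off`, where `flood` is the same knob as `/sys/class/net/<bridge>/brif/<port>/unicast_flood`) and then pins the guest MAC with a static FDB entry so traffic to that MAC is still forwarded. The port name `tap100i0` and the MAC `BC:24:11:AA:BB:CC` are hypothetical; the same function can be pointed at an `fwln` or, as Josef prefers, an `fwpr` port. Setting `DRY_RUN=1` prints the commands instead of running them, which needs no root and no bridge.

```shell
#!/bin/sh
# Added example, not part of the pve-devel patch series.
# Disable learning + unknown-unicast flooding on one bridge port and
# install a static FDB entry for the guest MAC on that port.
# Assumptions: iproute2 `bridge` is installed; the port already belongs
# to a bridge; port names and MACs passed in are hypothetical.

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a colon-separated 48-bit MAC before touching the FDB.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Stop the bridge from learning source MACs on this port and from flooding
# unicast frames with an unknown destination out of it.
pin_port() {
    run bridge link set dev "$1" learning off flood off
}

# With learning off, the bridge will never discover the guest MAC on its
# own, so add it as a static entry in the bridge ("master") FDB.
# `replace` is idempotent, so re-running on a live port is safe.
add_static_fdb() {
    run bridge fdb replace "$2" dev "$1" master static
}

# Verify the port state after the change: the detailed link view must
# report both flags off. Only meaningful outside DRY_RUN.
check_port() {
    bridge -d link show dev "$1" | grep -q 'learning off' &&
    bridge -d link show dev "$1" | grep -q 'flood off'
}

# Full procedure for one VM port: validate the MAC, pin the port, pin the MAC.
pin_vm_port() {
    port=$1
    mac=$2
    valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    pin_port "$port" && add_static_fdb "$port" "$mac"
}

# Usage (hypothetical VM 100, first NIC):
#   pin_vm_port tap100i0 BC:24:11:AA:BB:CC && check_port tap100i0
```

Note that once flooding is off, any MAC the guest uses beyond the one pinned here (a nested bridge inside the VM, a VRRP virtual MAC, a MAC changed from inside the guest) will silently stop receiving traffic until a matching static FDB entry is added, which is the trade-off behind Josef's observation that some scenarios break depending on which port the flag is applied to.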