From: Thomas Lamprecht
To: Proxmox VE development discussion, Alexandre Derumier
Date: Wed, 16 Mar 2022 17:33:11 +0100
Message-ID: <732df56c-ef4c-5b28-a279-a594e1c36e0c@proxmox.com>
In-Reply-To: <20210924084855.3074162-1-aderumier@odiso.com>
Subject: [pve-devel] applied-series: [PATCH pve-common 0/2] add disable bridge learning feature

On 24.09.21 10:48, Alexandre Derumier wrote:
> Currently, if the bridge receives an unknown dest mac (network bug/attack/..),
> we are flooding packets to all bridge ports.
>
> This can waste cpu time, even more with the firewall enabled.
> Also, if the firewall is used with the reject action, the src mac of the RST
> packet is the original unknown dest mac.
> (This can block the server at Hetzner, for example.)
>
> So, we can disable learning && unicast_flood on tap|veth|fwln port interfaces.
> Then mac addresses need to be added statically to the bridge fdb.
>
>
> Alexandre Derumier (2):
>   network: add support for disabling bridge learning on tap|veth|fwln
>     ports
>   Inotify: add bridge-disable-mac-learning option to bridges.
>
>  src/PVE/INotify.pm |  4 +++-
>  src/PVE/Network.pm | 60 +++++++++++++++++++++++++++++++++++++++++-----
>  2 files changed, 57 insertions(+), 7 deletions(-)
>

applied, thanks!

But I moved from the single flag to an $opts hash for the tap_plug option, nicer to use than those overly long parameter flag lists, which often have lots of slightly confusing undefs mixed in.

You need to adapt the calling sites of the relevant open patches though (sorry for the added work).
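The port setup the cover letter describes, as an added shell example that is not code from the patch series or from PVE::Network: learning and unknown-unicast flooding are switched off on a bridge port with the iproute2 `bridge` tool, and the MACs the guest may use are pinned as static fdb entries. The port name `tap100i0` and the MACs `bc:24:11:00:00:01`/`bc:24:11:00:00:02` are made-up sample values; `pin_port`, `unpin_port`, `check_port` and the `DRY_RUN` switch are this example's own names, not PVE options. It needs root on the host; with `DRY_RUN=1` it only prints the commands it would execute.

```shell
#!/bin/sh
# Added example, not code from the patch series or PVE::Network.
# Pins a Linux bridge port to known MAC addresses, as the cover letter
# describes: learning and unknown-unicast flooding are switched off on the
# port and the guest's MACs are entered in the bridge fdb as static entries.
# Assumes the iproute2 `bridge` tool, sysfs brport attributes and root
# privileges. DRY_RUN=1 prints the commands instead of executing them.
set -eu

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a full six-octet, colon-separated MAC (any case).
valid_mac() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# pin_port PORT MAC...
# Every MAC the guest is allowed to send from must be listed: once learning
# and flooding are off, frames for an unlisted MAC are silently dropped.
pin_port() {
    [ $# -ge 2 ] || { echo "usage: pin_port PORT MAC..." >&2; return 1; }
    port=$1; shift
    for mac in "$@"; do
        valid_mac "$mac" || { echo "pin_port: bad MAC '$mac'" >&2; return 1; }
    done
    # fdb entries first, so the guest is never unreachable in between.
    for mac in "$@"; do
        run bridge fdb add "$mac" dev "$port" master static
    done
    run bridge link set dev "$port" learning off flood off
}

# unpin_port PORT MAC...: restore the kernel defaults. Static entries never
# age out, so they are removed explicitly.
unpin_port() {
    [ $# -ge 2 ] || { echo "usage: unpin_port PORT MAC..." >&2; return 1; }
    port=$1; shift
    run bridge link set dev "$port" learning on flood on
    for mac in "$@"; do
        run bridge fdb del "$mac" dev "$port" master
    done
}

# check_port PORT: succeed only if both brport attributes read 0 on the host.
check_port() {
    [ "$(cat "/sys/class/net/$1/brport/learning")" = "0" ] &&
    [ "$(cat "/sys/class/net/$1/brport/unicast_flood")" = "0" ]
}

# Usage: sh pin_port.sh tap100i0 bc:24:11:00:00:01 bc:24:11:00:00:02
if [ $# -gt 0 ]; then
    pin_port "$@"
fi
```

Per the cover letter, Proxmox applies this to the tap/veth port and, when the firewall bridge is in use, to the fwln port as well, so a guest's MAC list has to be pinned on every port along that path. `flood off` only stops unknown-unicast flooding; broadcast and multicast are governed by the separate `mcast_flood` attribute and keep working. The same two flags `check_port` reads from sysfs are shown by `bridge -d link show dev PORT`.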