>>## Known Issues
>>There is currently one major issue that we still need to solve: REJECTing
>>packets from the guest firewalls is currently not possible for incoming
>>traffic (it will instead be dropped).

That reminds me of this old Hetzner bug (Hetzner flooding bad packets
with a wrong dest MAC to all ports), then the firewall rejecting with
tcp-reset with a random bridge MAC:

https://forum.proxmox.com/threads/proxmox-claiming-mac-address.52601/page-3#post-416219

Personally, I'm not sure that using reject / tcp-reset in a bridge is
a good idea. (Even though I'm personally using it in production, I have no
problem switching to DROP if it avoids other problems.)

>>
>>This is due to the fact that we are using the postrouting hook of nftables
>>in a table with type bridge for incoming traffic. In the bridge table in the
>>postrouting hook we cannot tell whether the packet has also been sent to
>>other ports in the bridge (e.g. when a MAC has not yet been learned and the
>>packet then gets flooded to all bridge ports).


Maybe it is time to disable dynamic MAC learning by default?
The code is already here and works fine.

AFAIK, other hypervisors like VMware disable port flooding by default,
with static MAC registration too.
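One way to do what the reply suggests, shown here as an added example that is not Proxmox code and not part of the patch series: pin a guest's MAC on its bridge port with iproute2 so the bridge never has to learn it or flood for it. The tap port name and the MAC below are placeholder values, and the `bridge link` / `bridge fdb` invocations are the plain iproute2 commands, not whatever the Proxmox implementation actually runs.

```shell
#!/bin/sh
# Added example (not Proxmox code): switch one bridge port to static-MAC
# mode. Needs iproute2's `bridge` tool and root to apply; DRY_RUN=1 only
# prints the commands. Port and MAC names are constructed placeholders.

# Reject anything that is not a colon-separated 48-bit MAC before it
# reaches `bridge fdb add`.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Emit, one per line, the commands that pin a guest MAC on its port:
#   1. stop the bridge learning MACs from frames seen on this port,
#   2. stop unknown-unicast flooding towards this port,
#   3. register the guest MAC as a static forwarding-database entry.
# With (2) and (3) in place, a frame for this guest is delivered only to
# this port and is never copied to every port of the bridge.
static_mac_cmds() {
    port=$1
    mac=$2
    valid_mac "$mac" || return 1
    printf 'bridge link set dev %s learning off\n' "$port"
    printf 'bridge link set dev %s flood off\n' "$port"
    printf 'bridge fdb add %s dev %s master static\n' "$mac" "$port"
}

# Run (or, with DRY_RUN=1, just show) the commands for one port.
apply_static_mac() {
    static_mac_cmds "$1" "$2" | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            $cmd
        fi
    done
}

# Example invocation with placeholder values (tap100i0, locally
# administered MAC); remove DRY_RUN to apply on a real host.
DRY_RUN=1 apply_static_mac tap100i0 02:00:00:00:00:01
```

With learning and unknown-unicast flooding off and the MAC registered statically, the "MAC not yet learned, so flood to all ports" case that the quoted postrouting hook cannot distinguish no longer occurs for that port, which is the situation the reply argues for making the default.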

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel