STP Packet Filtering

Question

I have a KVM host with guests joined to a virtual bridge for networking.

Netdata on guests of this system drew my attention to packets being dropped at the network interface level (the metric reported as RX dropped by ifconfig).

I tracked the dropped packets to STP (spanning tree protocol) broadcasts from outside of the host. The virtual bridge on the host has STP off, but these packets from other switches on the network are still forwarded to guests.

# tcpdump -i enp2s0 stp -etn
30:23:03:27:7c:27 > 01:80:c2:00:00:00, 802.3, length 38: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1d, Config, Flags [none], bridge-id fffe.30:23:03:27:7c:27.8001, length 43
# tcpdump -i enp1s0 stp -etn
10:06:45:e6:24:0b > 01:80:c2:00:00:00, 802.3, length 38: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1d, Config, Flags [none], bridge-id 8000.10:06:45:e6:24:0b.8004, length 43

Question

How can I drop STP packets being forwarded through the virtual bridge?

I tried to filter by the dsap/ssap number, but this didn't work.

ebtables -A FORWARD -p LENGTH --802_3-sap 0x42 -j DROP

alternatively, I'd be interested in any reasons why this is not a good idea.

Answer 1

What the dropped packets mean is that no kernel subsystem has registered STP as a supported protocol; the ethernet driver doesn't know where to send the packet, so drops it and increments the dropped counter. This is itself fine, but Netdata treats the rising counter as a possible issue.

The simplest way to fix this is make the kernel/driver aware of STP:

sudo modprobe stp

This should result in the STP packets being dropped by STP driver rather than the ethernet driver.

On most Linux distros you can make this permanent by adding stp to /etc/modules.